
Plz advise on this~


35 replies to this topic

#1 iceman127

  • Members
  • 18 posts

Posted 12 December 2008 - 09:06 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:15 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2694 bytes


I recently ran ComboFix to fix a problem with kamsoft.exe and ckvo.exe on my computer and my external drive, but I find the vamsoft.exe problem still exists on my computer. Please help me and advise me on how to remove this problem and how to prevent infections like this. Thanks a lot in advance.



#2 Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 12 December 2008 - 03:15 PM

Hi iceman127,

I recently ran ComboFix to fix a problem with kamsoft.exe and ckvo.exe on my computer and my external drive, but I find the vamsoft.exe problem still exists on my computer. Please help me and advise me on how to remove this problem and how to prevent infections like this. Thanks a lot in advance.

Combofix is a specialist tool with the potential to wreck your computer if used incorrectly. It should only be used under instruction.

Please uninstall that version as follows if you still have it:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK (case insensitive)
  • When shown the disclaimer, select "2"

The above procedure will delete ComboFix and its associated files and folders.

Open HijackThis, take another scan and place a checkmark next to these entries.


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe

Close all open windows except HijackThis and click on "Fix checked".

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Open Hijackthis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

Joe.
If I have helped you in any way, please consider a donation.
Member of UNITE and ASAP.
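An added worked example, not part of the original thread and not HijackThis code: a Python script that does the triage Joe is doing by eye above, parsing the O4 autostart lines of a HijackThis 2.0.2 log and scoring them. The sample lines are copied from the first post. The heuristics (Policies\Explorer\Run as a high-signal key, a Windows binary name such as taskmgr.exe running from outside %SystemRoot%, a per-user HKCU Run entry pointing at an unfamiliar file in system32, a bare filename resolved through the search path), the ctfmon.exe allowlist and the assumption that Windows lives in C:\WINDOWS are the editor's choices, not anything HijackThis itself reports.

```python
r"""Triage the O4 (autostart) lines of a HijackThis 2.0.2 log.

Added example: not part of the original thread and not HijackThis code.
It encodes why an analyst singles out the entries Joe picked above:
  * HKLM\..\Policies\Explorer\Run is almost never used by legitimate installers
  * taskmgr.exe is a Windows binary name, but here it runs from a user profile
  * an HKCU Run entry pointing at an unfamiliar file in system32 is a worm habit
Assumption: Windows is installed in C:\WINDOWS (XP default); change SYSTEM_ROOT if not.
"""
import re
from typing import Dict, List

SYSTEM_ROOT = "c:\\windows\\"
SYSTEM32 = SYSTEM_ROOT + "system32\\"

# Genuine Windows binary names that malware likes to borrow.
WINDOWS_BINARY_NAMES = {
    "taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "smss.exe", "spoolsv.exe",
}
# Per-user autostarts that legitimately point into system32 on XP (editor's allowlist).
HKCU_SYSTEM32_ALLOWLIST = {"ctfmon.exe"}

SEVERITY_ORDER = {"none": 0, "INFO": 1, "MEDIUM": 2, "HIGH": 3}

# O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args
O4_REGISTRY_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\(?:Run|RunOnce|RunServices|Policies\\Explorer\\Run)): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# O4 - Global Startup: Shortcut.lnk = C:\path\prog.exe
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Leading program path of a command line, quoted or not, tolerating unquoted spaces.
EXE_PATH_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))"?(?=\s|$)', re.IGNORECASE)


def extract_path(cmd: str) -> str:
    """Pull the program path out of a command line, dropping quotes and arguments."""
    m = EXE_PATH_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().strip('"')


def triage_o4_line(line: str) -> Dict[str, object]:
    """Return a finding for one O4 line, or {} if the line is not an O4 entry."""
    line = line.strip()
    m = O4_REGISTRY_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return {}
    key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
    path = extract_path(cmd)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons: List[str] = []

    if "policies\\explorer\\run" in key.lower():
        reasons.append("HIGH: Policies\\Explorer\\Run key, almost never used by legitimate software")
    if base in WINDOWS_BINARY_NAMES and not low.startswith(SYSTEM_ROOT):
        reasons.append(f"HIGH: {base} is a Windows binary name but runs from outside %SystemRoot%")
    if "\\docume~1\\" in low or "\\documents and settings\\" in low:
        reasons.append("MEDIUM: autostart executable stored under a user profile")
    if key.startswith("HKCU") and low.startswith(SYSTEM32) and base not in HKCU_SYSTEM32_ALLOWLIST:
        reasons.append("MEDIUM: per-user (HKCU) autostart of an unfamiliar file in system32")
    if "\\" not in path:
        reasons.append("INFO: bare filename, resolved through the search path at logon")

    # Overall severity is the worst individual reason.
    severity = "none"
    for reason in reasons:
        level = reason.split(":", 1)[0]
        if SEVERITY_ORDER[level] > SEVERITY_ORDER[severity]:
            severity = level
    return {"key": key, "name": name, "path": path, "severity": severity, "reasons": reasons}


def triage_log(text: str) -> List[Dict[str, object]]:
    """Triage every O4 line in a log, most severe first (log order otherwise)."""
    findings = [f for f in (triage_o4_line(line) for line in text.splitlines()) if f]
    findings.sort(key=lambda f: -SEVERITY_ORDER[str(f["severity"])])
    return findings


# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG_LINES = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG_LINES):
        print(f"{finding['severity']:6} {finding['key']} [{finding['name']}] -> {finding['path']}")
        for reason in finding["reasons"]:
            print("       ", reason)
```

Run as a script it prints the scored entries: the [Task] entry comes out HIGH on two counts plus the user-profile location, vamsoft.exe comes out MEDIUM, and ctfmon.exe, NeroCheck.exe, MsnMsgr.Exe and the Office shortcut score nothing. The O2 BHO line with "(no file)" that Joe also ticked is outside this script's scope (it handles O4 only), and an allowlist such as HKCU_SYSTEM32_ALLOWLIST is a judgement call that has to be maintained per Windows version.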

#3 iceman127

  • Topic Starter
  • Members
  • 18 posts

Posted 12 December 2008 - 10:11 PM

Thank you, Joe, for your advice. Here is the ComboFix log for my computer.


ComboFix 08-12-12.02 - William 2008-12-13 11:07:15.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.745 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\vbsdfe0.dll
c:\windows\system32\vbsdfe1.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-12 19:31 . 2008-12-13 11:03 108,526 -r-hs---- c:\windows\system32\vamsoft.exe
2008-12-12 19:31 . 2008-12-02 10:11 106,320 -r-hs---- C:\6fnlpetp.exe
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-12 23:52 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:19 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-04 01:35 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-04 01:35 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


HiJackThis Log:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVIVO Codecs
CCleaner (remove only)
Combined Community Codec Pack 2008-01-24
Command & Conquer™ Red Alert™ 3
Garena
Gigabyte Raid Configurer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
MapleStory
Marvell Miniport Driver
MetaProducts Download Express
Microsoft .NET Framework 2.0
Microsoft Office 2000 Professional
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
Nero Suite
PhotoAlbum Add-In
Realtek High Definition Audio Driver
VLC media player 0.9.4
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Service Pack 2
WinRAR archiver


It seems my external drives are infected too with vamsoft.exe and kamsoft.exe. Is there any way to remove that too?

Edited by iceman127, 12 December 2008 - 10:16 PM.


#4 Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 13 December 2008 - 07:51 AM

Hi iceman127,

You did not include a new HijackThis log with your post, so I can't see if my fix worked or not. Can you do another HJT scan and post the log, please?

Do you recognise this?
C:\6fnlpetp.exe

Can you tell me if you have a firewall and anti-virus programmes on this computer? If so, tell me what they are, please.

As to your external drives, please don't use them until we get this cleared up. What evidence do you have that they are infected, and which external drive are you referring to?

Joe.

#5 iceman127

  • Topic Starter
  • Members
  • 18 posts

Posted 13 December 2008 - 08:32 AM

Sorry about the missing log file here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:13 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2638 bytes

I have a Maxtor external hard disk storage. I am not sure if it is infected, as there was a case of ckvo.exe which copied itself onto all the flash drives and external hard disks. I performed a ComboFix run on it at the same time as on my computer, which successfully removed them from all my hard disks and flash drives, as there is no more ckvo.exe appearing on my computer when I plug in one of the drives. I just want to confirm whether there are any more infections on my external storage by using a recommended method from experts like yourself.

And no, I don't know what C:\6fnlpetp.exe is for.
I am not using any anti-virus or firewall program except the Windows Firewall, which is included in the OS.
Thanks.

Edited by iceman127, 13 December 2008 - 08:36 AM.


#6 Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 13 December 2008 - 10:10 AM

Hi iceman127,

Thanks for all that information, very helpful.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

All three of those entries are missing from your new HJT log which is good. I imagine the file is still on the hard drive though.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quotebox below into it:


KillAll::

File::
c:\windows\system32\vamsoft.exe
C:\6fnlpetp.exe

ADS::
C:\windows\system32


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Drag CFScript.txt onto ComboFix.exe.

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

I suggest running a search on your removable drives to see if these files are present and, if they are, delete them.
Normally such drives are storage only.

Post the following:
  • A new Hijackthis log
  • The Combofix report.

We can attend to your security after this is resolved. Please do not use this computer in the meantime to access the Internet other than in connection with this fix, as you are likely to get re-infected.

This may not remove all the infections present. It is important that you post back and complete the fix.

Please post in this thread for further review and evaluation.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the Computer is running.

Joe.
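Joe's suggestion to search the removable drives for the worm's files, as an added example that is not from the thread and not a ComboFix feature: a read-only Python scanner for the root of a removable drive. A drive-hopping worm plants autorun.inf at the drive root so that Explorer runs its dropper when the drive is attached, which is why vamsoft.exe and kamsoft.exe come back when an infected external disk is plugged in; the ComboFix run on the Seagate disk later in this thread deletes exactly such a set (E:\Autorun.inf, E:\e.cmd, E:\h3.bat and random-named .cmd files). The sample drive the script builds is constructed for illustration: the file names follow that log, the autorun.inf contents are invented, and the hidden/system attribute check is only meaningful on Windows.

```python
r"""Inspect the root of a removable drive for an autorun.inf worm.

Added example: not part of the original thread and not a ComboFix feature.
A drive-hopping worm drops an autorun.inf at the drive root whose
open= / shellexecute= / shell\<verb>\command= keys name a dropper (a .cmd, .bat
or .exe also sitting at the root), so Explorer launches it when the drive is
attached. This scanner parses autorun.inf, reports what it would launch and lists
root-level executables, which on a storage-only drive should not exist at all.
It only reads; it deletes nothing.
"""
import os
import tempfile
from typing import Any, Dict, List

# Windows file-attribute bits. st_file_attributes exists only on Windows; elsewhere
# getattr() falls back to 0 and the hidden/system flags simply read as False.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Extensions that run when named in autorun.inf or double-clicked.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, Any]:
    """Parse autorun.inf text: the [autorun] entries and every command it would launch."""
    entries: Dict[str, str] = {}
    launch: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # worms pad the file with junk lines to confuse scanners; skip them
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        entries[key] = value
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launch.append(value)
    return {"entries": entries, "launch": launch}


def _first_token_basename(cmd: str) -> str:
    """Program name a launch command refers to, lower-cased, without directory."""
    parts = cmd.strip().split()
    token = parts[0].strip('"') if parts else ""
    return os.path.basename(token.replace("\\", "/")).lower()


def scan_drive_root(root: str) -> Dict[str, Any]:
    """Examine the files directly under a drive root, where autorun.inf must live."""
    report: Dict[str, Any] = {"autorun": None, "launch": [], "suspicious_files": []}
    files = [n for n in sorted(os.listdir(root)) if os.path.isfile(os.path.join(root, n))]
    for name in files:
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                parsed = parse_autorun(fh.read())
            report["autorun"] = parsed["entries"]
            report["launch"] = parsed["launch"]
    launch_targets = {_first_token_basename(cmd) for cmd in report["launch"]}
    for name in files:
        if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
            continue
        attrs = getattr(os.stat(os.path.join(root, name)), "st_file_attributes", 0)
        report["suspicious_files"].append({
            "name": name,
            "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
            "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
            "referenced_by_autorun": name.lower() in launch_targets,
        })
    return report


def build_sample_drive(root: str) -> None:
    """Constructed sample, not taken from the thread: a worm-style root plus innocent items.
    The file names mirror what ComboFix later deletes from E: in this thread; the
    autorun.inf contents are invented, and the scripts are written empty so nothing
    runnable is created."""
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
        fh.write("[AutoRun]\r\nopen=e.cmd\r\nshellexecute=e.cmd\r\n"
                 "shell\\open\\Command=e.cmd\r\nshell\\explore\\Command=e.cmd\r\n")
    for name in ("e.cmd", "h3.bat", "holiday.jpg"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "Documents"))


def demo() -> Dict[str, Any]:
    """Build the sample drive in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return scan_drive_root(tmp)


if __name__ == "__main__":
    result = demo()
    print("autorun.inf would launch:", result["launch"])
    for item in result["suspicious_files"]:
        print(item)
```

To use it on a real disk, attach the suspect drive and call scan_drive_root() on its root (for example E:\) instead of demo(); anything listed under suspicious_files on a drive that is supposed to hold only documents deserves a second look, and anything marked referenced_by_autorun is what would have run on insertion. As for the prevention the original poster asks about, the XP-era mitigation (editor's note, not something Joe covers in the thread) is to stop Explorer honouring autorun.inf at all by setting the NoDriveTypeAutoRun policy to 0xFF for all drive types and keeping Windows patched so the policy is honoured.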

#7 iceman127

  • Topic Starter
  • Members
  • 18 posts

Posted 14 December 2008 - 01:26 AM

Hi, I have done a separate ComboFix run on 2 of my external hard disks. The 2 external hard disk storage devices are Seagate and Maxtor.

I first plugged in my Seagate storage and the viruses vamsoft.exe and kamsoft.exe all reappeared, but there was no reappearance of ckvo.exe in my msconfig startup list. And there was a program stall when I first started ComboFix, but I restarted the computer and everything went smoothly, and I unplugged my Seagate storage.

Next, after the 1st ComboFix run was done, I plugged in my Maxtor storage and I detected no virus in my msconfig startup list, and I ran ComboFix and everything was smooth.



Here is the ComboFix log with my Seagate external hard disk:

ComboFix 08-12-12.02 - William 2008-12-14 13:54:11.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.734 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\6fnlpetp.exe
c:\windows\system32\vamsoft.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6fnlpetp.exe
C:\autorun.inf
C:\e.cmd
C:\h3.bat
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\vamsoft.exe
c:\windows\system32\vbsdfe0.dll
E:\1u0o8bnq.cmd
E:\Autorun.inf
E:\e.cmd
E:\h3.bat
E:\vva0hc0p.cmd
E:\xk2n.bat

.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-13 21:45 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 05:40 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-vamsoft - c:\windows\system32\vamsoft.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 13:55:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 13:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 05:56:40
ComboFix2.txt 2008-12-13 03:08:27
ComboFix3.txt 2008-12-12 15:47:15

Pre-Run: 98,719,748,096 bytes free
Post-Run: 98,726,141,952 bytes free

162



HiJackThis Log with my Seagate external hard disk storage:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:00 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2592 bytes



This is the ComboFix log with my Maxtor external hard disk:

ComboFix 08-12-12.02 - William 2008-12-14 14:02:35.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.726 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\6fnlpetp.exe
c:\windows\system32\vamsoft.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-13 21:45 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 05:40 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 14:04:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 14:05:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 06:05:00
ComboFix2.txt 2008-12-14 05:56:42
ComboFix3.txt 2008-12-13 03:08:27
ComboFix4.txt 2008-12-12 15:47:15

Pre-Run: 98,718,785,536 bytes free
Post-Run: 98,708,537,344 bytes free

144



HijackThis log with my Maxtor external hard disk:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:44 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2592 bytes


Plz advise on anything that seems to be a problem on my computer and my 2 hard drives. I would like to know if there is anything to prevent an infection from copying itself to my hard disk when I plug it in, if there is.
If there is anything that u wish to know of, plz inform me.
Thanks once again. :thumbsup:

Edited by iceman127, 14 December 2008 - 01:27 AM.


#8 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:28 AM

Posted 14 December 2008 - 07:28 AM

Hi iceman127,

I have done a separated combofix on 2 of my external hard disk . The 2 external hard disk storage are Seagate and Maxtor.

I don't think that works because I assume your removable storage disks would be assigned different drive letters. Can you tell me which drive letters are assigned to these drives, and are they connected via a USB connection?
All those scans relate to the C drive only which I assume is the root directory.
I see this Computer also has Raid, how many internal hard drives does it have?
Can you post the full configuration and include the number of partitions?
In fact I think it would be good to post the computer specification as well.

I notice in both Combofix scans it threw up the same infections, which suggests it is being reloaded.

Also this entry is shown in the HJT scan:

O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe

taskmgr.exe is a legitimate file but it could also be malware. It normally resides in these Directories:
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf
C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe

Do you know anything about your file?

I do not want to remove it yet, as although unlikely, it may be perfectly legitimate.

Can you go to the Scheduled Tasks in Control Panel and post a copy of any scheduled tasks on there? Let me know if you created them yourself.

Then run Combofix again. Run a normal scan without connecting any of your external storage drives and post the report. What I want to do is clean up the computer first before turning our attention to your external storage drives.
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Joe.

Edited by Joe - London, 14 December 2008 - 07:32 AM.

If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
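An added triage example, not part of this thread or of HijackThis/ComboFix: a Python script that reads HijackThis O4 lines and ComboFix Find3M lines in the formats posted above and flags the three signs Joe points at (a system-binary name running from outside the Windows directory, the Policies\Explorer\Run load point, and the hidden+system+read-only attribute set). The sample lines are copied from the logs in this thread; the trusted-directory prefix and the list of system binary names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: binaries with these names should only run from under the Windows
# directory. taskmgr.exe is the one discussed in the thread.
SYSTEM_BINARIES = {"taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\",)  # assumption: default XP install path

# HijackThis O4 registry entry, e.g.
#   O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix Find3M line: date, size (or dashes for a directory), 7-char attribute field, path, e.g.
#   2008-11-09 09:45 108,973 --sh--r C:\sq.com
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|-{9})\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def executable_from_command(cmd: str) -> str:
    """Return the program path from an O4 command line, quoted or not.
    Unquoted paths are cut at the first space, which is how HJT prints them."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage_o4(line: str) -> list[Finding]:
    """Flag a system-binary name outside the Windows directory and the
    Policies\\Explorer\\Run load point, which normal installers do not use."""
    m = O4_RE.match(line)
    if not m:
        return []
    exe = executable_from_command(m.group("cmd"))
    name = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in SYSTEM_BINARIES and not in_trusted_dir(exe):
        findings.append(Finding(exe, f"{name} loaded from outside the Windows directory"))
    if m.group("key").lower().startswith("policies\\explorer\\run"):
        findings.append(Finding(exe, "autorun via Policies\\Explorer\\Run"))
    return findings


def triage_find3m(line: str) -> list[Finding]:
    """Flag non-directory files carrying the hidden+system+read-only attribute set
    (printed by ComboFix as --sh--r), the combination seen on sq.com and taskmgr.exe."""
    m = FIND3M_RE.match(line)
    if not m:
        return []
    attrs = m.group("attrs")
    if "s" in attrs and "h" in attrs and attrs.endswith("r") and not attrs.startswith("d"):
        return [Finding(m.group("path"), "file marked hidden+system+read-only")]
    return []


def triage(lines) -> list[Finding]:
    findings: list[Finding] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        findings.extend(triage_o4(line))
        findings.extend(triage_find3m(line))
    return findings


# Constructed sample, copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG_LINES = [
    r"O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe",
    r"O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    r"2008-11-09 09:45 108,973 --sh--r C:\sq.com",
    r"2008-12-13 05:40 --------- d-----w c:\program files\Warcraft III",
    r"2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"{f.reason}: {f.path}")
```

Running it on the sample prints four findings: three for the stray taskmgr.exe and one for C:\sq.com, while the IME, Messenger and Warcraft III entries pass.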

#9 iceman127

iceman127
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 14 December 2008 - 08:31 AM

ComboFix Log:


ComboFix 08-12-12.02 - William 2008-12-14 21:14:41.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.745 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-14 17:08 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 10:44 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-04 01:35 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-04 01:35 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 21:15:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-14 21:15:49
ComboFix-quarantined-files.txt 2008-12-14 13:15:44
ComboFix2.txt 2008-12-14 06:05:03
ComboFix3.txt 2008-12-14 05:56:42
ComboFix4.txt 2008-12-13 03:08:27
ComboFix5.txt 2008-12-14 13:14:32

Pre-Run: 98,704,777,216 bytes free
Post-Run: 98,703,642,624 bytes free

135



HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:25 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2515 bytes

Hi, these logs are the latest. Both my external Storage drives are connected via a USB connection, which is Drive E: for both, as I scanned them separately, which means after my 1st scan with the Seagate Storage drive, I unplugged it and plugged in my Maxtor Storage and made another scan.

For what I know, when I plugged in my Seagate Storage my computer was infected once again with the same problems.
For the Maxtor Storage I plugged in, my com was not infected with anything that I know of.

My computer has no partition as far as I know, and I only have 1 internal hard disk in my computer.

My Scheduled Tasks has no tasks at all except a "Add Scheduled Tasks" button.

For the entry "O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe", I did a file search for taskmgr.exe and I clicked on the properties of it; it seems perfectly legitimate, as it shows it was a program from the Microsoft company, so I assume it either came with the OS or the Service Pack 2 Update.

Edited by iceman127, 14 December 2008 - 08:43 AM.


#10 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:07:28 AM

Posted 14 December 2008 - 09:05 AM

Hi iceman127,

For the entry "O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe", I did a file search for taskmgr.exe and I clicked on the properties of it; it seems perfectly legitimate, as it shows it was a program from the Microsoft company, so I assume it either came with the OS or the Service Pack 2 Update.

However, as I said, that file shouldn't be where it is and it shouldn't be running. As HJT won't touch it, let's remove it with Combofix.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quotebox below into it:


KillAll::

File::
c:\docume~1\William\taskmgr.ex


ADS::
C:\windows\system32

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This reactivates Combofix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#11 iceman127

iceman127
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 14 December 2008 - 10:17 AM

Done as instructed by u:

ComboFix 08-12-12.02 - William 2008-12-14 23:12:42.15 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.745 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\docume~1\William\taskmgr.ex
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-14 17:08 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 10:44 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-04 01:35 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-04 01:35 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 23:14:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 23:15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 15:15:10
ComboFix2.txt 2008-12-14 13:15:50
ComboFix3.txt 2008-12-14 06:05:03
ComboFix4.txt 2008-12-14 05:56:42
ComboFix5.txt 2008-12-14 15:12:26

Pre-Run: 98,686,623,744 bytes free
Post-Run: 98,682,638,336 bytes free

146


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:01 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2639 bytes

Both logs here.

#12 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK
  • Local time:07:28 AM

Posted 14 December 2008 - 11:53 AM

Hi iceman127,

Still there, may be my fault. Try this.

Copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Open *notepad*

Copy and paste all the text in the quote box below into it:


KillAll::

File::
c:\docume~1\William\taskmgr.exe


ADS::
C:\windows\system32

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.



Referring to the picture above, drag CFScript.txt into ComboFix.exe

This reactivates ComboFix. Again follow the prompts.

It will create another System restore point.

When finished, it shall produce a log for you at C:\ComboFix.txt

Copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*

Joe.

Edited by Joe - London, 14 December 2008 - 11:55 AM.

Member of UNITE and ASAP.
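As an added example (not code from ComboFix, HijackThis or this thread), a small Python triage script that scans ComboFix-style log lines for the kinds of indicators acted on in the fix above: hidden+system files outside %windir%, a system executable name living outside system32, a value under the Policies\Explorer\Run key, and Security Center notification flags set to 1. The sample log lines are constructed, modelled on the logs posted in this thread.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's or the
thread's code). Flags the kinds of indicators acted on in this thread."""
import re

# Constructed sample lines, modelled on the logs posted above.
SAMPLE_LOG = r"""
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-04 01:35 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"""

# File lines: date time [. date time] size|<DIR>|--------- attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?:[\d,]+|-+|<DIR>)\s+(?P<attrs>[-a-z]{7,9})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Executables that belong in %windir%\system32; a copy elsewhere deserves a look.
SYSTEM32_ONLY = {"taskmgr.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe"}
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "updatesdisablenotify",
                         "antivirusoverride", "firewalldisablenotify"}


def _in_user_profile(text):
    t = text.lower()
    return "documents and settings\\" in t or "docume~1\\" in t


def triage(log_text):
    """Return a list of (rule, line) findings for the given ComboFix-style text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs").lower(), m.group("path")
            p = path.lower()
            name = p.rsplit("\\", 1)[-1]
            # hidden + system attributes on something outside the Windows directory
            if "s" in attrs and "h" in attrs and "\\windows\\" not in p:
                findings.append(("hidden+system file outside %windir%", line))
            if name in SYSTEM32_ONLY and "\\system32\\" not in p:
                findings.append(("system executable outside system32", line))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, data = m.group("name").lower(), m.group("data").lower()
        if current_key.endswith("policies\\explorer\\run"):
            # an uncommon autostart location for legitimate software
            findings.append(("autostart via Policies\\Explorer\\Run", line))
        elif current_key.endswith("currentversion\\run") and _in_user_profile(data):
            findings.append(("Run entry pointing into a user profile", line))
        elif (current_key.endswith("security center")
              and name in SECURITY_CENTER_FLAGS and data.startswith("dword:00000001")):
            findings.append(("Security Center notification disabled", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```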

#13 iceman127

iceman127
  • Topic Starter

  • Members
  • 18 posts
  • Local time:01:28 AM

Posted 14 December 2008 - 02:18 PM

OK, here it is:


ComboFix 08-12-12.02 - William 2008-12-15 3:13:49.16 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.742 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\docume~1\William\taskmgr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\William\taskmgr.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-14 23:18 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 19:11 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-04 01:35 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-04 01:35 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft

.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-Task - c:\docume~1\William\taskmgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 03:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-15 3:16:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 19:16:14
ComboFix2.txt 2008-12-14 15:15:13
ComboFix3.txt 2008-12-14 13:15:50
ComboFix4.txt 2008-12-14 06:05:03
ComboFix5.txt 2008-12-14 19:13:32

Pre-Run: 98,642,272,256 bytes free
Post-Run: 98,632,892,416 bytes free

149


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:42 AM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2529 bytes


Here are the logs.

#14 iceman127

iceman127
  • Topic Starter

  • Members
  • 18 posts
  • Local time:01:28 AM

Posted 14 December 2008 - 02:32 PM

A problem has come up. After the ComboFix run I did, whenever I turn on my computer or reboot it there is always this error:
"Window cannot find 'c:\docume~1\William\taskmgr.exe'. make sure you typed the name correctly, and then try again. To search for a file, click start button, and then click Search." And it takes quite a while for my logon screen to load to my desktop, which never happened before. Is there a wrong deletion? :thumbsup:

#15 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK
  • Local time:07:28 AM

Posted 14 December 2008 - 02:57 PM

Hi iceman127,

A problem has come up. After the ComboFix run I did, whenever I turn on my computer or reboot it there is always this error:
"Window cannot find 'c:\docume~1\William\taskmgr.exe'. make sure you typed the name correctly, and then try again. To search for a file, click start button, and then click Search." And it takes quite a while for my logon screen to load to my desktop, which never happened before. Is there a wrong deletion?

I can't understand why this was in that directory. The legitimate taskmgr.exe resides in the system32 directory. Does the Task Manager work? Right-click on the task bar and then click Task Manager. Then click the Processes tab and scroll down and you should see taskmgr.exe.

Post back and let me know what you find.

Obviously Windows is searching for the file we deleted, but the legitimate one doesn't run at startup anyway. Any information you can provide will help.
Post the complete message.

Joe.



