Suspected infection: cscript.exe trying to access Internet.
4 replies to this topic

#1 touchring

  • Members
  • 9 posts

Posted 22 December 2008 - 07:04 AM

Recently, I've been experiencing cscript.exe trying to access the Internet (which is very unusual behavior and never happened previously).

I detected this when ZoneAlarm captured the attempt (many times previously I discovered a trojan this way). Of course, I denied the attempt. My brother's PC just got infected by some virus or trojan - it couldn't even boot up, and he had to reformat his PC, so I decided to investigate just to be safe.

1. Windows Task Manager reveals some cmd.exe processes running using my logon account and SYSTEM - but does not provide any more information beyond that.

2. The ZoneAlarm log showed cscript.exe trying to access 61.147.116.186:80, dns: dreamoy.cn. This is a China address and highly suspicious, but the fact that ZoneAlarm only captured cscript.exe gives me no further clue as to which might be the calling application.

3. Avira did not detect anything.

Would greatly appreciate any advice.

DDS.txt:

DDS (Version 1.0.1) - NTFSx86
Run by joshua at 23:44:18.71 on 12/15/2008 Mon
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.936.65.1033.18.2015.1191 [GMT 8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
c:\vgsmweb\apache\Apache.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM\visualgsmwatcher.exe
c:\vgsmweb\apache\Apache.exe
C:\Program Files\MySQL\bin\mysqld-max-nt.exe
C:\Program Files\NetDecision\Bin\ServiceManager.exe
C:\Program Files\NetDecision\Bin\TrafficGrapherServer.exe
C:\WINDOWS\System32\snmptrap.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM-SNMP2SMS\SnmpWatcher.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Breit Technologies\BT Reminder Buddy\BTReminderBuddy.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\joshua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
c:\smpp\InstallService.exe
c:\smpp\InstallService.exe
c:\smpp\InstallService.exe
c:\smpp\InstallService.exe
c:\Program Files\Microsoft SQL Server\MSSQL$VGSM\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$VGSM\Binn\sqlagent.EXE
c:\smpp\InstallService.exe
C:\VisualGSM\email2sms\Email2SMSService.exe
c:\smpp\InstallService.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM\visualgsmserver.exe
c:\smpp\SMPPReceiver.exe
c:\smpp\smppwatcher.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM\VisualGSMSMPP.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\DOCUME~1\joshua\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Documents and Settings\joshua\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = proxy.singnet.com.sg:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\services.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {055FD26D-3A88-4e15-963D-DC8493744B1D} - c:\program files\icqtoolbar\toolbaru.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - c:\program files\icqtoolbar\toolbaru.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [BTReminderBuddyStartUp] c:\program files\breit technologies\bt reminder buddy\BTReminderBuddy.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
uRun: [Google Update] "c:\documents and settings\joshua\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRunOnce: [Copy dlls] c:\visualgsm\temp\patchmanager.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\c2cmon~1.lnk - c:\program files\clicktoconvert\C2CMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link\d-link airplus g+ wireless adapter utility\DWLGTI.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\messag~1.lnk - c:\www\bin\messagemanager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startf~1.lnk - c:\freeradius.net\FreeRADIUS.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tinywe~1.lnk - c:\www\bin\tiny.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com...n/preview.html
IE: 添加到QQ表情 - c:\program files\tencent\qq\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {24EA3B8C-E438-42B3-90D0-6B09D95C5FF6} = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joshua\applic~1\mozilla\firefox\profiles\ea9yxzcd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://visualgsm.com/forums/

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\antivir personaledition classic\avgio.sys [2007-5-28 11840]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-15 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-29 394952]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;"c:\program files\antivir personaledition classic\sched.exe" [2007-5-28 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;"c:\program files\antivir personaledition classic\avguard.exe" [2007-5-28 151297]
R2 apachevgsm;apachevgsm;"c:\vgsmweb\apache\Apache.exe" --ntservice [2001-5-17 20480]
R2 dmmain;VisualGSMWatcher;c:\program files\visualtron software corporation\visualgsm\visualgsmwatcher.exe [2008-11-12 481280]
R2 Email2SMS;Email2SMS;c:\visualgsm\email2sms\Email2SMSService.exe [2008-10-15 1054208]
R2 MNSOCKET SMPP Service;MNSOCKET SMPP Service;c:\smpp\SMPPReceiver.exe [2008-11-20 114688]
R2 MNSOCKET SMPP Watcher;MNSOCKET SMPP Watcher;c:\smpp\smppwatcher.exe [2008-11-20 122880]
R2 MSSQL$VGSM;MSSQL$VGSM;c:\program files\microsoft sql server\mssql$vgsm\binn\sqlservr.exe -sVGSM []
R2 ND_ServiceManager;NetDecision Service Manager;"c:\program files\netdecision\bin\ServiceManager.exe" [2008-1-14 11776]
R2 SnmpWatcherService;VisualGSM_SNMP2SMS;c:\program files\visualtron software corporation\visualgsm-snmp2sms\SnmpWatcher.exe [2008-12-12 301568]
R2 visualgsm;VisualGSM;c:\program files\visualtron software corporation\visualgsm\visualgsmserver.exe [2008-11-16 731136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 Alidevice;Alidevice;c:\windows\system32\drivers\Alidevice.sys [2008-7-14 6656]
R3 avgntflt;avgntflt;\??\c:\program files\antivir personaledition classic\avgntflt.sys [2007-5-28 52032]
R3 SQLAgent$VGSM;SQLAgent$VGSM;c:\program files\microsoft sql server\mssql$vgsm\binn\sqlagent.EXE -i VGSM []
R3 TNET1130;D-Link AirPlus G+ Wireless Adapter;c:\windows\system32\drivers\GPlus.sys [2006-10-26 283392]
R3 visualGSMSMPPReceiver;visualGSMSMPPReceiver;c:\program files\visualtron software corporation\visualgsm\VisualGSMSMPP.exe [2008-12-10 1192448]
S2 Text2SMS;VisualGSM_Text2SMS;"c:\program files\visualtron software corporation\visualgsm-text2sms\Text2SMSService.exe" [2004-3-4 415744]
S3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [2005-1-19 6000]
S3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\FUJ02E3.sys [2006-4-2 4864]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\tnslsnr.exe [2006-2-2 204800]
S3 screen-scraper;screen-scraper;"c:\program files\screen-scraper professional edition\wrapper.exe" -s "c:\program files\screen-scraper professional edition\resource\conf\wrapper.conf" []
S3 Serport;iTegno Modem driver;c:\windows\system32\drivers\mdm2iteg.sys [2006-12-18 43136]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE []

============== File Associations ===============

chm.file="hh.exe" %1
txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2008-12-15 23:14 250 a------- c:\windows\gmer.ini
2008-12-15 22:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-15 22:18 <DIR> --d----- c:\program files\Security Task Manager
2008-12-15 19:58 <DIR> --d----- c:\program files\MSECache
2008-12-15 15:31 997 a------- c:\windows\system32\run.vbs
2008-12-15 12:52 0 a------- C:\t1eg.1
2008-12-15 12:52 0 a------- C:\t1eg
2008-12-11 15:16 61 a------- C:\test.pl
2008-12-10 16:55 <DIR> --d----- C:\tmp
2008-12-10 13:46 1,243,136 a------- c:\windows\system32\libqt4intf.dll
2008-12-10 13:39 <DIR> --d----- C:\lazarus
2008-12-08 16:43 <DIR> --d----- C:\vgsmweb
2008-12-08 03:04 274,083 a------- c:\windows\PC Image Editor Uninstaller.exe
2008-12-08 03:04 <DIR> --d----- c:\program files\PC Image Editor
2008-12-08 02:50 <DIR> --d----- c:\docume~1\joshua\applic~1\FastStone
2008-12-05 19:39 0 a------- C:\t2p0.1
2008-12-05 19:39 0 a------- C:\t2p0
2008-12-05 02:15 <DIR> --d----- c:\temp\radserverdemo
2008-12-05 02:14 3,217,039 a------- c:\temp\radserverdemo.zip
2008-12-03 00:43 0 a------- c:\windows\pws.INI
2008-12-02 13:10 <DIR> --d----- c:\windows\system32\Cache
2008-12-02 12:41 1,393 a------- c:\windows\imsins.BAK
2008-12-01 14:06 <DIR> --d----- c:\program files\IrfanView
2008-12-01 14:04 <DIR> --d----- c:\program files\COMPACT
2008-11-28 03:59 <DIR> --d----- c:\program files\Microsoft SQL Server
2008-11-28 01:26 0 a------- C:\t2r8.1
2008-11-28 01:26 0 a------- C:\t2r8
2008-11-28 00:38 157 a------- c:\windows\my.ini
2008-11-28 00:38 <DIR> --d----- c:\program files\MySQL
2008-11-28 00:18 0 a------- C:\t1p4.1
2008-11-28 00:16 0 a------- C:\t1p4
2008-11-26 00:25 <DIR> --d----- c:\program files\ICQ6
2008-11-24 11:09 <DIR> --d----- c:\program files\Shorter Path
2008-11-20 22:02 <DIR> --d----- c:\program files\Tensons
2008-11-20 21:54 2,894,600 a------- C:\CodeGear RAD Studio 2007 v11.0.2902.10471 Architect ENGLISH.iso
2008-11-20 21:25 <DIR> --d----- C:\www
2008-11-20 12:23 <DIR> --d----- C:\smpp
2008-11-20 09:55 34,558,031 a------- c:\temp\setup.exe
2008-11-20 01:59 <DIR> --d----- C:\VisualGSM
2008-11-18 01:28 79,872 a------- c:\windows\system32\frxTee7.bpl
2008-11-18 01:28 23,040 a------- c:\windows\system32\fsTee7.bpl
2008-11-18 01:28 216,576 a------- c:\windows\system32\frxcs7.bpl
2008-11-18 01:28 400,896 a------- c:\windows\system32\frxe7.bpl
2008-11-18 01:27 64,512 a------- c:\windows\system32\frxDBX7.bpl
2008-11-18 01:27 51,712 a------- c:\windows\system32\frxIBX7.bpl
2008-11-18 01:27 53,760 a------- c:\windows\system32\frxADO7.bpl
2008-11-18 01:27 49,152 a------- c:\windows\system32\frxBDE7.bpl
2008-11-18 01:27 101,888 a------- c:\windows\system32\frxDB7.bpl
2008-11-18 01:27 1,749,504 a------- c:\windows\system32\frx7.bpl
2008-11-18 01:27 22,016 a------- c:\windows\system32\fsIBX7.bpl
2008-11-18 01:27 22,016 a------- c:\windows\system32\fsBDE7.bpl
2008-11-18 01:27 20,992 a------- c:\windows\system32\fsADO7.bpl
2008-11-18 01:27 43,008 a------- c:\windows\system32\fsDB7.bpl
2008-11-18 01:27 348,672 a------- c:\windows\system32\fs7.bpl
2008-11-18 01:27 190,464 a------- c:\windows\system32\fqb70.bpl

==================== Find3M ====================

2008-12-15 23:16 55,329,824 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-15 12:50 745,856 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-10-24 19:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 19:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 20:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 20:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-23 00:20 129 a------- C:\startvgsm.bat
2008-10-23 00:19 126 a------- C:\stopvgsm.bat
2008-10-21 04:25 26 a------- C:\start.bat
2008-10-17 02:08 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-16 21:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 21:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 00:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 15:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 15:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 18:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 18:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2006-12-05 13:29 563,712 a------- c:\documents and settings\joshua\gotomypc_370.exe
2006-10-26 19:21 164 a------- c:\program files\video.log
2006-10-26 19:19 224 a------- c:\program files\LAN.log
2006-10-26 19:18 190 a------- c:\program files\AGP.log
2006-01-08 02:09 13 a------- c:\program files\IMAGE1.DAT
2004-05-21 16:59 62,865 a------- c:\windows\inf\im\odysseyIM3.sys
2004-05-21 16:59 45,056 a------- c:\windows\inf\im\imdinst.exe
2004-05-21 16:59 12,739 a------- c:\windows\inf\im\odNetInstall.dll

============= FINISH: 23:44:56.92 ===============

Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/26/2006 7:14:00 PM
System Uptime: 12/15/2008 1:52:12 PM (10 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-661FXM-RH
Processor: Intel® Pentium® 4 CPU 2.93GHz | Socket 775 | 2934/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 13.458 GiB free.
D: is FIXED (NTFS) - 35 GiB total, 10.272 GiB free.
E: is CDROM (CDFS)
G: is FIXED (NTFS) - 49 GiB total, 20.711 GiB free.
H: is FIXED (NTFS) - 100 GiB total, 62.346 GiB free.
Y: is NetworkDisk (NTFS) - 5 GiB total, 0.409 GiB free.
Z: is NetworkDisk (NTFS) - 17 GiB total, 7.369 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_E0001458&REV_10\3&61AAA01&1&78
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_E0001458&REV_10\3&61AAA01&1&78
Service: RTL8023xp

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acronis True Image
ActivePerl 5.10.0 Build 1002
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Reader Chinese Traditional Fonts
AIM 6
Alarm Clock v1.0
aMiner v2.1.5
Apple Software Update
ASProtect 1.35 Release
Avira AntiVir Personal - Free Antivirus
Borland Delphi 6
Borland Delphi 7
Bricksoft IM VCL Component 6.0.20080428
BT Reminder Buddy
CCleaner (remove only)
Click to Convert 5.5
Compatibility Pack for the 2007 Office system
Core FTP LE 1.3c
Core Lab dbExpress driver for MS SQL 2.50.6
Core Lab dbExpress driver for MySQL 3.00.1
D-Link AirPlus G+ Wireless Adapter Utility
Devart dbExpress driver for SQL Server 4.25.0.10
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EurekaLog 6.0.14 Trial
FastReport 4
FastScript
FileZilla Client 3.1.5.1
Flash Movie Player 1.5
FLV Player
FLV Player 2.0, build 23
Focus Magic 3.02
FreeRADIUS.net
GlassFish V2 UR2
Google Chrome
Google Talk (remove only)
GSiteCrawler
GTK+ Runtime 2.12.8 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
ICQ6
Indy 10 for Delphi 6
Indy 9 for Delphi 6
Infot Database Browser
InstallShield PackageForTheWeb 4
InstallShield X
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java DB 10.3.1.4
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 7
JGsoft EditPad Pro 6 DEMO 6.2.2
Kaspersky Online Scanner
Lazarus 0.9.26
Macromedia Dreamweaver 8
Macromedia Dreamweaver UltraDev 4
Macromedia Extension Manager
madshi's madCollection
Magic DVD Ripper V5.3 build 4
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 SDK - ENU
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Desktop Engine (VGSM)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual J# 2.0 Redistributable Package
Mozilla Firefox (2.0.0.17)
Mozilla Thunderbird (1.5.0.14)
MSN Messenger 6.2
MSN Search Web Service SDK (Beta)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MySQL ODBC 3.51 Driver
MySQL Server 5.0
Nero 7 Essentials
NetBeans IDE 6.1
NetDecision
Nullsoft Install System
Octoshape add-in for Adobe Flash Player
OpenSSL 0.9.8i Light
Opera 9.27
Oracle Database 10g Express Edition
PADGen 2.0.2.30
PC Image Editor
PDF reDirect (remove only)
Pdf995
Pidgin
PowerTCP Mail Tool
PuTTY version 0.53b
QQ2008 正式版
QQ游戏
QuickTime
QuickVCD Player 3.4
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Role Agent for Microsoft Office Live Communications Server 2005
RTC Client API v1.2
RTC Client API v1.3
RTC Client API V1.3 SDK and Samples
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Simple Failover
SiS VGA Utilities
SmartInspect Professional
SoftV92 Data Fax Modem with SmartCP
Sogou Chinese Input (3.3.0.0838)
StuffPlug 3
SureThing CD Labeler Deluxe 4 Trial
Tiff Viewer
ttRobot Standard Edition v1.0 (1.0.2.1)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIGOS Gsitemap 0.97a
VisiBroker for Cpp 4.5
VisualGSM Enterprise
VisualGSM Enterprise Server Addons
VisualGSM Enterprise Server SNMP2SMS Addon
VisualGSM Lite
VNC Free Edition 4.1.2
Web Data Extractor 6.0
WebFldrs XP
whois 2.7
Windows Essentials Media Codec Pack 1.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Messenger 5.1
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
WinSCP 4.0.6
Wireshark 1.0.2
Yahoo! u?|C
Yahoo! Browser Services
Yahoo! Messenger
ZoneAlarm

==== Event Viewer Messages ===================

12/12/2008 9:29:37 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 11 time(s).
12/12/2008 9:26:06 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 10 time(s).
12/12/2008 9:08:32 PM, error: Service Control Manager [7034] - The visualGSMSMPPReceiver service terminated unexpectedly. It has done this 2 time(s).
12/12/2008 9:07:01 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 9 time(s).
12/12/2008 9:05:26 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 8 time(s).
12/12/2008 8:44:45 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 7 time(s).
12/12/2008 8:31:01 PM, error: Service Control Manager [7034] - The visualGSMSMPPReceiver service terminated unexpectedly. It has done this 1 time(s).
12/12/2008 8:30:54 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 6 time(s).
12/12/2008 8:08:44 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 5 time(s).
12/12/2008 7:46:28 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer WEBXEL-86F8B7E0 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{24EA3B8C-E43. The master browser is stopping or an election is being forced.
12/12/2008 7:46:12 PM, error: PSched [14103] - QoS [Adapter {24EA3B8C-E438-42B3-90D0-6B09D95C5FF6}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
12/12/2008 6:09:48 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 4 time(s).
12/12/2008 5:59:46 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 3 time(s).
12/12/2008 5:38:19 PM, error: Service Control Manager [7011] - Timeout (240000 milliseconds) waiting for a transaction response from the service.
12/12/2008 5:37:00 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 2 time(s).
12/12/2008 5:34:19 PM, error: Service Control Manager [7011] - Timeout (240000 milliseconds) waiting for a transaction response from the MNSOCKET SMPP Service service.
12/12/2008 5:12:55 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 1 time(s).
12/12/2008 5:09:00 PM, error: Service Control Manager [7022] - The World Wide Web Publishing Service service hung on starting.
12/12/2008 5:08:28 PM, error: Service Control Manager [7022] - The visualgsm service hung on starting.
12/12/2008 5:06:39 PM, error: DCOM [10020] - The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
12/12/2008 4:36:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
12/12/2008 4:36:00 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.
12/12/2008 4:36:00 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
12/12/2008 4:36:00 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation completed successfully. .
12/12/2008 4:36:00 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2.
12/12/2008 4:36:00 PM, error: SideBySide [61] - Syntax error in manifest or policy file "C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on line 2. The required attribute version is missing from element assemblyIdentity.
12/12/2008 1:08:10 AM, error: NetBT [4321] - The name "VISUALTRON :1d" could not be registered on the Interface with IP address 192.168.0.98. The machine with the IP address 192.168.0.34 did not allow the name to be claimed by this machine.
12/11/2008 5:04:53 PM, error: NetBT [4307] - Initialization failed because the transport refused to open initial Addresses.
12/12/2008 9:49:12 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 12 time(s).
12/12/2008 10:05:25 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 13 time(s).
12/12/2008 10:22:32 PM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 14 time(s).
12/12/2008 10:34:06 PM, error: Service Control Manager [7000] - The visualgsm service failed to start due to the following error: The pipe state is invalid.
12/12/2008 10:34:06 PM, error: Service Control Manager [7034] - The VisualGSMWatcher service terminated unexpectedly. It has done this 1 time(s).
12/13/2008 12:39:00 AM, error: Service Control Manager [7034] - The visualgsm service terminated unexpectedly. It has done this 15 time(s).
12/13/2008 4:29:49 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
12/13/2008 4:29:49 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
12/13/2008 4:29:49 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL. Reference error message: The operation completed successfully. .
12/13/2008 4:29:49 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL. Reference error message: The operation completed successfully. .
12/14/2008 3:37:42 PM, error: Service Control Manager [7009] - Timeout (240000 milliseconds) waiting for the Email2SMS service to connect.
12/14/2008 3:37:42 PM, error: Service Control Manager [7000] - The Email2SMS service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/14/2008 5:39:08 PM, error: Service Control Manager [7009] - Timeout (240000 milliseconds) waiting for the visualGSMSMPPReceiver service to connect.
12/14/2008 5:39:08 PM, error: Service Control Manager [7000] - The visualGSMSMPPReceiver service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/15/2009 1:20:01 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -31535994 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.0.98:123->207.46.197.32:123) is working properly.

==== End Of File ===========================

#2 touchring (Topic Starter, Members, 9 posts)

Posted 22 December 2008 - 12:26 PM

I just completed a quick online scan using Kaspersky.

And it detected:

File name: C:\WINDOWS\system32\run.vbs
Threat name: Trojan-Downloader.VBS.Small.gg
Threats count: 1

My regular AntiVir did not detect that virus.

I uploaded that file to virustotal and it comes out with the following report:
http://www.virustotal.com/analisis/8d3e3ab...d6c0a2369640dce

Hope this helps. :thumbsup:

#3 Rosty (Skydive junkie, Malware Response Team, 1,220 posts)

Posted 31 December 2008 - 02:35 AM

Hi,

The forums are really busy, which explains why logs get behind. If you still need some help, please start by posting a new HijackThis log in this thread. Don't start a new thread.
Then we'll take a look.


Regards,

Rosty.
Proud member of ASAP since 2007

#4 touchring (Topic Starter, Members, 9 posts)

Posted 01 January 2009 - 07:37 AM

Thanks Rosty, I've attached the latest log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:20 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
c:\vgsmweb\apache\Apache.exe
c:\Program Files\Microsoft SQL Server\MSSQL$VGSM\Binn\sqlservr.exe
c:\vgsmweb\apache\Apache.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NetDecision\Bin\ServiceManager.exe
C:\Program Files\NetDecision\Bin\TrafficGrapherServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM\VisualGSMWatcher.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Breit Technologies\BT Reminder Buddy\BTReminderBuddy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\joshua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\MySQL\bin\mysqld-max-nt.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\cscript.exe
C:\WINDOWS\system32\cscript.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Java\JRE16~4.0_0\bin\java.exe
C:\Program Files\Visualtron Software Corporation\VisualGSM\VisualGSMManager.exe
C:\Program Files\Borland\Delphi6\Bin\delphi32.exe
C:\Program Files\Borland\Delphi7\Bin\delphi32.exe
C:\Program Files\ASProtect 1.35 Release\ASProtect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! ?u??|C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! ?u??|C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BTReminderBuddyStartUp] C:\Program Files\Breit Technologies\BT Reminder Buddy\BTReminderBuddy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\joshua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Start FreeRADIUS.net Trayicon.lnk = C:\FreeRADIUS.net\FreeRADIUS.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161765184585
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540001} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {ECCBA953-80E5-11D3-9285-0080ADB811C5} (safeInput Class) - https://pbank.95559.com.cn/netpay/ocx/safe.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...477/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24EA3B8C-E438-42B3-90D0-6B09D95C5FF6}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{24EA3B8C-E438-42B3-90D0-6B09D95C5FF6}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{24EA3B8C-E438-42B3-90D0-6B09D95C5FF6}: NameServer = 192.168.0.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{24EA3B8C-E438-42B3-90D0-6B09D95C5FF6}: NameServer = 192.168.0.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: apachevgsm - Unknown owner - c:\vgsmweb\apache\Apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MNSOCKET SMPP Service - www.mnsocket.com - c:\smpp\SMPPReceiver.exe
O23 - Service: MNSOCKET SMPP Watcher - Unknown owner - c:\smpp\smppwatcher.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\MySQL\bin\mysqld-max-nt.exe
O23 - Service: NetDecision Service Manager (ND_ServiceManager) - Unknown owner - C:\Program Files\NetDecision\Bin\ServiceManager.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: screen-scraper - Unknown owner - C:\Program Files\screen-scraper professional edition\wrapper.exe (file missing)
O23 - Service: VisualGSM_SNMP2SMS (SnmpWatcherService) - Unknown owner - C:\Program Files\Visualtron Software Corporation\VisualGSM-SNMP2SMS\SnmpWatcher.exe
O23 - Service: VisualGSM_Text2SMS (Text2SMS) - Unknown owner - C:\Program Files\Visualtron Software Corporation\VisualGSM-Text2SMS\Text2SMSService.exe
O23 - Service: VisualGSM (visualgsm) - Unknown owner - C:\Program Files\Visualtron Software Corporation\VisualGSM\visualgsmserver.exe
O23 - Service: visualGSMSMPPReceiver - Unknown owner - C:\Program Files\Visualtron Software Corporation\VisualGSM\VisualGSMSMPP.exe
O23 - Service: VisualGSMWatcher (VisualGSMWatcherSvc) - Unknown owner - C:\Program Files\Visualtron Software Corporation\VisualGSM\VisualGSMWatcher.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12368 bytes
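A triage script for the kind of log posted above, added here as an example; it is not part of the thread, not a HijackThis feature, and not the poster's or the helper's code. It encodes two checks a responder applies by eye to such logs: the Userinit value (F2 line) should contain nothing but userinit.exe, because everything listed there is launched at every interactive logon, and a file carrying the name of a native Windows process (services.exe, lsass.exe, svchost.exe, ...) should only ever live in that process's real directory. The sample input is a handful of lines copied from the HijackThis log above; the assumption that the Windows directory is C:\WINDOWS is taken from that log and is the only environment-specific value in the code.

```python
"""Triage a HijackThis v2 log for entries that warrant a closer look.

Added example, not part of the thread. Assumptions: Windows lives in
C:\\WINDOWS (as in the posted log) and lines follow the 'Oxx - ... - <path>'
layout HijackThis v2 writes.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above.
# The last two are included so the rules have benign entries to pass over.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O23 - Service: screen-scraper - Unknown owner - C:\Program Files\screen-scraper professional edition\wrapper.exe (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Native Windows processes and the only directory each legitimately runs from
# on XP. A file with one of these names anywhere else is a classic masquerade.
# (Assumes the C:\WINDOWS install path seen in the posted log.)
CORE_SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Winlogon runs every comma-separated entry of the Userinit value at logon;
# only the real userinit.exe belongs there.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches a drive-letter path ending in .exe; spaces are allowed inside
# components so "C:\Program Files\..." is captured whole.
WIN_PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n,]+?\.exe',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


def paths_in(line: str) -> list:
    """Return every .exe path mentioned on a log line."""
    return WIN_PATH_RE.findall(line)


def check_userinit(line: str) -> list:
    """Flag anything in the Userinit value other than the genuine userinit.exe."""
    m = re.search(r"UserInit=(.*)", line, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip().strip('"') for e in m.group(1).split(",") if e.strip()]
    return [
        Finding("high", f"extra Userinit entry: {e}", line)
        for e in entries
        if e.lower() != EXPECTED_USERINIT
    ]


def check_masquerade(line: str) -> list:
    """Flag core system binary names that run from the wrong directory."""
    out = []
    for p in paths_in(line):
        name = ntpath.basename(p).lower()
        home = CORE_SYSTEM_BINARIES.get(name)
        if home and ntpath.dirname(p).lower() != home:
            out.append(Finding("high", f"{name} outside {home}: {p}", line))
    return out


def check_orphans(line: str) -> list:
    """Low-priority hygiene: services and BHOs whose file no longer exists."""
    if line.startswith("O23 -") and "(file missing)" in line:
        return [Finding("low", "service points at a missing file", line)]
    if line.startswith("O2 -") and "(no file)" in line:
        return [Finding("low", "BHO with no backing file", line)]
    return []


RULES = (check_userinit, check_masquerade, check_orphans)
_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(log_text: str) -> list:
    """Run every rule over every non-empty line; highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule in RULES:
            findings.extend(rule(line))
    findings.sort(key=lambda f: _ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```

Run against the posted log, the F2 line fires both high-severity rules: the Userinit value carries a second executable, and that executable is named services.exe but sits in system32\drivers rather than system32. A firewall prompt naming only cscript.exe is consistent with that picture, since the script host is the process that opens the socket; the .vbs it was given on its command line (visible in Process Explorer, or via `wmic process where name='cscript.exe' get commandline`) is what identifies the caller.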

#5 Rosty (Skydive junkie, Malware Response Team, 1,220 posts)

Posted 01 January 2009 - 02:35 PM

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply, please include:
- The log from Malwarebytes' Anti-Malware
- A new HijackThis log
Proud member of ASAP since 2007
