Help please - mshta.exe possible trojan?


This topic is locked
46 replies to this topic

#1 milofficer (Members, 41 posts)

Posted 31 January 2009 - 04:14 AM

Hello all,

I have a problem with mshta.exe. I was surfing the net using IE7 and suddenly got a number of popups. I switched to Firefox, scanned with Avira and Malwarebytes and Spybot and thought I had removed the problems. However, I have started to notice that mshta.exe appears in my Task Manager. I've built several XP computers in the past and I have never run into this program before. However, what bothered me was that there are numerous examples of it at one time. I just checked as I am writing this, and there are now 10+ mshta.exe processes running, all under "SYSTEM" and taking approx 2,600k of memory apiece. I downloaded HTAStop, but this has not solved the problem. When HTAStop is enabled, the mshta process seems capped at 2,600k of memory. When HTAStop is disabled, the memory usage jumps to 12,000k+ each.

These processes haven't directly impeded my system's performance, but they are eating my memory. I would like to get to the bottom of the problem asap.

I have read this post from a user who seems to have had the same problem as me, but he didn't post a full solution unfortunately. Mshta post


Any help would be appreciated!


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 07 February 2009 - 07:05 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right-click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 07 February 2009 - 07:06 PM

Mispost

Edited by PropagandaPanda, 07 February 2009 - 07:06 PM.


#4 milofficer (Topic Starter, Members, 41 posts)

Posted 08 February 2009 - 03:48 PM

Do I follow those instructions, PP, or do I disregard and wait?

thanks in advance

#5 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 08 February 2009 - 04:54 PM

Please follow the directions.

I was replying into another user's topic and posted into this one again.

With Regards,
The Panda

#6 milofficer (Topic Starter, Members, 41 posts)

Posted 09 February 2009 - 01:49 PM

OK, here's the ComboFix log; HJT log to follow.


ComboFix 09-02-08.02 - Administrator 2009-02-09 10:41:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2622 [GMT -8:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-06 14:07 . 2009-02-06 14:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Red Alert 3 Demo
2009-02-06 13:59 . 2009-02-06 13:59 <DIR> d-------- c:\program files\PCPitstop
2009-02-03 00:12 . 2009-02-03 00:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-02-02 23:24 . 2009-02-03 00:13 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-02-02 13:25 . 2009-02-05 22:38 184,320 --a------ c:\windows\system32\miccyhook.dll
2009-02-02 02:37 . 2009-02-02 02:37 <DIR> d-------- C:\Team17
2009-01-30 22:51 . 2009-01-30 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 22:50 . 2009-02-03 00:13 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 22:50 . 2009-02-03 00:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-28 21:59 . 2009-01-28 21:59 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-28 21:57 . 2009-01-28 21:57 <DIR> d-------- c:\windows\ERUNT
2009-01-28 21:53 . 2009-01-28 22:08 <DIR> d-------- C:\SDFix
2009-01-21 16:38 . 2009-01-21 16:38 <DIR> d-------- c:\program files\OpenAL
2009-01-21 16:38 . 2006-12-14 19:47 782,336 -ra------ c:\windows\system32\tmp5D.tmp
2009-01-21 16:38 . 2009-01-21 16:38 409,600 --a------ c:\windows\system32\wrap_oal.dll
2009-01-21 16:38 . 2009-01-21 16:38 114,688 --a------ c:\windows\system32\OpenAL32.dll
2009-01-21 16:34 . 2009-01-21 16:34 <DIR> d-------- c:\program files\Atari
2009-01-21 16:18 . 2009-01-21 16:18 <DIR> d-------- c:\program files\Strategy First
2009-01-21 14:50 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-21 14:50 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-21 14:50 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-21 14:50 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-21 14:37 . 2009-01-21 18:05 <DIR> d-------- c:\program files\EA GAMES
2009-01-18 12:29 . 1999-12-21 07:58 21,312 --a------ c:\windows\choice.exe
2009-01-18 12:29 . 2003-06-01 03:45 1,397 --a------ c:\windows\tif-cln.bat
2009-01-15 20:47 . 2009-01-15 20:47 <DIR> d-------- c:\windows\Sun
2009-01-15 19:33 . 2009-01-15 19:33 <DIR> d-------- c:\program files\Jetico
2009-01-15 19:29 . 2003-06-01 03:45 1,421 --a------ c:\windows\tif-del.bat
2009-01-15 19:29 . 2003-06-01 03:45 1,397 --a------ c:\windows\tif-wip.bat
2009-01-15 19:27 . 2003-06-01 03:45 199 --a------ c:\windows\tif-cln.reg
2009-01-15 19:27 . 2003-06-01 03:45 152 --a------ c:\windows\re-tif.bat
2009-01-15 19:26 . 2009-01-15 19:29 <DIR> d-------- C:\tif-cln-nt
2009-01-13 13:55 . 2008-06-20 03:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys
2009-01-13 13:55 . 2008-06-20 09:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
2009-01-13 13:55 . 2008-06-20 03:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 13:55 . 2008-06-20 09:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll
2009-01-12 16:12 . 2009-01-22 23:30 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-12 11:26 . 2009-01-12 11:27 <DIR> d-------- C:\rsit
2009-01-11 23:51 . 2009-01-21 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-01-11 23:51 . 2009-01-11 23:51 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\SecuROM
2009-01-11 23:26 . 2009-01-11 23:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-11 23:26 . 2009-01-11 23:26 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-10 02:13 . 2009-01-10 02:13 94,208 --a------ c:\windows\DIIUnin.exe
2009-01-10 02:13 . 2009-02-06 13:50 35,049 --a------ c:\windows\DIIUnin.dat
2009-01-10 02:13 . 2009-01-10 02:13 2,829 --a------ c:\windows\DIIUnin.pif
2009-01-10 02:06 . 2009-02-06 13:50 <DIR> d-------- c:\program files\Diablo II
2009-01-10 01:54 . 2009-02-05 01:38 <DIR> d-------- c:\program files\SpeedFan
2009-01-10 01:54 . 2009-01-10 01:54 45 --a------ c:\windows\system32\initdebug.nfo
2009-01-10 00:48 . 2009-01-10 00:51 139,264 --a------ c:\windows\War3Unin.exe
2009-01-10 00:48 . 2009-01-10 00:52 76,189 --a------ c:\windows\War3Unin.dat
2009-01-10 00:48 . 2009-01-10 00:51 2,829 --a------ c:\windows\War3Unin.pif
2009-01-10 00:47 . 2009-02-02 02:37 <DIR> d-------- c:\program files\Warcraft III
2009-01-10 00:36 . 2009-01-10 00:36 38 --a------ c:\windows\AviSplitter.INI
2009-01-09 15:00 . 2009-01-09 15:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-09 14:59 . 2009-01-09 14:59 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-09 14:59 . 2009-01-09 14:59 <DIR> d-------- c:\program files\JRE
2009-01-09 14:59 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 14:58 . 2009-01-09 14:59 <DIR> d-------- c:\program files\Java
2009-01-09 14:58 . 2009-01-09 14:58 <DIR> d-------- c:\program files\Common Files\Java
2009-01-09 13:32 . 2009-01-21 18:10 14 --a------ c:\windows\system32\ANIWZCSUSERNAME{D7C46C32-DB92-4654-90A1-25033ACC17B2}
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\program files\D-Link
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\program files\ANI
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-09 13:22 . 2009-02-02 21:57 <DIR> d-------- c:\program files\Microsoft Games
2009-01-09 13:22 . 1998-09-02 00:02 194,320 --a------ c:\windows\system32\qcut.dll
2009-01-09 13:22 . 1998-08-26 20:51 182,032 --a------ c:\windows\system32\dxtmsft3.dll
2009-01-09 13:22 . 1998-08-20 03:02 140,800 --a------ c:\windows\system32\tm20dec.ax
2009-01-09 13:22 . 1998-09-02 00:28 63,488 --a------ c:\windows\system32\unam4ie.exe
2009-01-09 13:22 . 1998-09-02 00:28 38,160 --a------ c:\windows\system32\LMRTREND.dll
2009-01-09 13:22 . 1998-08-17 01:21 11,776 --a------ c:\windows\system32\mciqtz.drv
2009-01-09 13:22 . 1998-08-17 01:21 10,240 --a------ c:\windows\system32\vidx16.dll
2009-01-09 13:22 . 1998-08-17 01:21 5,672 --a------ c:\windows\system32\quartz.vxd
2009-01-09 13:22 . 2009-01-09 13:22 4,608 --a------ c:\windows\system32\w95inf32.dll
2009-01-09 13:22 . 2009-01-09 13:22 2,272 --a------ c:\windows\system32\w95inf16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 21:57 --------- d-----w c:\program files\Electronic Arts
2009-02-05 09:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 09:40 --------- d-----w c:\program files\SpywareBlaster
2009-02-03 08:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 08:12 --------- d-----w c:\program files\Comodo
2009-02-02 12:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 12:06 --------- d-----w c:\program files\Ubisoft
2009-01-29 07:19 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-29 06:14 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-22 00:22 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 05:27 275,184 ----a-w c:\windows\BCUnInstall.exe
2009-01-13 02:31 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-12 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-01-11 06:59 1,435,648 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-01-06 03:10 --------- d-----w c:\program files\Zone Labs
2009-01-05 05:00 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-05 04:45 --------- d-----w c:\program files\Rockstar Games
2009-01-05 01:49 --------- d-----w c:\program files\Reference Assemblies
2009-01-05 01:30 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2009-01-05 01:30 --------- d-----w c:\program files\Alcohol Soft
2009-01-05 01:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 01:18 --------- dc-h--w c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2009-01-05 01:14 611,064 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-04 22:02 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2009-01-04 21:53 --------- d-----w c:\program files\Avira
2009-01-04 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-01-04 21:07 --------- d-----w c:\program files\XP Codec Pack
2009-01-04 21:07 --------- d-----w c:\program files\VideoLAN
2009-01-04 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\Media Center Programs
2009-01-04 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 20:55 --------- d-----w c:\program files\THQ
2009-01-04 20:39 --------- d-----w c:\program files\Valve
2009-01-04 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 20:36 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-04 08:34 --------- d-----w c:\program files\MSXML 4.0
2009-01-04 08:15 --------- d-----w c:\program files\Microsoft
2009-01-04 08:14 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-04 08:14 --------- d-----w c:\program files\Windows Live
2009-01-04 08:05 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-04 08:03 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-04 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-03 11:22 --------- d-----w c:\program files\Realtek
2009-01-03 10:45 --------- d-----w c:\program files\NVIDIA Corporation
2009-01-03 10:42 --------- d-----w c:\program files\AGEIA Technologies
2009-01-03 10:22 --------- d-----w c:\program files\microsoft frontpage
2009-01-03 10:19 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-27 01:27 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2008-12-27 00:20 18,081,280 ----a-w c:\windows\RTHDCPL.EXE
2008-12-19 15:15 4,338,246 ----a-w c:\windows\system32\libavcodec.dll
2008-12-18 22:32 34,816 ----a-w c:\windows\system32\RtkCoInstXP.dll
2008-12-17 17:41 884,237 ----a-w c:\windows\system32\ff_x264.dll
2008-12-17 17:22 93,184 ----a-w c:\windows\system32\ff_wmv9.dll
2008-12-17 17:22 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-17 17:17 239,247 ----a-w c:\windows\system32\ff_theora.dll
2008-12-17 16:59 560,802 ----a-w c:\windows\system32\libmplayer.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-03 06:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-11-29 20:26 991,232 ----a-w c:\windows\system32\VSFilter.dll
2008-11-13 23:18 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((( snapshot_2009-02-03_ 0.50.49.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 00:41:34 372,736 ----a-w c:\windows\Resources\Themes\Shell\Metallic\Shellstyle.dll
+ 2004-08-26 00:41:32 372,736 ----a-w c:\windows\Resources\Themes\Shell\NormalColor\metal_ss.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2007-01-19 11:49 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCWipeTM Startup]
--a------ 2008-09-03 22:06 545520 c:\program files\Jetico\BCWipe\BCWipeTM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
--a------ 2007-11-12 09:49 1662976 c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RE-TIF]
--a------ 2003-06-01 03:45 152 c:\windows\re-tif.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2009-01-04 20:46 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2008-06-19 16:42 2808832 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-12-26 16:20 18081280 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-11-20 18:15 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2008-08-19 13:26 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlus® Helper"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"NVSvc"=2 (0x2)
"nSvcIp"=2 (0x2)
"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)
"jswpsapi"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"wuauserv"=2 (0x2)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"D-Link RangeBooster G WUA-2340"=c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Atari\\ArmA\\arma.exe"=

R1 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2008-11-13 91496]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-01-03 377920]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-01-09 57376]
S4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [2009-01-09 352338]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lsva6ewr.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 10:44:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:42,6c,8c,07,0e,1d,d0,0e,91,3e,10,7d,df,4e,eb,a5,2a,ce,6e,44,05,a2,ee,
ee,b7,f4,c9,52,0d,68,1f,ce,44,86,2b,01,4f,03,42,92,e8,03,25,45,6a,ca,dc,0d,\
"??"=hex:af,63,fb,89,8e,62,66,4a,80,2b,73,32,e4,ee,9e,94

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:89,ab,92,7c,12,6c,03,2e,57,0e,24,15,fe,36,50,d1,ae,2b,da,ef,8a,
4c,44,a6,a4,97,03,64,c7,1f,ab,62,46,b8,06,3b,40,ae,a0,71,0e,a9,d3,fe,90,92,\
"rkeysecu"=hex:d9,d3,7e,a3,f2,3a,76,78,82,a5,27,d1,6f,32,c7,5f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1356)
c:\windows\system32\nvLsp.dll
.
Completion time: 2009-02-09 10:45:23
ComboFix-quarantined-files.txt 2009-02-09 18:45:22
ComboFix2.txt 2009-02-03 08:51:18
ComboFix3.txt 2009-01-05 04:09:02

Pre-Run: 388,592,840,704 bytes free
Post-Run: 388,587,937,792 bytes free

290 --- E O F --- 2009-01-15 02:42:20

#7 milofficer (Topic Starter, Members, 41 posts)

Posted 09 February 2009 - 02:07 PM

I should add that I've noticed a few more oddities. Yesterday I heard a few random alert noises (the same tone as when you close a task in Task Manager). There was no popup window or anything, just the noise. I didn't see any related processes that would explain the reason.

Also, from time to time, XP starts to list my recent documents in the Start menu. I have disabled it twice in Start menu properties, but it gets re-enabled for some reason. I've never seen that before.

In addition, the IE7 icon somehow creates a shortcut for itself on the desktop for no reason. I use Firefox exclusively now and I haven't used IE7 since these problems started. Once I delete the shortcut and open Firefox, I find that it is no longer the default browser. Also, there's a txt file on the desktop that appears next to the IE7 logo, called 'catchme', and it seemed to have some quasi-spyware log stuff in it. Unfortunately I forgot to copy the contents and post it here.

#8 milofficer (Topic Starter, Members, 41 posts)

Posted 09 February 2009 - 02:10 PM

HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:00 AM, on 09/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230982198812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230982194593
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4165 bytes
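The HijackThis log above is plain text with a fixed prefix per entry type (O2 BHOs, O3 toolbars, O4 autostarts, O10 Winsock LSPs, O16 ActiveX downloads, O23 services) and an unprefixed "Running processes" block. The Python below is an added triage example written for this page; it is not part of the thread and not HijackThis's own code. It runs over a constructed excerpt of the log in this post (the O16 URL is kept in the truncated form the post shows) and pulls out what a responder checks first: a running script host such as mshta.exe, orphaned "(file missing)" entries, the de-duplicated LSP list, parsed O4 autostarts, and whether any visible autostart accounts for the script host. The SCRIPT_HOSTS set is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed sample: lines taken from the HijackThis log posted above, trimmed to
# the entry types this triage looks at. The O16 URL is kept exactly as the post
# shows it (truncated with "...").
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230982198812
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption of this example: script hosts whose presence in the process list
# deserves a second look (mshta.exe is the one this thread is about).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

_ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
_O4_RE = re.compile(r"^(\S+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
_O23_RE = re.compile(r"^Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$")


def _exe_of(cmd: str) -> str:
    """First token of an autostart command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    return cmd.split(" ", 1)[0]


def triage_hjt(text: str) -> Dict[str, list]:
    """Pull the entries a responder checks first out of a HijackThis log."""
    report: Dict[str, list] = {"script_hosts": [], "orphaned": [], "lsp": [],
                               "autostarts": [], "dpf_hosts": [], "services": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                report["script_hosts"].append(line)
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("O2", "O3") and body.endswith("(file missing)"):
            report["orphaned"].append(body)       # BHO/toolbar whose DLL is gone
        elif kind == "O4":
            m4 = _O4_RE.match(body)
            if m4:
                hive, location, name, cmd = m4.groups()
                report["autostarts"].append({"hive": hive, "location": location,
                                             "name": name, "cmd": cmd, "exe": _exe_of(cmd)})
        elif kind == "O10":
            path = body.rsplit(": ", 1)[-1].lower()
            if path not in report["lsp"]:         # HJT lists one LSP line per protocol
                report["lsp"].append(path)
        elif kind == "O16":
            m16 = re.search(r"https?://([^/\s]+)", body)
            if m16:
                report["dpf_hosts"].append(m16.group(1))
        elif kind == "O23":
            m23 = _O23_RE.match(body)
            if m23:
                display, short, vendor, path = m23.groups()
                report["services"].append({"display": display, "short": short,
                                           "vendor": vendor, "path": path})
    return report


def launchers_for(report: Dict[str, list], host: str) -> List[dict]:
    """Autostarts that visibly launch the given script host or an .hta file."""
    h = host.lower()
    return [a for a in report["autostarts"]
            if h in a["cmd"].lower() or ".hta" in a["cmd"].lower()]


if __name__ == "__main__":
    r = triage_hjt(SAMPLE_HJT)
    for proc in r["script_hosts"]:
        hits = launchers_for(r, proc.rsplit("\\", 1)[-1])
        print(f"running script host: {proc}; visible launchers: {hits or 'none'}")
    print("orphaned entries:", len(r["orphaned"]))
    print("LSP files:", r["lsp"])
    print("ActiveX download hosts:", r["dpf_hosts"])
```

For this log the launcher list for mshta.exe comes back empty: HijackThis shows that the process is running but records neither its command line (which would name the .hta or script it was handed) nor its parent process. On a live machine those two fields, readable from Process Explorer or from WMI's Win32_Process (CommandLine, ParentProcessId), are the next thing to collect, since an HTA can also be started by a scheduled task, another process, or a browser rather than by a Run key.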

#9 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 09 February 2009 - 03:49 PM

Hello.

> Yesterday I heard a few random alert noises (the same tone as when you close a task in Task Manager).

I'm not sure what that sound is (my sound is disabled). I've seen a few users with this issue, though we weren't able to find what was causing it.

> In addition, the IE7 icon somehow creates a shortcut for itself on the desktop for no reason. I use Firefox exclusively now and I haven't used IE7 since these problems started. Once I delete the shortcut and open Firefox, I find that it is no longer the default browser. Also, there's a txt file on the desktop that appears next to the IE7 logo, called 'catchme', and it seemed to have some quasi-spyware log stuff in it. Unfortunately I forgot to copy the contents and post it here.

ComboFix may have created the IE shortcut.

Not sure where catchme came from, but it is used in malware removal. Have you run other tools?

Let's clean up some leftovers.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/199445/help-please-mshtaexe-possible-trojan/
    
    Suspect::[59]
    c:\windows\system32\drivers\bcswap.sys
    
    File::
    c:\windows\system32\miccyhook.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me that samples were uploaded.

F-Secure Online Scan
Please run F-Secure Online Scanner to check for anything we've missed.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda
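As an added illustration (not ComboFix's code and not part of the original post), here is a small Python parser for the CFScript format used in the instructions above: it reads the Suspect::, File:: and Registry:: sections and lists the actions the script asks for, so a reviewer can see exactly what will be uploaded, deleted or edited before dragging the file onto ComboFix.exe. The sample is the script posted above; the directive semantics (Suspect:: uploads, File:: deletes, Registry:: uses regedit syntax where "=-" removes a value and [-key] removes a key) are my reading of the format, not an official specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^(\w+)::(?:\[\d+\])?$")      # e.g. "File::" or "Suspect::[59]"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # "[key]" or "[-key]" (delete key)
REG_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')   # '"name"=data' or '@=data'


@dataclass
class RegistryEdit:
    key: str
    delete_key: bool = False
    # value name -> data; None means "delete this value" (the "=-" form)
    values: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class CFScript:
    thread_url: Optional[str] = None                       # first line, ties script to the thread
    suspect: List[str] = field(default_factory=list)       # Suspect:: files uploaded for analysis
    files: List[str] = field(default_factory=list)         # File:: files to delete
    registry: List[RegistryEdit] = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    """Parse a CFScript into its sections; raises ValueError on lines it cannot place."""
    script = CFScript()
    section: Optional[str] = None
    current: Optional[RegistryEdit] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section is None and line.lower().startswith("http"):
            script.thread_url = line
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1).lower(), None
            continue
        if section == "suspect":
            script.suspect.append(line)
        elif section == "file":
            script.files.append(line)
        elif section == "registry":
            km = REG_KEY_RE.match(line)
            if km:
                current = RegistryEdit(key=km.group(2), delete_key=(km.group(1) == "-"))
                script.registry.append(current)
                continue
            vm = REG_VALUE_RE.match(line)
            if vm is None or current is None:
                raise ValueError(f"malformed Registry:: line: {raw!r}")
            name = vm.group(1) if vm.group(1) is not None else "@"
            current.values[name] = None if vm.group(2) == "-" else vm.group(2)
        else:
            raise ValueError(f"line outside a known section: {raw!r}")
    return script


def plan_actions(script: CFScript) -> List[str]:
    """Human-readable list of what the script asks ComboFix to do, in script order."""
    actions = [f"upload for analysis: {p}" for p in script.suspect]
    actions += [f"delete file: {p}" for p in script.files]
    for edit in script.registry:
        if edit.delete_key:
            actions.append(f"delete key: {edit.key}")
            continue
        for name, data in edit.values.items():
            verb = "delete value" if data is None else "set value"
            suffix = "" if data is None else f" = {data}"
            actions.append(f"{verb}: {edit.key}\\{name}{suffix}")
    return actions


# Sample input: the CFScript posted in this thread, embedded here so the parser runs offline.
SAMPLE_CFSCRIPT = r"""http://www.bleepingcomputer.com/forums/t/199445/help-please-mshtaexe-possible-trojan/

Suspect::[59]
c:\windows\system32\drivers\bcswap.sys

File::
c:\windows\system32\miccyhook.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
"""

if __name__ == "__main__":
    for action in plan_actions(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(action)
```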

#10 milofficer

milofficer
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:06:21 AM

Posted 09 February 2009 - 05:25 PM

updated Combofix log: (files were uploaded)

ComboFix 09-02-08.02 - Administrator 2009-02-09 13:35:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2505 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\miccyhook.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\miccyhook.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-06 14:07 . 2009-02-06 14:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Red Alert 3 Demo
2009-02-06 13:59 . 2009-02-06 13:59 <DIR> d-------- c:\program files\PCPitstop
2009-02-03 00:12 . 2009-02-03 00:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-02-02 23:24 . 2009-02-03 00:13 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-02-02 02:37 . 2009-02-02 02:37 <DIR> d-------- C:\Team17
2009-01-30 22:51 . 2009-01-30 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 22:50 . 2009-02-03 00:13 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 22:50 . 2009-02-03 00:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-28 21:59 . 2009-01-28 21:59 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-28 21:57 . 2009-01-28 21:57 <DIR> d-------- c:\windows\ERUNT
2009-01-28 21:53 . 2009-01-28 22:08 <DIR> d-------- C:\SDFix
2009-01-21 16:38 . 2009-01-21 16:38 <DIR> d-------- c:\program files\OpenAL
2009-01-21 16:38 . 2006-12-14 19:47 782,336 -ra------ c:\windows\system32\tmp5D.tmp
2009-01-21 16:38 . 2009-01-21 16:38 409,600 --a------ c:\windows\system32\wrap_oal.dll
2009-01-21 16:38 . 2009-01-21 16:38 114,688 --a------ c:\windows\system32\OpenAL32.dll
2009-01-21 16:34 . 2009-01-21 16:34 <DIR> d-------- c:\program files\Atari
2009-01-21 16:18 . 2009-01-21 16:18 <DIR> d-------- c:\program files\Strategy First
2009-01-21 14:50 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-21 14:50 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-21 14:50 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-21 14:50 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-21 14:37 . 2009-01-21 18:05 <DIR> d-------- c:\program files\EA GAMES
2009-01-18 12:29 . 1999-12-21 07:58 21,312 --a------ c:\windows\choice.exe
2009-01-18 12:29 . 2003-06-01 03:45 1,397 --a------ c:\windows\tif-cln.bat
2009-01-15 20:47 . 2009-01-15 20:47 <DIR> d-------- c:\windows\Sun
2009-01-15 19:33 . 2009-01-15 19:33 <DIR> d-------- c:\program files\Jetico
2009-01-15 19:29 . 2003-06-01 03:45 1,421 --a------ c:\windows\tif-del.bat
2009-01-15 19:29 . 2003-06-01 03:45 1,397 --a------ c:\windows\tif-wip.bat
2009-01-15 19:27 . 2003-06-01 03:45 199 --a------ c:\windows\tif-cln.reg
2009-01-15 19:27 . 2003-06-01 03:45 152 --a------ c:\windows\re-tif.bat
2009-01-15 19:26 . 2009-01-15 19:29 <DIR> d-------- C:\tif-cln-nt
2009-01-13 13:55 . 2008-06-20 03:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys
2009-01-13 13:55 . 2008-06-20 09:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
2009-01-13 13:55 . 2008-06-20 03:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 13:55 . 2008-06-20 09:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll
2009-01-12 16:12 . 2009-01-22 23:30 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-12 11:26 . 2009-01-12 11:27 <DIR> d-------- C:\rsit
2009-01-11 23:51 . 2009-01-21 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-01-11 23:51 . 2009-01-11 23:51 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\SecuROM
2009-01-11 23:26 . 2009-01-11 23:26 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-11 23:26 . 2009-01-11 23:26 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-10 02:13 . 2009-01-10 02:13 94,208 --a------ c:\windows\DIIUnin.exe
2009-01-10 02:13 . 2009-02-06 13:50 35,049 --a------ c:\windows\DIIUnin.dat
2009-01-10 02:13 . 2009-01-10 02:13 2,829 --a------ c:\windows\DIIUnin.pif
2009-01-10 02:06 . 2009-02-09 11:11 <DIR> d-------- c:\program files\Diablo II
2009-01-10 01:54 . 2009-02-05 01:38 <DIR> d-------- c:\program files\SpeedFan
2009-01-10 01:54 . 2009-01-10 01:54 45 --a------ c:\windows\system32\initdebug.nfo
2009-01-10 00:48 . 2009-01-10 00:51 139,264 --a------ c:\windows\War3Unin.exe
2009-01-10 00:48 . 2009-01-10 00:52 76,189 --a------ c:\windows\War3Unin.dat
2009-01-10 00:48 . 2009-01-10 00:51 2,829 --a------ c:\windows\War3Unin.pif
2009-01-10 00:47 . 2009-02-02 02:37 <DIR> d-------- c:\program files\Warcraft III
2009-01-10 00:36 . 2009-01-10 00:36 38 --a------ c:\windows\AviSplitter.INI
2009-01-09 15:00 . 2009-01-09 15:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-09 14:59 . 2009-01-09 14:59 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-09 14:59 . 2009-01-09 14:59 <DIR> d-------- c:\program files\JRE
2009-01-09 14:59 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 14:58 . 2009-01-09 14:59 <DIR> d-------- c:\program files\Java
2009-01-09 14:58 . 2009-01-09 14:58 <DIR> d-------- c:\program files\Common Files\Java
2009-01-09 13:32 . 2009-01-21 18:10 14 --a------ c:\windows\system32\ANIWZCSUSERNAME{D7C46C32-DB92-4654-90A1-25033ACC17B2}
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\program files\D-Link
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\program files\ANI
2009-01-09 13:31 . 2009-01-09 13:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-09 13:22 . 2009-02-02 21:57 <DIR> d-------- c:\program files\Microsoft Games
2009-01-09 13:22 . 1998-09-02 00:02 194,320 --a------ c:\windows\system32\qcut.dll
2009-01-09 13:22 . 1998-08-26 20:51 182,032 --a------ c:\windows\system32\dxtmsft3.dll
2009-01-09 13:22 . 1998-08-20 03:02 140,800 --a------ c:\windows\system32\tm20dec.ax
2009-01-09 13:22 . 1998-09-02 00:28 63,488 --a------ c:\windows\system32\unam4ie.exe
2009-01-09 13:22 . 1998-09-02 00:28 38,160 --a------ c:\windows\system32\LMRTREND.dll
2009-01-09 13:22 . 1998-08-17 01:21 11,776 --a------ c:\windows\system32\mciqtz.drv
2009-01-09 13:22 . 1998-08-17 01:21 10,240 --a------ c:\windows\system32\vidx16.dll
2009-01-09 13:22 . 1998-08-17 01:21 5,672 --a------ c:\windows\system32\quartz.vxd
2009-01-09 13:22 . 2009-01-09 13:22 4,608 --a------ c:\windows\system32\w95inf32.dll
2009-01-09 13:22 . 2009-01-09 13:22 2,272 --a------ c:\windows\system32\w95inf16.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 21:57 --------- d-----w c:\program files\Electronic Arts
2009-02-05 09:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 09:40 --------- d-----w c:\program files\SpywareBlaster
2009-02-03 08:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 08:12 --------- d-----w c:\program files\Comodo
2009-02-02 12:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 12:06 --------- d-----w c:\program files\Ubisoft
2009-01-29 07:19 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-29 06:14 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-22 00:22 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-15 00:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 05:27 275,184 ----a-w c:\windows\BCUnInstall.exe
2009-01-13 02:31 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-12 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-01-11 06:59 1,435,648 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-01-06 03:10 --------- d-----w c:\program files\Zone Labs
2009-01-05 05:00 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-05 04:45 --------- d-----w c:\program files\Rockstar Games
2009-01-05 01:49 --------- d-----w c:\program files\Reference Assemblies
2009-01-05 01:30 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2009-01-05 01:30 --------- d-----w c:\program files\Alcohol Soft
2009-01-05 01:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-05 01:18 --------- dc-h--w c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2009-01-05 01:14 611,064 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-04 22:02 --------- d-----w c:\documents and settings\Administrator\Application Data\vlc
2009-01-04 21:53 --------- d-----w c:\program files\Avira
2009-01-04 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-01-04 21:07 --------- d-----w c:\program files\XP Codec Pack
2009-01-04 21:07 --------- d-----w c:\program files\VideoLAN
2009-01-04 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\Media Center Programs
2009-01-04 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 20:55 --------- d-----w c:\program files\THQ
2009-01-04 20:39 --------- d-----w c:\program files\Valve
2009-01-04 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 20:36 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-04 08:34 --------- d-----w c:\program files\MSXML 4.0
2009-01-04 08:15 --------- d-----w c:\program files\Microsoft
2009-01-04 08:14 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-04 08:14 --------- d-----w c:\program files\Windows Live
2009-01-04 08:05 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-04 08:03 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-04 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-03 11:22 --------- d-----w c:\program files\Realtek
2009-01-03 10:45 --------- d-----w c:\program files\NVIDIA Corporation
2009-01-03 10:42 --------- d-----w c:\program files\AGEIA Technologies
2009-01-03 10:22 --------- d-----w c:\program files\microsoft frontpage
2009-01-03 10:19 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-27 01:27 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2008-12-27 00:20 18,081,280 ----a-w c:\windows\RTHDCPL.EXE
2008-12-19 15:15 4,338,246 ----a-w c:\windows\system32\libavcodec.dll
2008-12-18 22:32 34,816 ----a-w c:\windows\system32\RtkCoInstXP.dll
2008-12-17 17:41 884,237 ----a-w c:\windows\system32\ff_x264.dll
2008-12-17 17:22 93,184 ----a-w c:\windows\system32\ff_wmv9.dll
2008-12-17 17:22 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-17 17:17 239,247 ----a-w c:\windows\system32\ff_theora.dll
2008-12-17 16:59 560,802 ----a-w c:\windows\system32\libmplayer.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-03 06:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-11-29 20:26 991,232 ----a-w c:\windows\system32\VSFilter.dll
2008-11-13 23:18 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((( snapshot_2009-02-03_ 0.50.49.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 00:41:34 372,736 ----a-w c:\windows\Resources\Themes\Shell\Metallic\Shellstyle.dll
+ 2004-08-26 00:41:32 372,736 ----a-w c:\windows\Resources\Themes\Shell\NormalColor\metal_ss.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2007-01-19 11:49 49152 c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCWipeTM Startup]
--a------ 2008-09-03 22:06 545520 c:\program files\Jetico\BCWipe\BCWipeTM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
--a------ 2007-11-12 09:49 1662976 c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RE-TIF]
--a------ 2003-06-01 03:45 152 c:\windows\re-tif.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2009-01-04 20:46 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2008-06-19 16:42 2808832 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-12-26 16:20 18081280 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-11-20 18:15 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2008-08-19 13:26 77824 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlus® Helper"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"NVSvc"=2 (0x2)
"nSvcIp"=2 (0x2)
"ForceWare Intelligent Application Manager (IAM)"=2 (0x2)
"jswpsapi"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"wuauserv"=2 (0x2)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"D-Link RangeBooster G WUA-2340"=c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Atari\\ArmA\\arma.exe"=

R1 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2008-11-13 91496]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2009-01-03 377920]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-01-09 57376]
S4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [2009-01-09 352338]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lsva6ewr.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 13:35:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:42,6c,8c,07,0e,1d,d0,0e,91,3e,10,7d,df,4e,eb,a5,2a,ce,6e,44,05,a2,ee,
ee,b7,f4,c9,52,0d,68,1f,ce,44,86,2b,01,4f,03,42,92,e8,03,25,45,6a,ca,dc,0d,\
"??"=hex:af,63,fb,89,8e,62,66,4a,80,2b,73,32,e4,ee,9e,94

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:89,ab,92,7c,12,6c,03,2e,57,0e,24,15,fe,36,50,d1,ae,2b,da,ef,8a,
4c,44,a6,a4,97,03,64,c7,1f,ab,62,46,b8,06,3b,40,ae,a0,71,0e,a9,d3,fe,90,92,\
"rkeysecu"=hex:d9,d3,7e,a3,f2,3a,76,78,82,a5,27,d1,6f,32,c7,5f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1356)
c:\windows\system32\nvLsp.dll
.
Completion time: 2009-02-09 13:36:17
ComboFix-quarantined-files.txt 2009-02-09 21:36:15
ComboFix2.txt 2009-02-09 18:45:24
ComboFix3.txt 2009-02-03 08:51:18
ComboFix4.txt 2009-01-05 04:09:02

Pre-Run: 388,560,961,536 bytes free
Post-Run: 388,549,140,480 bytes free

292 --- E O F --- 2009-01-15 02:42:20

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 AM

Posted 09 February 2009 - 05:29 PM

Hello.

Please proceed with the F-Secure scan.

The Panda

#12 milofficer

milofficer
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:06:21 AM

Posted 09 February 2009 - 05:55 PM

F-Secure report:

Scanning Report
Monday, February 09, 2009 14:34:03 - 14:54:06

Computer name: GALACTICA
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 1 malware found
TrackingCookie.Webtrends (spyware)

* System

Statistics
Scanned:

* Files: 21189
* System: 2979
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_2G3IFTBAKG0NSHGYJFR4
* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_2G3IFTBAKG0NSHGYJFR4-JOURNAL
* C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\ETILQS_WUI2PQD3CUBHSBYPQ8NJ

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-09
* F-Secure AVP: 7.0.171, 2009-02-09
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 AM

Posted 09 February 2009 - 07:24 PM

Hello.

Looks good.

Just a note before I forget: ComboFix also sets IE as the default browser.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Please take a new DDS log after.

With Regards,
The Panda

#14 milofficer

milofficer
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:06:21 AM

Posted 09 February 2009 - 09:24 PM

Downloaded the latest Java; however, I am unable to start Automatic Updates. I've tried all the usual ways. When I double-click on Automatic Updates in services.msc and select the 'Log On' tab, the hardware profile is already set to 'Enable' (as per other help articles I've read). I still can't get the service to start. The error I receive is:

Error 1508: The service cannot be started, either because the it is disabled or because it has no enabled devices associated with it

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 AM

Posted 10 February 2009 - 08:22 AM

Hello.

In Services.msc, double click Automatic Updates.
In the General tab, change the Startup Type to Automatic. Click Apply.
Try to start the service again.

With Regards,
The Panda

