HJT log - please help


This topic is locked
23 replies to this topic

#1 martyn (Members, 50 posts)

Posted 26 February 2009 - 12:06 PM

My parents' computer seems to have had some adware/spyware dropped onto it.
Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02:13, on 26/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\NavNT\defwatch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\nfra.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nfra] c:\windows\nfra.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O20 - Winlogon Notify: __c00C87CA - C:\WINDOWS\system32\__c00C87CA.dat
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8870 bytes


#2 martyn (Topic Starter, Members, 50 posts)

Posted 26 February 2009 - 12:11 PM

netstat -b shows
Active Connections

Proto Local Address Foreign Address State PID
TCP home1:1092 by1msg2175307.phx.gbl:1863 ESTABLISHED 3268

[MsnMsgr.Exe]

TCP home1:2478 82.98.193.167:http ESTABLISHED 3376
[nfra.exe]

TCP home1:2480 82.98.193.167:http ESTABLISHED 3376
[nfra.exe]

TCP home1:2479 localhost:7070 ESTABLISHED 3636
[IEXPLORE.EXE]

TCP home1:7070 localhost:2479 ESTABLISHED 3376
[nfra.exe]

TCP home1:2477 localhost:7070 FIN_WAIT_2 3636
[IEXPLORE.EXE]

TCP home1:7070 localhost:2477 CLOSE_WAIT 3376
[nfra.exe]

TCP home1:7070 localhost:2405 TIME_WAIT 0
TCP home1:7070 localhost:2473 TIME_WAIT 0
TCP home1:7070 localhost:2417 TIME_WAIT 0
TCP home1:7070 localhost:2437 TIME_WAIT 0
TCP home1:7070 localhost:2393 TIME_WAIT 0
TCP home1:7070 localhost:2449 TIME_WAIT 0
TCP home1:7070 localhost:2453 TIME_WAIT 0
TCP home1:7070 localhost:2461 TIME_WAIT 0
TCP home1:7070 localhost:2381 TIME_WAIT 0
TCP home1:7070 localhost:2365 TIME_WAIT 0
TCP home1:7070 localhost:2385 TIME_WAIT 0
TCP home1:7070 localhost:2445 TIME_WAIT 0
TCP home1:7070 localhost:2426 TIME_WAIT 0
TCP home1:7070 localhost:2350 TIME_WAIT 0
TCP home1:7070 localhost:2430 TIME_WAIT 0
TCP home1:7070 localhost:2346 TIME_WAIT 0
TCP home1:7070 localhost:2378 TIME_WAIT 0
TCP home1:7070 localhost:2450 TIME_WAIT 0
TCP home1:7070 localhost:2406 TIME_WAIT 0
TCP home1:7070 localhost:2394 TIME_WAIT 0
TCP home1:7070 localhost:2418 TIME_WAIT 0
TCP home1:7070 localhost:2459 TIME_WAIT 0
TCP home1:7070 localhost:2475 TIME_WAIT 0
TCP home1:7070 localhost:2355 TIME_WAIT 0
TCP home1:7070 localhost:2397 TIME_WAIT 0
TCP home1:7070 localhost:2411 TIME_WAIT 0
TCP home1:7070 localhost:2439 TIME_WAIT 0
TCP home1:7070 localhost:2403 TIME_WAIT 0
TCP home1:7070 localhost:2359 TIME_WAIT 0
TCP home1:7070 localhost:2383 TIME_WAIT 0
TCP home1:7070 localhost:2391 TIME_WAIT 0
TCP home1:7070 localhost:2443 TIME_WAIT 0
TCP home1:7070 localhost:2367 TIME_WAIT 0
TCP home1:7070 localhost:2363 TIME_WAIT 0
TCP home1:7070 localhost:2435 TIME_WAIT 0
TCP home1:7070 localhost:2423 TIME_WAIT 0
TCP home1:7070 localhost:2371 TIME_WAIT 0
TCP home1:7070 localhost:2375 TIME_WAIT 0
TCP home1:7070 localhost:2387 TIME_WAIT 0
TCP home1:7070 localhost:2467 TIME_WAIT 0
TCP home1:7070 localhost:2463 TIME_WAIT 0
TCP home1:7070 localhost:2415 TIME_WAIT 0
TCP home1:7070 localhost:2455 TIME_WAIT 0
TCP home1:7070 localhost:2447 TIME_WAIT 0
TCP home1:7070 localhost:2471 TIME_WAIT 0
TCP home1:7070 localhost:2399 TIME_WAIT 0
TCP home1:7070 localhost:2456 TIME_WAIT 0
TCP home1:7070 localhost:2352 TIME_WAIT 0
TCP home1:7070 localhost:2388 TIME_WAIT 0
TCP home1:7070 localhost:2412 TIME_WAIT 0
TCP home1:7070 localhost:2376 TIME_WAIT 0
TCP home1:7070 localhost:2356 TIME_WAIT 0
TCP home1:7070 localhost:2468 TIME_WAIT 0
TCP home1:7070 localhost:2372 TIME_WAIT 0
TCP home1:7070 localhost:2348 TIME_WAIT 0
TCP home1:7070 localhost:2400 TIME_WAIT 0
TCP home1:7070 localhost:2465 TIME_WAIT 0
TCP home1:7070 localhost:2429 TIME_WAIT 0
TCP home1:7070 localhost:2369 TIME_WAIT 0
TCP home1:7070 localhost:2421 TIME_WAIT 0
TCP home1:7070 localhost:2409 TIME_WAIT 0
TCP home1:7070 localhost:2361 TIME_WAIT 0
TCP home1:7070 localhost:2441 TIME_WAIT 0
TCP home1:7070 localhost:2425 TIME_WAIT 0
TCP home1:7070 localhost:2431 TIME_WAIT 0

I have unticked the use proxy now in IE.
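The two posts above together show the pattern that matters here: the HijackThis R1 line sets IE's ProxyServer to localhost:7070, and `netstat -b` shows nfra.exe (started from the HKCU Run key) bound to that port while holding its own connections to 82.98.193.167, so the browser's traffic is being relayed through an unknown local process. As an added example that is not part of the thread, of HijackThis or of netstat, the following Python script parses both outputs and correlates them; its sample input is constructed from the lines posted above.

```python
"""Correlate a HijackThis log with `netstat -b` output to spot a local
proxy hijack: a browser ProxyServer setting that points at localhost, the
process bound to that port, and the autorun entry that starts it.

Added example written for this thread (not part of HijackThis or any other
tool). The two samples below are constructed from lines posted above."""
import re

# Constructed sample: the relevant lines from the HijackThis log above.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [nfra] c:\windows\nfra.exe
O20 - Winlogon Notify: __c00C87CA - C:\WINDOWS\system32\__c00C87CA.dat
"""

# Constructed sample: trimmed `netstat -b` output in the layout posted above
# (a [process] line names the owner of the connection lines just before it).
NETSTAT = r"""
TCP home1:2478 82.98.193.167:http ESTABLISHED 3376
[nfra.exe]

TCP home1:2479 localhost:7070 ESTABLISHED 3636
[IEXPLORE.EXE]

TCP home1:7070 localhost:2479 ESTABLISHED 3376
[nfra.exe]

TCP home1:7070 localhost:2405 TIME_WAIT 0
"""

LOOPBACK = {"localhost", "127.0.0.1"}
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (.+)$", re.M)
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$")
PROC_RE = re.compile(r"^\[(.+?)\]$")


def proxy_targets(hjt_text):
    """Return (scheme, host, port) for every ProxyServer entry in the log."""
    targets = []
    for m in PROXY_RE.finditer(hjt_text):
        for item in m.group(1).split(";"):
            scheme, _, hostport = item.strip().rpartition("=")
            host, _, port = hostport.rpartition(":")
            targets.append((scheme or "all", host.lower(), int(port)))
    return targets


def _exe_name(command):
    """Lower-case basename of the executable in a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        path = command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_entries(hjt_text):
    """Map executable basename -> (hive, value name, command) for O4 Run lines."""
    entries = {}
    for line in hjt_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[_exe_name(command)] = (hive, name, command)
    return entries


def netstat_bindings(netstat_text):
    """Parse `netstat -b` into dicts; PID-0 entries (TIME_WAIT) have no owner."""
    conns, pending = [], []
    for raw in netstat_text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            entry = {"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid), "process": None}
            conns.append(entry)
            if entry["pid"] != 0:
                pending.append(entry)
            continue
        m = PROC_RE.match(line)
        if m:
            for entry in pending:
                entry["process"] = m.group(1).lower()
            pending = []
    return conns


def local_proxy_findings(hjt_text, netstat_text):
    """For each loopback proxy setting, report the process serving that port,
    its autorun entry and the non-loopback peers the same process talks to."""
    conns = netstat_bindings(netstat_text)
    runs = run_entries(hjt_text)
    findings = []
    for scheme, host, port in proxy_targets(hjt_text):
        if host not in LOOPBACK:
            continue
        serving = [c for c in conns if c["process"] and c["local"].endswith(":%d" % port)]
        for proc in sorted({c["process"] for c in serving}):
            pids = sorted({c["pid"] for c in serving if c["process"] == proc})
            upstream = sorted({c["remote"] for c in conns if c["pid"] in pids
                               and c["remote"].rsplit(":", 1)[0].lower() not in LOOPBACK})
            findings.append({"scheme": scheme, "port": port, "process": proc,
                             "pids": pids, "autorun": runs.get(proc), "upstream": upstream})
    return findings


if __name__ == "__main__":
    for f in local_proxy_findings(HJT_LOG, NETSTAT):
        print("%s proxy -> localhost:%d served by %s (pids %s); autorun %s; upstream %s"
              % (f["scheme"], f["port"], f["process"], f["pids"], f["autorun"], f["upstream"]))
```

Run on the two samples it reports one finding: the http proxy on port 7070 is served by nfra.exe (PID 3376), which is started by the HKCU Run value "nfra" and is itself connected out to 82.98.193.167. On a real machine the same correlation is what turns "IE has a proxy set" into "this specific file is intercepting the browser", which is the file ComboFix later removes.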

#3 martyn (Topic Starter, Members, 50 posts)

Posted 26 February 2009 - 12:28 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

24/02/2009 18:29:07
mbam-log-2009-02-24 (18-29-07).txt

Scan type: Quick Scan
Objects scanned: 126749
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 11 March 2009 - 02:22 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 martyn (Topic Starter, Members, 50 posts)

Posted 12 March 2009 - 05:34 AM

Hi Panda, thanks for the help.

The only change I made is to keep disabling the proxy settings in IE before visiting sites.

ComboFix log below:
ComboFix 09-03-10.03 - lyn 2009-03-12 10:22:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.154 [GMT 0:00]
Running from: c:\documents and settings\lyn\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\nfra.exe
c:\windows\system32\__c00C87CA.dat

----- BITS: Possible infected sites -----

hxxp://auf-jeder.com
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-02-26 17:01 . 2009-02-26 17:01 <DIR> d-------- c:\program files\Trend Micro
2009-02-26 16:53 . 2009-02-26 16:53 <DIR> d-------- c:\documents and settings\alan\Application Data\Malwarebytes
2009-02-24 18:00 . 2009-02-24 18:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 18:00 . 2009-02-24 18:00 <DIR> d-------- c:\documents and settings\lyn\Application Data\Malwarebytes
2009-02-24 18:00 . 2009-02-24 18:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 18:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 18:00 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 17:37 . 2009-02-24 17:37 <DIR> d-------- c:\windows\ime
2009-02-24 17:36 . 2009-02-24 17:36 0 --a------ c:\windows\system32\nfr.assembly
2009-02-24 17:20 . 2009-02-24 17:20 <DIR> d-------- c:\windows\junk
2009-02-19 13:52 . 2008-04-14 00:12 26,112 --a------ c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 17:36 --------- d-----w c:\program files\Google
2009-02-19 13:54 --------- d-----w c:\program files\NavNT
2002-02-19 11:41 676,668 ----a-w c:\documents and settings\alan\ghost.exe
2002-02-19 10:41 428,920 ----a-w c:\documents and settings\alan\ghstwalk.exe
2001-11-30 09:36 270,768 ----a-w c:\documents and settings\alan\gdisk.exe
2008-10-24 09:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102420081025\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PPWebCap"="d:\program files\ScanSoft\PaperPort\PPWebCap.exe" [2001-10-15 43008]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-29 7626752]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"AspireService"="c:\program files\Acer\Acer eMode Management\AspireService.exe" [2006-08-12 110592]
"MediaSync"="c:\program files\Acer\Acer eConsole\MediaSync.exe" [2006-07-06 425984]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2006-07-27 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-21 77824]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2002-09-24 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"nwiz"="nwiz.exe" [2007-01-29 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-11 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfra
"7070:TCP"= 7070:TCP:nfra

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-nfra - c:\windows\nfra.exe
HKLM-Run-IMJPMIG8.1 - c:\windows\IME\imjp8_1\IMJPMIG.EXE
HKLM-Run-IMEKRMIG6.1 - c:\windows\ime\imkr6_1\IMEKRMIG.EXE
Notify-__c00C87CA - c:\windows\system32\__c00C87CA.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = http=localhost:7070
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 10:28:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Acer\Acer eConsole\MediaServerService.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-12 10:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 10:30:32

Pre-Run: 6,649,475,072 bytes free
Post-Run: 22,213,754,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

154 --- E O F --- 2009-02-26 16:43:12

#6 martyn (Topic Starter, Members, 50 posts)

Posted 12 March 2009 - 05:59 AM

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-03-12 10:57:08
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2032] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3180] kernel32.dll!CreateProcessW 7C802336 5 Bytes CALL 031F16B0 C:\WINDOWS\system32\APISlice.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes CALL 031F16B0 C:\WINDOWS\system32\APISlice.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3180] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3180] SHELL32.dll!DragQueryFileW 7CA18356 5 Bytes CALL 031F16B0 C:\WINDOWS\system32\APISlice.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3180] SHELL32.dll!DragQueryFile 7CA77D36 5 Bytes CALL 031F16B0 C:\WINDOWS\system32\APISlice.dll

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\alan\Favorites\Halifax - Investments - Fund Prices and Performance.url:favicon
ADS C:\Documents and Settings\alan\Favorites\john re blair\BBC NEWS In Pictures.url:favicon
ADS C:\Documents and Settings\alan\Favorites\john re blair\Goodbye Tony Blair, hello Gordon Brown Politics guardian.co.uk.url:favicon
ADS C:\Documents and Settings\alan\Favorites\woodturning\Image resizing, do it with PIXresizer.url:favicon
ADS C:\Documents and Settings\lyn\Desktop\MFInstall.exe:SummaryInformation
ADS C:\Documents and Settings\lyn\Desktop\MFInstall.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\lyn\Favorites\Council Tax Cashback Get 1000s rebated by forcing a rebanding.url:favicon
ADS C:\Documents and Settings\lyn\Favorites\FamilySearch Internet Genealogy Service.url:favicon
ADS C:\Documents and Settings\lyn\Favorites\Health\Disability Living Allowance and Attendance Allowance self assessment and information service.url:favicon
ADS C:\Documents and Settings\lyn\Favorites\holidays\Bed and Breakfast in England on AboutBritain.com.url:favicon
ADS C:\Documents and Settings\lyn\Favorites\holidays\http--www.enjoyengland.com-Images-Guest%20Accommodation%20Leaflet%20final_tcm21-62937.pdf.url:favicon
ADS ...

---- EOF - GMER 1.0.12 ----

#7 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 12 March 2009 - 07:24 AM

Hello.

Let's see what we can do.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\stu2.exe
    
    Dirlook::
    c:\windows\junk
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "80:TCP"=-
    "7070:TCP"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
How is it running now?

With Regards,
The Panda
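To make the Registry:: directive in the script above concrete: ComboFix both prints registry data and accepts fix scripts in REGEDIT4 syntax, where `"name"=-` deletes a value and `[-key]` deletes a whole key. The Python example below is added here and is not ComboFix's own code; its firewall-policy section and script text are constructed from the earlier ComboFix log (EnableFirewall = 0, and the two GloballyOpenPorts entries labelled nfra) and from the CFScript in this post. It parses the sections, flags the disabled firewall and the open-port exceptions, applies the script's deletions and re-audits, so you can see exactly what the `=-` lines remove and what they leave alone.

```python
"""Audit the Windows Firewall policy keys that ComboFix prints in REGEDIT4
style, then apply the deletions from a CFScript Registry:: block to show
exactly which entries it removes.

Added example written for this thread (not ComboFix's code). The two
samples below are constructed from the log and the script posted above."""
import re

# Constructed sample: the firewall-policy section of the earlier ComboFix log.
FIREWALL_SECTION = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfra
"7070:TCP"= 7070:TCP:nfra
"""

# Constructed sample: the CFScript from the post above.
CFSCRIPT = r"""
File::
c:\windows\system32\stu2.exe

Dirlook::
c:\windows\junk

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=-
"7070:TCP"=-
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_regedit4(text):
    """Return {key: {name: value}}. A key written [-key] is stored with a
    leading '-' and a value written "name"=- is stored as '-' (both mean delete)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) + m.group(2)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg syntax doubles backslashes inside quoted names; undo that.
            keys[current][m.group(1).replace("\\\\", "\\")] = m.group(2).strip()
    return keys


def cfscript_block(script_text, directive):
    """Return the body of one CFScript directive block (e.g. 'Registry') as text."""
    body, inside = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            inside = m.group(1).lower() == directive.lower()
            continue
        if inside and line:
            body.append(line)
    return "\n".join(body)


def apply_registry_block(state, block_text):
    """Apply REGEDIT4 edits to a copy of state: [-key] removes the key,
    "name"=- removes a value, anything else sets the value."""
    result = {key: dict(values) for key, values in state.items()}
    for key, values in parse_regedit4(block_text).items():
        if key.startswith("-"):
            result.pop(key[1:], None)
            continue
        target = result.setdefault(key, {})
        for name, value in values.items():
            if value == "-":
                target.pop(name, None)
            else:
                target[name] = value
    return result


def audit_firewall(state):
    """Flag a disabled profile firewall and every globally open port, keeping
    the trailing label ('nfra' here) that ComboFix shows for the exception."""
    findings = []
    for key, values in state.items():
        low = key.lower()
        if low.endswith("standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("firewall_disabled", key, "EnableFirewall", values["EnableFirewall"]))
        if low.endswith(r"globallyopenports\list"):
            for name, value in values.items():
                label = value.split(":", 2)[2] if value.count(":") >= 2 else value
                findings.append(("open_port", key, name, label))
    return findings


if __name__ == "__main__":
    before = parse_regedit4(FIREWALL_SECTION)
    after = apply_registry_block(before, cfscript_block(CFSCRIPT, "Registry"))
    for finding in audit_firewall(before):
        print("before:", finding)
    for finding in audit_firewall(after):
        print("after: ", finding)
```

Before the script is applied the audit reports the disabled firewall plus the 80:TCP and 7070:TCP exceptions, both labelled nfra; afterwards only the disabled-firewall finding remains, which is why re-enabling the firewall is a separate step from removing the exceptions the malware added for itself.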

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 18 March 2009 - 09:15 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:41 AM

Posted 18 March 2009 - 05:11 PM

Reopened.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:41 AM

Posted 27 March 2009 - 07:13 AM

You still there?

#11 martyn

martyn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 27 March 2009 - 03:29 PM

running logs now :thumbup2:

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:41 AM

Posted 27 March 2009 - 03:38 PM

Okay.

#13 martyn

martyn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 27 March 2009 - 03:53 PM

ComboFix 09-03-26.03 - lyn 2009-03-27 20:33:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.191 [GMT 0:00]
Running from: c:\documents and settings\lyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lyn\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\stu2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\stu2.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-12 10:36 . 2009-03-12 10:36 250 --a------ c:\windows\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 17:01 --------- d-----w c:\program files\Trend Micro
2009-02-26 16:53 --------- d-----w c:\documents and settings\alan\Application Data\Malwarebytes
2009-02-24 18:00 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-24 18:00 --------- d-----w c:\documents and settings\lyn\Application Data\Malwarebytes
2009-02-24 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 17:36 --------- d-----w c:\program files\Google
2009-02-19 13:54 --------- d-----w c:\program files\NavNT
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2002-09-24 08:24 61,440 ----a-w c:\windows\inf\i386\onetUSD.dll
2002-08-19 07:46 36,864 ----a-w c:\windows\inf\i386\Vizmicro.dll
2002-05-16 09:21 286,720 ----a-w c:\windows\inf\i386\rtscan.dll
2002-05-16 09:20 172,032 ----a-w c:\windows\inf\i386\viceo.dll
2002-02-19 11:41 676,668 ----a-w c:\documents and settings\alan\ghost.exe
2002-02-19 10:41 428,920 ----a-w c:\documents and settings\alan\ghstwalk.exe
2001-11-30 09:36 270,768 ----a-w c:\documents and settings\alan\gdisk.exe
2001-08-03 18:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
2008-10-24 09:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102420081025\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\junk ----

2008-04-14 00:12 250368 --a------ c:\windows\junk\ime\sptip.dll
2008-04-14 00:12 130048 --a------ c:\windows\junk\ime\softkbd.dll
2008-04-14 00:11 86073 --a------ c:\windows\junk\ime\imjp8_1\applets\voicesub.dll
2008-04-14 00:11 426041 --a------ c:\windows\junk\ime\imjp8_1\applets\voicepad.dll
2008-04-14 00:11 220160 --a------ c:\windows\junk\ime\mscandui.dll
2008-04-14 00:10 53760 --a------ c:\windows\junk\ime\chsime\applets\pintlcsd.dll
2008-04-14 00:10 175104 --a------ c:\windows\junk\ime\chsime\applets\pintlcsa.dll
2008-04-14 00:10 15872 --a------ c:\windows\junk\ime\shared\res\padrs404.dll
2008-04-14 00:10 15360 --a------ c:\windows\junk\ime\shared\res\padrs804.dll
2008-04-14 00:09 97792 --a------ c:\windows\junk\ime\CHTIME\Applets\chtmbx.dll
2008-04-14 00:09 86016 --a------ c:\windows\junk\ime\imkr6_1\applets\imekrmbx.dll
2008-04-14 00:09 81976 --a------ c:\windows\junk\ime\imjp8_1\imjpdct.dll
2008-04-14 00:09 716856 --a------ c:\windows\junk\ime\imjp8_1\imjpcus.dll
2008-04-14 00:09 56320 --a------ c:\windows\junk\ime\CHTIME\Applets\chtskdic.dll
2008-04-14 00:09 368696 --a------ c:\windows\junk\ime\imjp8_1\imjpcic.dll
2008-04-14 00:09 315455 --a------ c:\windows\junk\ime\imjp8_1\applets\imskf.dll
2008-04-14 00:09 274489 --a------ c:\windows\junk\ime\imjp8_1\imjputyc.dll
2008-04-14 00:09 173568 --a------ c:\windows\junk\ime\CHTIME\Applets\chtskf.dll
2008-04-14 00:09 13463552 --a------ c:\windows\junk\ime\imjp8_1\applets\hwxjpn.dll
2008-04-14 00:09 106496 --a------ c:\windows\junk\ime\imkr6_1\imekrcic.dll
2008-04-14 00:09 102456 --a------ c:\windows\junk\ime\shared\imlang.dll
2008-04-13 16:43 62976 --a------ c:\windows\junk\ime\spgrmr.dll
2004-08-04 05:00 987495 --a------ c:\windows\junk\ime\imjp8_1\HELP\jpnpaden.chm
2004-08-04 05:00 987334 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpdte.chm
2004-08-04 05:00 987136 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpln.dic
2004-08-04 05:00 9605 --a------ c:\windows\junk\ime\imjp8_1\imjpinst.ini
2004-08-04 05:00 9588736 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpzp.dic
2004-08-04 05:00 847872 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjptk.dic
2004-08-04 05:00 842399 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpsme.chm
2004-08-04 05:00 84149 --a------ c:\windows\junk\ime\CHTIME\Applets\CHTAPT.HLP
2004-08-04 05:00 83082 --a------ c:\windows\junk\ime\CHTIME\Applets\CHTAPTEN.HLP
2004-08-04 05:00 815104 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpgn.grm
2004-08-04 05:00 81368 --a------ c:\windows\junk\ime\shared\imepaden.hlp
2004-08-04 05:00 785668 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpsm.chm
2004-08-04 05:00 71284 --a------ c:\windows\junk\ime\imkr6_1\HELP\impdko61.chm
2004-08-04 05:00 71211 --a------ c:\windows\junk\ime\imjp8_1\HELP\voiceeng.chm
2004-08-04 05:00 69728 --a------ c:\windows\junk\ime\imjp8_1\HELP\voicejp.chm
2004-08-04 05:00 67167 --a------ c:\windows\junk\ime\imkr6_1\HELP\imkren61.chm
2004-08-04 05:00 66236 --a------ c:\windows\junk\ime\imkr6_1\HELP\imkr61.chm
2004-08-04 05:00 6048 --a------ c:\windows\junk\ime\imkr6_1\imkrinst.ini
2004-08-04 05:00 59904 --a------ c:\windows\junk\ime\imkr6_1\imkrinst.exe
2004-08-04 05:00 57399 --a------ c:\windows\junk\ime\imjp8_1\cplexe.exe
2004-08-04 05:00 57398 --a------ c:\windows\junk\ime\imjp8_1\imjpdadm.exe
2004-08-04 05:00 52616 --a------ c:\windows\junk\ime\imkr6_1\HELP\korpaden.chm
2004-08-04 05:00 509036 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjptu.chm
2004-08-04 05:00 49152 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpch.dic
2004-08-04 05:00 490306 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpcle.hlp
2004-08-04 05:00 487472 --a------ c:\windows\junk\ime\chsime\applets\PINTLCSK.DIC
2004-08-04 05:00 475291 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpcl.hlp
2004-08-04 05:00 471102 --a------ c:\windows\junk\ime\imjp8_1\applets\imskdic.dll
2004-08-04 05:00 462929 --a------ c:\windows\junk\ime\CHTIME\Applets\CHTSKDIC.DIC
2004-08-04 05:00 45109 --a------ c:\windows\junk\ime\imjp8_1\imjpuex.exe
2004-08-04 05:00 44032 --a------ c:\windows\junk\ime\imkr6_1\imekrmig.exe
2004-08-04 05:00 381209 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpsme.hlp
2004-08-04 05:00 36927 --a------ c:\windows\junk\ime\shared\res\padrs411.dll
2004-08-04 05:00 36864 --a------ c:\windows\junk\ime\imkr6_1\dicts\hanjadic.dll
2004-08-04 05:00 311359 --a------ c:\windows\junk\ime\shared\imepadsv.exe
2004-08-04 05:00 307257 --a------ c:\windows\junk\ime\imjp8_1\imjpdct.exe
2004-08-04 05:00 289171 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpsm.hlp
2004-08-04 05:00 262200 --a------ c:\windows\junk\ime\imjp8_1\imjputy.exe
2004-08-04 05:00 233527 --a------ c:\windows\junk\ime\imjp8_1\imjprw.exe
2004-08-04 05:00 229439 --a------ c:\windows\junk\ime\imjp8_1\applets\multibox.dll
2004-08-04 05:00 208952 --a------ c:\windows\junk\ime\imjp8_1\imjpmig.exe
2004-08-04 05:00 196665 --a------ c:\windows\junk\ime\imjp8_1\imjpinst.exe
2004-08-04 05:00 174803 --a------ c:\windows\junk\ime\chsime\applets\PINTLCSD.DIC
2004-08-04 05:00 17374 --a------ c:\windows\junk\ime\imkr6_1\HELP\imkren61.hlp
2004-08-04 05:00 16741 --a------ c:\windows\junk\ime\imkr6_1\HELP\imkr61.hlp
2004-08-04 05:00 155705 --a------ c:\windows\junk\ime\imjp8_1\imjpdsvr.exe
2004-08-04 05:00 14688256 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpst.dic
2004-08-04 05:00 143422 --a------ c:\windows\junk\ime\imjp8_1\applets\softkey.dll
2004-08-04 05:00 14336 --a------ c:\windows\junk\ime\shared\res\padrs412.dll
2004-08-04 05:00 134339 --a------ c:\windows\junk\ime\imkr6_1\dicts\imekr.lex
2004-08-04 05:00 131072 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpsb.dic
2004-08-04 05:00 110637 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpcd.dic
2004-08-04 05:00 108827 --a------ c:\windows\junk\ime\imkr6_1\dicts\hanja.lex
2004-08-04 05:00 1086413 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpcl.chm
2004-08-04 05:00 108452 --a------ c:\windows\junk\ime\CHTIME\Applets\CHTAPT.CHM
2004-08-04 05:00 107855 --a------ c:\windows\junk\ime\CHTIME\Applets\CHTPADEN.CHM
2004-08-04 05:00 10653696 --a------ c:\windows\junk\ime\imjp8_1\DICTS\imjpnm.dic
2004-08-04 05:00 1046466 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpdt.chm
2004-08-04 05:00 1045992 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjppd.chm
2004-08-04 05:00 1034829 --a------ c:\windows\junk\ime\imjp8_1\HELP\imjpcle.chm
2004-08-04 05:00 102463 --a------ c:\windows\junk\ime\shared\imepadsm.dll
2004-08-04 05:00 10129408 --a------ c:\windows\junk\ime\imkr6_1\applets\hwxkor.dll
2004-08-04 05:00 10096640 --a------ c:\windows\junk\ime\CHTIME\Applets\HWXCHT.DLL


((((((((((((((((((((((((((((( SnapShot@2009-03-12_10.29.50.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-12 10:36:27 565,311 ----a-w c:\windows\gmer.dll
+ 2006-11-28 15:23:32 573,440 ----a-r c:\windows\gmer.exe
+ 2009-03-12 10:36:27 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PPWebCap"="d:\program files\ScanSoft\PaperPort\PPWebCap.exe" [2001-10-15 43008]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-29 7626752]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"AspireService"="c:\program files\Acer\Acer eMode Management\AspireService.exe" [2006-08-12 110592]
"MediaSync"="c:\program files\Acer\Acer eConsole\MediaSync.exe" [2006-07-06 425984]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2006-07-27 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-21 77824]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2002-09-24 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"nwiz"="nwiz.exe" [2007-01-29 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-11 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\ScanSoft\\PaperPort\\NAVBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = http=localhost:7070
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 20:35:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-03-27 20:36:58
ComboFix-quarantined-files.txt 2009-03-27 20:36:44
ComboFix2.txt 2009-03-12 10:30:39

Pre-Run: 22,222,086,144 bytes free
Post-Run: 22,212,218,880 bytes free

213 --- E O F --- 2009-02-26 16:43:12
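The log above still shows the two settings the CFScript targeted: a disabled Standard Profile firewall and an Internet Settings ProxyServer pointing at localhost:7070, the same port the GloballyOpenPorts exception was opened for. The following is an added example, not code from the thread or from ComboFix, of how a responder can triage ComboFix-style log lines for that pattern automatically. The sample log text is constructed from the values shown in this thread; the GloballyOpenPorts value data strings are assumed, since the thread only shows those names in the deletion script.

```python
"""Triage of ComboFix-style log lines for proxy and firewall tampering.

Added example, not part of the thread or of ComboFix. It parses the
"[key]" / "name"=data registry blocks and the "uInternet Settings,ProxyServer"
line in the format ComboFix prints, then flags a loopback proxy and any firewall
profile that is disabled or has open-port exceptions, pairing the two when the
ports match.
"""
import re

# Constructed sample: a subset of the values seen in the thread. The value data
# after the GloballyOpenPorts names is assumed (the thread shows only the names).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"="80:TCP:*:Enabled:web"
"7070:TCP"="7070:TCP:*:Enabled:proxy"

uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7070
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
PROXY_RE = re.compile(r'^u?Internet Settings,ProxyServer\s*=\s*(?P<data>.+)$')
LOOPBACK_PREFIXES = ('localhost', '127.', '::1')


def parse_registry_blocks(text):
    """Return {key_path: {value_name: data}} from [key] and "name"=data lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group('name')] = m.group('data').strip()
    return blocks


def parse_proxy_servers(text):
    """Return [(scheme, host, port)] from a ProxyServer line.

    Handles both the plain 'host:port' form and the per-scheme
    'http=host:port;https=host:port' form that Internet Settings uses.
    """
    found = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for part in filter(None, (p.strip() for p in m.group('data').split(';'))):
            scheme, _, hostport = part.rpartition('=')   # scheme is '' when absent
            if ':' in hostport:
                host, _, port_s = hostport.rpartition(':')
            else:
                host, port_s = hostport, ''
            port = int(port_s) if port_s.isdigit() else None
            found.append((scheme or '*', host, port))
    return found


def triage(text):
    """Return human-readable findings for loopback proxies and firewall changes."""
    findings = []
    loopback_ports = set()
    for scheme, host, port in parse_proxy_servers(text):
        if host.lower().startswith(LOOPBACK_PREFIXES):
            loopback_ports.add(port)
            findings.append(f"proxy: {scheme} traffic routed through loopback {host}:{port}")
    for key, values in parse_registry_blocks(text).items():
        k = key.lower()
        if k.endswith('firewallpolicy\\standardprofile') and \
                values.get('EnableFirewall', '').startswith('0'):
            findings.append(f"firewall: standard profile disabled ({key})")
        if k.endswith('globallyopenports\\list'):
            for name in values:                      # names look like "7070:TCP"
                port_s = name.partition(':')[0]
                if not port_s.isdigit():
                    continue
                if int(port_s) in loopback_ports:
                    findings.append(f"firewall: globally open port {name} matches loopback proxy port")
                else:
                    findings.append(f"firewall: globally open port {name}")
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run on the constructed sample it reports the loopback proxy, the disabled profile, the open port 80, and open port 7070 flagged as matching the proxy port. A ProxyServer that points at a non-loopback host, as a normal corporate proxy would, produces no proxy finding, so the check does not fire on ordinary configurations.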

#14 martyn

martyn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 27 March 2009 - 04:03 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

27/03/2009 21:00:59
mbam-log-2009-03-27 (21-00-59).txt

Scan type: Quick Scan
Objects scanned: 76401
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 martyn

martyn
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 27 March 2009 - 04:10 PM

One additional issue we have is that every time we load Internet Explorer, an msiexec.exe instance loads regarding MS Office - see attached jpg.
I've not got the CDs here to put into the PC (they're back at home boxed up following a house move). Unless you can see any other reason for this, I'll just bring the CD over at some point and load it in.

Attached Files

  • Attached File  p.jpg   30.24KB   1 downloads
