
HijackThis Log - Nasty Spyware


9 replies to this topic

#1 thecourtenayboy

  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 17 April 2009 - 08:06 AM

A friend has been borrowing my laptop and has somehow managed to get a nasty bit of spyware onto it. There's a prompt in the system tray to buy/get some sort of anti-spyware software to fix the problem, which is annoying. And when visiting webpages you often get re-directed to dodgy search sites and the apparent solution to spyware software site, can't remember the name, think it's spywaregator or something like that.

Anyway, I've tried fixing the problem in safe mode via Remote Desktop, and had no joy. Spybot wouldn't even run; it seems that the spyware is stopping it from loading up somehow. Have tried a few other things, but no joy. I got my friend to run HijackThis, here's the log, hope you clever guys can help =)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:25:29, on 17/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TSC\tsc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Emma\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [5E78EFBB95AF9B79436C50E823EC64BA] C:\Program Files\TSC\tsc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3749F98C-123A-403D-85F0-EADB1A32347A}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3C90E81-A7A6-45DE-AA51-916E325EB723}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE

--
End of file - 9515 bytes
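The O17 lines in the log above set the same two NameServer addresses on every network interface and in every saved control set (CCS, CS1 and CS3), which is one of the first places to look when a machine shows the random search redirects described in this thread. As an added example that is not part of the original post, this Python script pulls the O17 entries out of a HijackThis log and flags any resolver that is not on an allowlist; the allowlist and the one clean 192.168.1.1 line in the sample are constructed assumptions, the other sample lines are copied from the log.

```python
"""Extract DNS resolver settings from a HijackThis log and flag resolvers
that are not on an allowlist.

Added example, not part of the forum post. The 85.255.112.x lines in
SAMPLE_LOG are copied from the HijackThis log in this thread; the final
192.168.1.1 line and the EXPECTED_RESOLVERS allowlist are constructed
assumptions and would be replaced with the ISP's or router's real DNS.
"""
import ipaddress
import re
from dataclasses import dataclass

# O17 - HKLM\System\<control set>\Services\Tcpip\<scope>: NameServer = a,b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>[^:]+): NameServer = (?P<servers>.+)$"
)

# Constructed allowlist: the resolvers this network's clients should use.
EXPECTED_RESOLVERS = (
    ipaddress.ip_network("192.168.0.0/16"),  # typical home router / DHCP
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
)

# Four lines copied from the thread's log plus one constructed clean entry.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3749F98C-123A-403D-85F0-EADB1A32347A}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""


@dataclass(frozen=True)
class NameServerEntry:
    control_set: str  # CCS (CurrentControlSet), CS1, CS3, ...
    scope: str        # "Parameters" (global) or "..\{interface GUID}"
    servers: tuple    # resolver addresses as strings, in listed order


def parse_o17(log_text: str) -> list:
    """Return one NameServerEntry per O17 line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s.strip() for s in m.group("servers").split(","))
        entries.append(NameServerEntry(m.group("cs"), m.group("scope"), servers))
    return entries


def is_expected(server: str) -> bool:
    """True if the resolver falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP address at all: treat as suspicious
    return any(addr in net for net in EXPECTED_RESOLVERS)


def suspicious_resolvers(log_text: str) -> dict:
    """Map each resolver not on the allowlist to the control sets it
    appears in. A resolver present in CS1/CS3 as well as CCS has been
    written into the saved configurations too, so booting 'Last Known
    Good Configuration' would not undo it."""
    found = {}
    for entry in parse_o17(log_text):
        for server in entry.servers:
            if not is_expected(server):
                found.setdefault(server, set()).add(entry.control_set)
    return found


if __name__ == "__main__":
    for server, sets in sorted(suspicious_resolvers(SAMPLE_LOG).items()):
        print(f"{server}: not on allowlist; set in {', '.join(sorted(sets))}")
```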



#2 thecourtenayboy
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 17 April 2009 - 12:39 PM

I've now got the laptop in front of me and so have done a DDS scan too. I've attached the results.

Attached File: DDS.txt (9KB)
Attached File: Attach.txt (10.92KB)

Edited by thecourtenayboy, 17 April 2009 - 12:40 PM.


#3 thecourtenayboy
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 17 April 2009 - 01:05 PM

I've also now discovered that Nod32 fails to load on startup. I also tried doing an online ESET scan but the malware seems to be stopping that from working too. I have tried installing and running Malwarebytes and that fails to load as well!

When browsing the web it redirects to various sites... I just clicked on a link to safer-network.org and in the browser I noticed that it started loading js.doubleclick.net and then it starts loading info-feed.com before redirecting to different sites, mostly the same 4 or 5 sites randomised each time.

Edited by thecourtenayboy, 17 April 2009 - 01:09 PM.


#4 thecourtenayboy
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 18 April 2009 - 06:57 AM

OMG, I am seriously cheesed off right now! Was helping my Mum with something on her pc this morning and she's got the exact same infection too! When searching on google and then clicking on a link to flickr it did the js.doubleclick.net followed by info-feed.com thing in the status bar and then launched a site called ad.right-ads.com/....

It doesn't happen every time you click on a link, it seems to be randomised, like every 3 or 4 times you click on a link it will take you to a dodgy page. And once again, Spybot failed to load on my Mum's machine too... I'm scared!

#5 fenzodahl512
  • Members
  • 6,738 posts

Posted 18 April 2009 - 07:04 AM

Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 thecourtenayboy
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 18 April 2009 - 11:25 AM

I ran The_Comedian.exe which did its thing, but still the same problem, Malwarebytes just won't run.

#7 fenzodahl512
  • Members
  • 6,738 posts

Posted 18 April 2009 - 01:56 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#8 thecourtenayboy
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Hertfordshire

Posted 19 April 2009 - 12:15 PM

ComboFix 09-04-19.05 - Margarita Courtenay 19/04/2009 17:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.510.275 [GMT 1:00]
Running from: c:\file transfer\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Resident AV is active

.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcqinvpyxeoaxthxfsobwucxiuxnbeeatf.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcfuynmflewiespkusyxabtovcbrpdvikt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-18 16:51 . 2009-04-18 16:51 -------- d-----w c:\documents and settings\Margarita Courtenay\Local Settings\Application Data\ESET
2009-04-18 16:22 . 2009-04-18 16:22 -------- d-----w c:\program files\ERUNT
2009-04-18 16:11 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 16:11 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 16:11 . 2009-04-18 16:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 16:11 . 2009-04-18 16:11 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-18 16:06 . 2009-04-18 16:24 -------- d-----w C:\Rooter$
2009-04-18 15:56 . 2009-04-18 15:56 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-18 12:18 . 2009-04-18 12:19 -------- d-----w c:\documents and settings\Margarita Courtenay\Application Data\HouseCall 6.6
2009-04-14 20:51 . 2009-04-15 18:25 -------- d-----w c:\program files\Training Manager 2008 Enterprise
2009-04-09 20:06 . 2009-04-09 20:06 -------- d-----w c:\documents and settings\Margarita Courtenay\Local Settings\Application Data\Kaizen_Software_Solutions
2009-04-09 20:06 . 2009-04-09 20:08 -------- d-----w c:\documents and settings\All Users\Application Data\TrainingManager
2009-04-09 20:06 . 2009-04-14 20:50 -------- d-----w c:\program files\Training Manager 2008 Standard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 17:00 . 2008-02-10 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-04-19 16:54 . 2007-08-17 15:48 -------- d-----w c:\documents and settings\Margarita Courtenay\Application Data\Skype
2009-04-19 11:10 . 2007-01-22 17:47 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-18 22:42 . 2008-03-20 20:26 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-18 22:42 . 2008-03-20 20:26 232 ---ha-w C:\sqmdata14.sqm
2009-04-18 19:17 . 2008-03-19 22:50 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-18 19:17 . 2008-03-19 22:50 232 ---ha-w C:\sqmdata13.sqm
2009-04-18 17:38 . 2008-03-18 22:48 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-18 17:38 . 2008-03-18 22:48 232 ---ha-w C:\sqmdata12.sqm
2009-04-18 16:26 . 2008-03-18 21:25 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-18 16:26 . 2008-03-18 21:25 232 ---ha-w C:\sqmdata11.sqm
2009-04-18 16:24 . 2009-04-18 16:06 3674 ----a-w C:\Rooter.txt
2009-04-16 20:44 . 2008-03-17 22:28 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-16 20:44 . 2008-03-17 22:28 232 ---ha-w C:\sqmdata10.sqm
2009-04-16 20:12 . 2008-03-16 21:36 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-16 20:12 . 2008-03-16 21:36 232 ---ha-w C:\sqmdata09.sqm
2009-04-15 19:50 . 2008-03-16 08:57 232 ---ha-w C:\sqmdata08.sqm
2009-04-15 19:50 . 2008-03-16 08:57 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-14 20:57 . 2008-03-15 22:04 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-14 20:57 . 2008-03-15 22:04 232 ---ha-w C:\sqmdata07.sqm
2009-04-13 18:31 . 2008-03-14 21:48 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-13 18:31 . 2008-03-14 21:48 232 ---ha-w C:\sqmdata06.sqm
2009-04-13 12:41 . 2008-03-13 21:59 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-13 12:41 . 2008-03-13 21:59 232 ---ha-w C:\sqmdata05.sqm
2009-04-13 12:38 . 2007-07-29 16:45 -------- d-----w c:\program files\Java
2009-04-12 23:34 . 2008-03-11 21:10 244 ---ha-w C:\sqmnoopt04.sqm
2009-04-12 23:34 . 2008-03-11 21:10 232 ---ha-w C:\sqmdata04.sqm
2009-04-12 16:37 . 2008-03-10 22:12 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-12 16:37 . 2008-03-10 22:12 232 ---ha-w C:\sqmdata03.sqm
2009-04-09 20:16 . 2008-03-09 22:01 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-09 20:16 . 2008-03-09 22:01 232 ---ha-w C:\sqmdata02.sqm
2009-04-05 19:13 . 2008-03-08 20:26 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-05 19:13 . 2008-03-08 20:26 232 ---ha-w C:\sqmdata01.sqm
2009-04-04 19:48 . 2008-02-22 14:26 244 ---ha-w C:\sqmnoopt00.sqm
2009-04-04 19:48 . 2008-02-22 14:26 232 ---ha-w C:\sqmdata00.sqm
2009-03-31 21:33 . 2008-03-23 19:23 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-31 21:33 . 2008-03-23 19:23 232 ---ha-w C:\sqmdata19.sqm
2009-03-30 20:24 . 2008-03-23 09:27 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-30 20:24 . 2008-03-23 09:27 232 ---ha-w C:\sqmdata18.sqm
2009-03-30 16:06 . 2008-03-22 14:36 232 ---ha-w C:\sqmdata17.sqm
2009-03-30 16:06 . 2008-03-22 14:36 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-29 19:39 . 2008-03-21 20:01 232 ---ha-w C:\sqmdata16.sqm
2009-03-29 19:39 . 2008-03-21 20:01 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-29 13:20 . 2008-03-21 07:02 244 ---ha-w C:\sqmnoopt15.sqm
2009-03-29 13:20 . 2008-03-21 07:02 232 ---ha-w C:\sqmdata15.sqm
2009-03-10 19:04 . 2008-05-04 21:14 -------- d-----w c:\program files\VoipCheapCom
2009-03-09 04:19 . 2008-12-21 13:20 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 21:34 . 2005-03-06 16:16 521 ----a-w C:\hpfr3420.xml
2009-03-05 21:34 . 2005-03-06 16:16 237116 ----a-w C:\hpfr3420.log
2009-02-28 20:13 . 2005-03-05 18:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-24 18:03 . 2005-03-05 18:11 18240 ----a-w c:\documents and settings\Margarita Courtenay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 13:56 . 2008-09-15 13:56 142 ----a-w c:\documents and settings\Margarita Courtenay\Local Settings\Application Data\fusioncache.dat
2008-01-24 21:56 . 2008-01-24 21:56 185 ---ha-w c:\documents and settings\All Users\Application Data\hpothb07.dat
2008-01-24 21:56 . 2008-01-24 21:56 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2005-03-18 12:52 . 2005-03-18 12:52 0 ---ha-w c:\documents and settings\Margarita Courtenay\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-17 23120680]
"VoipCheapCom"="c:\program files\voipcheapcom\voipcheapcom.exe" [2008-09-14 9218872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2006-01-05 489472]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2006-01-05 07:15 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MSN Messenger 7.0.lnk - c:\windows\Installer\{ABEB838C-A1A7-4C5D-B7E1-8B4314600429}\MsblIco.Exe [2005-3-19 22798]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\ABIT\\ABITEQ\\ABITEQ.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58584:TCP"= 58584:TCP:skype 58584
"58584:UDP"= 58584:UDP:skype 58584

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-31 77312]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-10-24 34824]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60d592c2-3bf7-11d8-8c3f-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{937f6c02-5af1-11db-a314-00508d6a4d0e}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7935b88-6114-11db-a31d-00508d6a4d0e}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2005-06-10 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1100 series5E771253C1676EBED677BF361FDFC537825E15B8110051264.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Margarita Courtenay\Application Data\Mozilla\Firefox\Profiles\hlnmd5vb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 18:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcqinvpyxeoaxthxfsobwucxiuxnbeeatf.sys"
.
Completion time: 2009-04-19 18:03
ComboFix-quarantined-files.txt 2009-04-19 17:02

Pre-Run: 46,855,368,704 bytes free
Post-Run: 46,849,519,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

190 --- E O F --- 2008-12-20 10:50

#9 fenzodahl512
  • Members
  • 6,738 posts

Posted 19 April 2009 - 10:17 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
gxvxcserv.sys

Rootkit::
C:\Windows\system32\drivers\gxvxcqinvpyxeoaxthxfsobwucxiuxnbeeatf.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60d592c2-3bf7-11d8-8c3f-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{937f6c02-5af1-11db-a314-00508d6a4d0e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7935b88-6114-11db-a31d-00508d6a4d0e}]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gxvxcserv.sys]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#10 fenzodahl512
  • Members
  • 6,738 posts

Posted 24 April 2009 - 08:19 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
