Malware or possible rootkit.. Not sure HELP PLEASE !


This topic is locked
18 replies to this topic

#1 mpis
  • Members
  • 8 posts

Posted 01 December 2010 - 01:46 AM

Hello,

I have used just about every program that I can find to locate this problem. I'm sure that this is
adware, as when you search Google or Bing and click a link, it redirects to an adware or advertisement page.

Here is what I get from hijackthis.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:34:46:AM, on 12/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lock My PC 4\lockpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Documents and Settings\admin\Application Data\SysWin\lsass.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
C:\WINDOWS\system32\itircl32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\dimap32.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SmartFTP Client\SmartFTP.exe
F:\pmmail\PMMailw.exe
F:\frontpage\OFFICE11\FRONTPG.EXE
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\XoftSpySE6\XoftSpySE.exe
C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
F:\firefox3----0\firefox.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {014D683E-A429-4CA6-BCAD-76E46E79E0Ed} - C:\WINDOWS\system32\aticalrt32.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute Renaissance/contributeieplugin.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: d155dff7 - {45C23DF4-F2F4-F7CB-BC41-2454ABA2BBA6} - C:\WINDOWS\system32\kbdkyr32.dll
O2 - BHO: (no name) - {4FC15D7D-11FA-4CD1-BB7D-04D5CBDCED27} - (no file)
O2 - BHO: (no name) - {55CA7F49-50CC-4E19-B383-A513BF5781CB} - (no file)
O2 - BHO: (no name) - {8D4B0B34-B85D-4BD2-A9D4-C6A78BE80F22} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {93794588-38B9-4DE5-92F5-ED35E26BBF99} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute Renaissance/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\admin\Application Data\SysWin\lsass.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WhiteSmoke Translator.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Program Files\LinkLister\ll.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Program Files\LinkLister\ll.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: http://*.cinemanow.com
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226979053937
O20 - Winlogon Notify: fCRkHaYS - Invalid registry found
O20 - Winlogon Notify: fsp_lmwl - fsp_lmwl.dll (file missing)
O21 - SSODL: InfoDb - {40570F90-8204-3B90-177E-0A82520DE1B9} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9d78c965b5ad4) (gupdate1c9d78c965b5ad4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Movielink Core Service - Blockbuster - C:\PROGRA~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
O23 - Service: Network DDE (NetDDE32) - Unknown owner - C:\WINDOWS\system32\itircl32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 13393 bytes


Any help would be great.
Thanx


#2 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 01 December 2010 - 01:50 AM

Also this seems to affect IE and Firefox.. I'm using Netscape ver 9, which it has no effect on.

Running Win XP pro 2002 SP 3

Thanx again

#3 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 01 December 2010 - 01:56 AM

PS: I'm sure it is something in the Reg..

Any ideas?

Thanx

Edited by elise025, 01 December 2010 - 07:06 AM.
Since a log is posted, I am moving this to the malware removal forum. Please be patient until a Malware Removal Team member replies to this topic. ~ Elise


#4 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male

Posted 01 December 2010 - 09:29 AM

Hello and welcome to the forum.

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you continue to need help, please follow this link and perform all of the steps requested.

http://www.bleepingcomputer.com/forums/topic34773.html

This will give us a look at the current condition of your machine.

Please also include a clear description of the problems you're having.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please be patient while I analyze your present log and await your next. All of my fixes are checked by higher level forum members before posting.


Thanks.

DR

#5 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male

Posted 03 December 2010 - 01:32 PM

How are you doing?

If you still need help, please follow the directions I have posted above.

Thanks.

DR

#6 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 04 December 2010 - 04:37 AM

Hello all,

I was told by rigacci to post all this info..

So here goes..

Problem.. I notice some memory use and slow Cpu.. But the main thing it seems
this virus does is it redirects me to advertising pages from bing and google.

I have used avast, spy bot search and destroy, zone alarm, and even boot up scans.
This thing simply wants to hide in a dll file or some archive file.

Here are the text files with system info and running processes.

Thank you
J

Attached Files



#7 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 04 December 2010 - 04:42 AM

Hello Rigacci,

I just posted all this info in the other forum.

Just ready to kill disk, format and then reinstall. But this
may be an easy fix.

Thank you

#8 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male

Posted 04 December 2010 - 08:13 AM

Not sure exactly what you mean. Did you create a new topic? And which forum? Please give links when possible.

If no one has picked up your post, I can continue but I would need a link to the new post.

DR

#9 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 04 December 2010 - 09:44 PM

Hello,

The link is at <topics merged>

Thank you

Edited by elise025, 05 December 2010 - 10:08 AM.


#10 rigacci
    Fiorentino
  • Members
  • 2,604 posts
  • Gender:Male

Posted 05 December 2010 - 10:35 AM

Before we start cleaning I need to inform you of what is on your computer and what it could do.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to clean it, let's start with the following.


Your log(s) show that you are using a so-called peer-to-peer or file-sharing program (in your case uTorrent). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.


Your Adobe Reader, your Avast AV program and your Java all need updating. We can take care of that later, after you are clean.


First we need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy


Now Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable Security Programs

• Double click on ComboFix.exe & follow the prompts.

Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

[image]

If running XP, Click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Thanks.

DR

#11 mpis
  • Topic Starter
  • Members
  • 8 posts

Posted 06 December 2010 - 12:58 AM

I completed all of this.. Here is the output that I got. The PC seemed OK when running this. Can you
tell me what this rootkit or virus is? I can run kill disk and format but really did not
feel like this, as I have a lot of files that I need to keep. The backup would take 3-4 hours
at the least.

here is the log..

ComboFix 10-12-04.03 - admin 12/05/2010 21:52:22.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2266 [GMT -5:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{b85e8c07-2df8-489a-a9cc-703f45cdf7e9}
c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{b85e8c07-2df8-489a-a9cc-703f45cdf7e9}\chrome.manifest
c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{b85e8c07-2df8-489a-a9cc-703f45cdf7e9}\chrome\xulcache.jar
c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{b85e8c07-2df8-489a-a9cc-703f45cdf7e9}\defaults\preferences\xulcache.js
c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{b85e8c07-2df8-489a-a9cc-703f45cdf7e9}\install.rdf
c:\documents and settings\admin\Application Data\syswin
c:\documents and settings\admin\Desktop\Perfect Optimizer.lnk
c:\documents and settings\admin\Start Menu\Programs\Perfect Optimizer
c:\documents and settings\admin\Start Menu\Programs\Perfect Optimizer\Perfect Optimizer.lnk
c:\documents and settings\admin\Start Menu\Programs\Perfect Optimizer\Uninstall.lnk
c:\documents and settings\admin\Start Menu\Programs\Perfect Optimizer\Website.lnk
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\020000009d07e8d31076C.manifest
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\020000009d07e8d31076O.manifest
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\020000009d07e8d31076P.manifest
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\020000009d07e8d31076S.manifest
c:\program files\Perfect Optimizer
c:\program files\Perfect Optimizer\aamd532.dll
c:\program files\Perfect Optimizer\ActiveX.dat
c:\program files\Perfect Optimizer\Apps.dat
c:\program files\Perfect Optimizer\Components.dat
c:\program files\Perfect Optimizer\Config.db
c:\program files\Perfect Optimizer\config\about.bmp
c:\program files\Perfect Optimizer\config\head.bmp
c:\program files\Perfect Optimizer\config\Lng2Const.xml
c:\program files\Perfect Optimizer\config\logo.ico
c:\program files\Perfect Optimizer\config\Menu.xml
c:\program files\Perfect Optimizer\config\PerfectOptimzer.chm
c:\program files\Perfect Optimizer\config\register.jpg
c:\program files\Perfect Optimizer\config\SmallLogo.bmp
c:\program files\Perfect Optimizer\config\splash.jpg
c:\program files\Perfect Optimizer\config\website.url
c:\program files\Perfect Optimizer\Data\Service\campus_model.bat
c:\program files\Perfect Optimizer\Data\Service\default_model.bat
c:\program files\Perfect Optimizer\Data\Service\home_model.bat
c:\program files\Perfect Optimizer\Data\Service\interner_model.bat
c:\program files\Perfect Optimizer\Data\Service\notebook_model.bat
c:\program files\Perfect Optimizer\Data\Service\office_model.bat
c:\program files\Perfect Optimizer\FreeUse.dll
c:\program files\Perfect Optimizer\InstallDll.dll
c:\program files\Perfect Optimizer\License.dll
c:\program files\Perfect Optimizer\MiracleLib.dll
c:\program files\Perfect Optimizer\PerfectOptimizer.exe
c:\program files\Perfect Optimizer\PerfectOptimizer.ini
c:\program files\Perfect Optimizer\SEClean.DLL
c:\program files\Perfect Optimizer\SERes.DLL
c:\program files\Perfect Optimizer\sqlite3.dll
c:\program files\Perfect Optimizer\unins000.dat
c:\program files\Perfect Optimizer\unins000.exe
c:\program files\Perfect Optimizer\Update.exe
c:\program files\Perfect Optimizer\website.url
c:\program files\Perfect Optimizer\WinUpdate.exe
c:\windows\system32\baopbdij.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\paqbonus.exe
c:\windows\system32\pinclwdr.ini
c:\windows\system32\pthreadVC.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\winlogon.bak
c:\windows\system32\winping.exe
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.

2010-12-04 01:24 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-04 01:24 . 2010-12-04 01:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-12-01 07:11 . 2010-12-01 07:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-12-01 07:11 . 2010-12-01 07:11 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2010-12-01 07:11 . 2010-12-01 07:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-01 07:07 . 2010-12-01 07:07 0 ---ha-w- c:\documents and settings\admin\gydhtddprk.tmp
2010-12-01 06:26 . 2010-12-01 06:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XoftSpySE
2010-11-30 02:02 . 2010-11-30 02:02 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2010-11-30 02:00 . 2010-11-30 02:00 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2010-11-30 01:58 . 2010-11-30 01:58 -------- d-sh--w- c:\documents and settings\admin\IETldCache
2010-11-30 01:56 . 2010-11-30 01:56 175616 ----a-w- c:\windows\system32\kbdhe22032.exe
2010-11-30 01:47 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-11-30 01:46 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-30 01:46 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-30 01:46 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-30 01:46 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-30 01:46 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-30 01:46 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-30 01:46 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-30 01:41 . 2010-11-30 01:52 -------- dc-h--w- c:\windows\ie8
2010-11-30 01:33 . 2010-11-30 01:33 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Netscape
2010-11-30 01:33 . 2010-11-30 01:33 -------- d-----w- c:\documents and settings\admin\Application Data\Netscape
2010-11-30 01:33 . 2010-11-30 01:33 -------- d-----w- c:\program files\Netscape
2010-11-28 09:59 . 2010-11-28 09:59 -------- d-----w- C:\Acarda Setup Disks
2010-11-28 07:30 . 2010-11-28 07:31 -------- d-----w- c:\documents and settings\admin\Application Data\GetRightToGo
2010-11-28 06:50 . 2010-12-01 09:56 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AskToolbar
2010-11-28 06:33 . 2010-11-28 06:33 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Shareaza
2010-11-28 06:33 . 2010-11-28 07:00 -------- d-----w- c:\documents and settings\admin\Application Data\Shareaza
2010-11-28 06:33 . 2010-11-28 07:01 -------- d-----w- c:\program files\Shareaza
2010-11-28 06:18 . 2010-11-28 06:48 -------- d-----w- c:\documents and settings\admin\Application Data\Azureus
2010-11-28 06:02 . 2010-11-28 06:02 175616 ----a-w- c:\windows\system32\kbdkaz32.exe
2010-11-28 06:02 . 2010-11-28 06:02 256512 ----a-w- c:\windows\system32\kbdkyr32.dll
2010-11-28 06:02 . 2010-11-28 06:02 175616 ----a-w- c:\windows\system32\kbdkyr32.exe
2010-11-28 06:02 . 2010-11-28 06:02 419328 ----a-w- c:\windows\system32\aticalrt32.dll
2010-11-28 04:50 . 2003-07-09 10:21 153864 ----a-w- c:\windows\system32\http50.ocx
2010-11-28 04:50 . 2003-07-09 10:21 137480 ----a-w- c:\windows\system32\ftp50.ocx
2010-11-28 04:50 . 2001-10-06 02:02 143360 ----a-w- c:\windows\system32\Stamin32.Dll
2010-11-28 04:50 . 1999-05-07 05:00 209408 ----a-w- c:\windows\system32\TabCtl32.ocx
2010-11-28 04:40 . 2010-11-28 07:24 -------- d-----w- c:\program files\SPCK Software
2010-11-27 08:54 . 2010-11-27 08:54 -------- d-----w- c:\program files\Doorway Page Wizard Professional
2010-11-24 08:27 . 2010-11-24 08:27 -------- d-----w- c:\documents and settings\admin\Application Data\Asura Software
2010-11-24 06:54 . 2010-11-28 09:39 -------- d-----w- c:\program files\Great Gateway Generator1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 05:30 . 2009-08-14 04:05 737280 ----a-w- c:\windows\iun6002.exe
2010-09-10 05:58 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-07 16:11 . 2009-12-03 06:04 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 15:52 . 2009-12-03 06:05 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 15:52 . 2009-12-03 06:05 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 15:47 . 2009-12-03 06:05 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 15:47 . 2009-12-03 06:05 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 15:47 . 2009-12-03 06:05 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 15:47 . 2009-12-03 06:05 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 15:46 . 2009-12-03 06:05 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

------- Sigcheck -------

[-] 2008-10-05 . 679A7259741F6A09994F02C4261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014D683E-A429-4CA6-BCAD-76E46E79E0Ed}]
2010-11-28 06:02 419328 ----a-w- c:\windows\system32\aticalrt32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45C23DF4-F2F4-F7CB-BC41-2454ABA2BBA6}]
2010-11-28 06:02 256512 ----a-w- c:\windows\system32\kbdkyr32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-06-23 1699128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-26 8523776]
"nwiz"="nwiz.exe" [2008-05-26 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-26 81920]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"USB Storage Toolbox"="c:\program files\USBToolbox\Res.EXE" [2004-03-09 65536]
"LoadMSvcmm"="c:\program files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe" [2009-03-27 455112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-27 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-25 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-06-03 5964800]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsp_lmwl]
2008-06-14 02:39 45184 ----a-w- c:\windows\system32\fsp_lmwl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:English /RA:delete /RS:yes /archives /KBD:2

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB5975]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6968]
command [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CinemaNowMediaManagerApp]
2010-01-14 21:56 2148848 ----a-w- c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm]
2009-03-27 13:12 455112 ----a-w- c:\program files\Blockbuster\BLOCKBUSTERMovielink\Movielink User.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
2005-08-16 02:31 106496 ----a-w- c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CNUpdater.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [6/10/2008 5:33 AM 150568]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/22/2008 2:12 AM 717296]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [8/11/2008 12:22 PM 39680]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2009 1:05 AM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [11/22/2008 2:11 AM 93544]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2009 1:05 AM 17744]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/14/2010 4:58 PM 129520]
R3 LMPC4;LMPC4;c:\windows\system32\drivers\lmpc4.sys [10/28/2008 10:33 PM 10096]
S2 BT848;BtCap, WDM Video Capture;c:\windows\system32\drivers\BT848.sys [4/20/2009 9:46 PM 265512]
S2 BTTUNER;BtTuner, WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [4/20/2009 9:47 PM 18944]
S2 BTXBAR;BtXBar, WDM Crossbar;c:\windows\system32\drivers\btxbar.sys [4/20/2009 9:47 PM 13308]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate1c9d78c965b5ad4;Google Update Service (gupdate1c9d78c965b5ad4);c:\program files\Google\Update\GoogleUpdate.exe [5/18/2009 2:45 AM 133104]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 TridVid;USB TV Tuner Analog Video;c:\windows\system32\drivers\TridVid.sys [4/23/2009 8:40 PM 77824]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 07:45]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-18 07:45]

2010-12-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-29 03:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
Trusted Zone: cinemanow.com
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - component: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - Extension: CinemaNow Plugin for Firefox: {3112ca9c-de6d-4884-a869-9855de680400} - f:\firefox3----0\extensions\{3112ca9c-de6d-4884-a869-9855de680400}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\firefox3----0\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - f:\firefox3----0\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - f:\firefox3----0\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: CinemaNow Plugin for Firefox: {3112ca9c-de6d-4884-a869-9855de680400} - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{3112ca9c-de6d-4884-a869-9855de680400}
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\t85o48dl.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

BHO-{4FC15D7D-11FA-4CD1-BB7D-04D5CBDCED27} - (no file)
BHO-{55CA7F49-50CC-4E19-B383-A513BF5781CB} - (no file)
BHO-{8D4B0B34-B85D-4BD2-A9D4-C6A78BE80F22} - (no file)
BHO-{93794588-38B9-4DE5-92F5-ED35E26BBF99} - (no file)
Toolbar-SITEguard - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\admin\Application Data\SysWin\lsass.exe
SSODL-InfoDb-{40570F90-8204-3B90-177E-0A82520DE1B9} - (no file)
Notify-fCRkHaYS - (no file)
AddRemove-{E7B43551-F943-4A4A-ACA3-588EF56B9DFD}_is1 - c:\program files\Perfect Optimizer\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-05 22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\admin\Application Data\SysWin\lsass.exe??????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{749458AD-222F-0652-51D0-EE578C0E3743}\InProcServer32*]
"jafocekfnbnbhonephpj"=hex:66,61,66,6c,6c,6e,63,69,62,6e,6d,62,00,00
"iafoabmjifhnddgopo"=hex:6b,61,68,6c,66,63,6b,70,65,6f,62,62,62,67,61,70,67,62,
62,69,6b,65,00,7e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\fsp_lmwl.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(844)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\program files\Lock My PC 4\lmpchdr.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\Common Files\Microsoft Shared\INK\PENUSA.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Lock My PC 4\lockpc.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\BLOCKB~1\BLOCKB~1\MovielinkCore.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\PSIService.exe
c:\windows\system32\locator.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-05 22:07:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-06 03:07

Pre-Run: 229,359,038,464 bytes free
Post-Run: 229,330,083,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D97BE5267F5490F9D7F4DBC34B03B593


Thank you again for your help.

#12 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:25 AM

Posted 06 December 2010 - 07:15 AM

It's hard to say what the Trojan is by name, as it seems every AV service will give it a different name, but generally they latch onto your computer and then start exporting the information that they are designed to find.

There were a lot of deletions and there are a few leftovers but it doesn't look too bad at this point. I need to get back to you about the next step though.

DR

#13 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:25 AM

Posted 08 December 2010 - 07:35 AM

Hi mpis:

I am sorry it has taken so long to get back with this next step, but I was out of touch for much of Monday.

Before removing or fixing anything else I would like to get one system file analyzed.

Please visit the online Jotti Virus Scanner <--link
  • Copy and paste the following filepath in the box:

    c:\windows\system32\winlogon.exe
  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Thanks.

DR

#14 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:25 AM

Posted 09 December 2010 - 09:53 AM

Are you still with us?

How are things going?


And while you are checking that file out at Jotti, you might want to also check out the C:\Windows\explorer.exe file and please also post that result.

Just copy/paste that line into the box at Jotti.

DR

Edited by rigacci, 09 December 2010 - 12:31 PM.


#15 mpis

mpis
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:25 AM

Posted 11 December 2010 - 01:56 AM

Hello DR,

I scanned both files and nothing was found on explorer.exe or winlogon.exe.

Any other ideas? The link redirect has been fixed, so it seems good.

Also do you recommend any virus scanners other than Avast?

Thank you
