
Tmp5ea7.tmp


  • This topic is locked
7 replies to this topic

#1 SteelSide

SteelSide

  • Members
  • 4 posts

Posted 08 September 2006 - 04:58 PM

Ok, I get that I'm totally missing common sense, but anyway a guy said "don't go here" and gave me a link to armchair.be. Now when I go there it's the usual bleep with a browser window flying around, and of course "You got a new virus".

Scanned with NOD32 & Ad-Aware & Norton & Spybot S&D; the only ones that detect anything are Norton's & NOD32's autoprotect, which always finds some files in the temp dir. They are named tmp5aaa.tmp (it starts at that, then every time I press quarantine on it, it increases by one, like 5aab/5aa1 etc.)

Norton says it's an IRC Trojan.
NOD32 says it's a "probable variant of winew&TrojanDropper.ErPack trojan".

Spybot S&D found a lot of cookies & some registry entries also; one was evileye.

And I noticed once that a program started named LUCOMS1~.exe; however, I can't see any of that in the log.

Logfile of HijackThis v1.99.1
Scan saved at 23:54:58, on 2006-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program\SoftPerfect Bandwidth Manager\bwmsvc.exe
C:\Program\Norton Internet Security\ccPxySvc.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\Mixer.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Delade filer\TerraTec\PhaseFW\common\PhaseFWService.exe
C:\Program\Eset\nod32.exe
C:\Program\NORTON~1\navw32.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Daniel\Skrivbord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelside.kicks-ass.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: errorsafe.com localhost
O1 - Hosts: se.errorsafe.com localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Program\Delade filer\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Phase24FireWireService] "C:\Program\Delade filer\TerraTec\PhaseFW\common\PhaseFWService.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute8f\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program\VisualRoute8f\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: www.mtgradio.se
O15 - Trusted Zone: www.nrj.se
O15 - Trusted Zone: http://www.nrj.se
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143554958069
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF9B8327-1FE5-453A-AC9E-AC0ED21ADF31}: NameServer = 192.168.127.2,217.76.87.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: SoftPerfect Bandwidth Manager (bwmservice) - Unknown owner - C:\Program\SoftPerfect Bandwidth Manager\bwmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program\Norton Internet Security\NISUM.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Edited by SteelSide, 09 September 2006 - 05:13 AM.
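As an added example (not code from this thread, from HijackThis or from the helpers here), a small Python triage script run over entry lines copied from the log above. The `triage` rules and the `Finding` class are my own construction; they only mirror what a log reviewer typically checks first: hosts-file overrides (O1), AppInit_DLLs (O20), startup shortcuts with unresolved targets, entries marked "(file missing)", and services with an unknown owner (O23).

```python
"""Triage helper for HijackThis 1.99-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entry lines taken from the posted log.
SAMPLE_LOG = """\
O1 - Hosts: errorsafe.com localhost
O1 - Hosts: se.errorsafe.com localhost
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Picture Package Menu.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\Program\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\\Program\\Eset\\nod32krn.exe
O23 - Service: SoftPerfect Bandwidth Manager (bwmservice) - Unknown owner - C:\\Program\\SoftPerfect Bandwidth Manager\\bwmsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\\WinPcap\\rpcapd.exe" -d -f "%ProgramFiles%\\WinPcap\\rpcapd.ini (file missing)
"""

# Every HijackThis entry starts with a section code (R0, F1, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str    # section code, e.g. "O23"
    reason: str  # why a reviewer should look at this line
    line: str    # the original log line


def parse_entries(text):
    """Return (kind, body, line) for each entry line; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def triage(text):
    """Apply the review rules and return one Finding per line that matches any rule."""
    findings = []
    for kind, body, line in parse_entries(text):
        reasons = []
        if kind == "O1":
            # A hosts entry pointing a name at localhost overrides DNS for that host.
            reasons.append("hosts-file override")
        if kind == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll.
            reasons.append("AppInit_DLLs entry")
        if kind == "O4" and body.rstrip().endswith("= ?"):
            reasons.append("startup shortcut with unresolved target")
        if "(file missing)" in body:
            reasons.append("referenced file missing")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if reasons:
            findings.append(Finding(kind, "; ".join(reasons), line))
    return findings


def summarize(text):
    """Count parsed entries per section code, e.g. {"O1": 2, "O4": 2, ...}."""
    counts = {}
    for kind, _, _ in parse_entries(text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}: {f.line}")
```

A flagged line is only a review prompt; the O1 lines here, for instance, are the kind of block Spybot's immunization writes, and the O20 entry belongs to Messenger Plus, both of which appear elsewhere in the log.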



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 September 2006 - 10:48 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay getting to your log, the helpers here are very busy.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 SteelSide

SteelSide
  • Topic Starter

  • Members
  • 4 posts

Posted 14 September 2006 - 12:41 PM

cDaniel - 06-09-14 19:33:35,57	Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Daniel\Skrivbord

(((((((((((((((((((((((((((((((   Files Created from 2006-08-14 to 2006-09-14  ))))))))))))))))))))))))))))))))))
 

2006-08-31	15:47	33	--a------	C:\WINDOWS\system32\grecorder.dll
2006-08-30	18:04	118,272	--a------	C:\WINDOWS\system32\SX5363S.DLL
2006-08-30	18:04	102,400	--a------	C:\WINDOWS\system32\RV32RTP.dll
2006-08-25	21:10	974,848	--a------	C:\WINDOWS\system32\mfc70.dll
2006-08-25	21:10	487,424	--a------	C:\WINDOWS\system32\msvcp70.dll
2006-08-25	21:10	344,064	--a------	C:\WINDOWS\system32\msvcr70.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-14 19:34	--------	d--------	C:\Program\SoftPerfect Bandwidth Manager
2006-09-14 18:55	--------	d--------	C:\Program\mIRC
2006-09-14 18:35	--------	d--------	C:\Program\Mozilla Firefox
2006-09-14 14:47	--------	d--------	C:\Program\Delade filer\Symantec Shared
2006-09-14 14:47	--------	d--------	C:\Program\Delade filer
2006-09-13 15:51	--------	d--------	C:\Program\Mozilla Thunderbird
2006-09-13 15:01	--------	d--------	C:\Program\iTunes
2006-09-13 15:01	--------	d--------	C:\Program\iPod
2006-09-13 15:00	--------	d--------	C:\Program\QuickTime
2006-09-13 14:58	--------	d--------	C:\Program\Apple Software Update
2006-09-12 20:56	--------	d--------	C:\Program\InspIRCd
2006-09-11 17:52	--------	d--------	C:\Program\ESET
2006-09-10 20:51	--------	d--------	C:\Program\Messenger Plus! Live
2006-09-10 20:38	--------	d--------	C:\Documents and Settings\Daniel\Application Data\Screenshot Sender
2006-09-09 16:41	--------	d--------	C:\Program\MSN Messenger
2006-09-08 20:21	2	--a------	C:\AUTOEXEC.BAT
2006-09-08 16:05	--------	d--------	C:\Program\irssi
2006-09-08 14:27	--------	d--------	C:\Program\ElcomSoft
2006-09-03 19:58	--------	d--------	C:\Program\StealthBot
2006-08-31 15:45	--------	d--------	C:\Program\ZD Soft
2006-08-31 14:27	--------	d--------	C:\Program\Google
2006-08-30 18:00	--------	d--h-----	C:\Program\InstallShield Installation Information
2006-08-28 18:06	--------	d--------	C:\Program\DivX
2006-08-26 14:15	3320	--a------	C:\Documents and Settings\Daniel\Application Data\ViewerApp.dat
2006-08-26 11:40	--------	d--------	C:\Program\e-on software
2006-08-25 20:42	--------	d--------	C:\Documents and Settings\Daniel\Application Data\Symantec
2006-08-24 16:31	--------	d--------	C:\Program\Cheat Engine
2006-08-21 20:21	--------	d--------	C:\Program\Microsoft Visual Studio 8
2006-08-21 20:21	--------	d--------	C:\Program\Delade filer\Microsoft Shared
2006-08-21 14:56	--------	d--------	C:\Program\CamStudio
2006-08-21 14:28	16896	--a------	C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14	23040	--a------	C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14	128896	---------	C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 10:29	--------	d--------	C:\Program\VisualRoute10H
2006-08-20 18:43	--------	d--------	C:\Program\VisualRoute93g
2006-08-20 16:14	327680	--a------	C:\WINDOWS\system32\pythoncom24.dll
2006-08-20 16:14	102400	--a------	C:\WINDOWS\system32\pywintypes24.dll
2006-08-20 16:10	--------	d---s----	C:\Documents and Settings\Daniel\Application Data\Microsoft
2006-08-20 15:56	--------	d--------	C:\Program\TASpring
2006-08-20 15:55	--------	d--------	C:\Program\Delade filer\TerraTec
2006-08-20 14:05	--------	d--------	C:\Program\VisualRoute
2006-08-20 13:32	78	--a------	C:\Documents and Settings\Daniel\Application Data\.ettercap_gtk
2006-08-20 00:43	--------	d--------	C:\Program\VisualRoute8f
2006-08-12 11:01	--------	d--------	C:\Program\Internet Explorer
2006-08-04 17:37	73728	--a------	C:\WINDOWS\system32\dpl100.dll
2006-08-04 17:37	196608	--a------	C:\WINDOWS\system32\dtu100.dll
2006-08-04 14:08	--------	d--------	C:\Documents and Settings\Daniel\Application Data\Talkback
2006-08-04 14:06	--------	d--------	C:\Documents and Settings\Daniel\Application Data\Thunderbird
2006-08-04 14:06	--------	d--------	C:\Documents and Settings\Daniel\Application Data\Mozilla
2006-07-29 19:32	48936	--a------	C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:26	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-07-27 04:05	3596288	--a------	C:\WINDOWS\system32\qt-dx331.dll
2006-07-21 10:30	72704	--a------	C:\WINDOWS\system32\hlink.dll
2006-07-14 17:22	--------	d--------	C:\Program\Net Tools
2006-07-14 15:03	14448	--a------	C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2006-07-14 14:51	108144	--a------	C:\WINDOWS\system32\GEARAspi.dll
2006-07-03 23:40	778240	--a------	C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 23:40	778240	--a------	C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 23:40	761856	--a------	C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 23:40	620180	--a------	C:\WINDOWS\system32\DivX.dll
2006-06-22 07:17	69120	--a------	C:\WINDOWS\system32\ciodm.dll
2006-06-22 07:17	1438208	--a------	C:\WINDOWS\system32\query.dll
2006-06-21 12:49	53248	--a------	C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 12:43	520192	--a------	C:\WINDOWS\system32\DivXsm.exe
2006-06-21 12:42	200704	--a------	C:\WINDOWS\system32\ssldivx.dll
2006-06-21 12:42	1044480	--a------	C:\WINDOWS\system32\libdivx.dll
2006-06-21 12:34	593920	--a------	C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 12:34	57344	--a------	C:\WINDOWS\system32\dpv11.dll
2006-06-21 12:34	344064	--a------	C:\WINDOWS\system32\dpus11.dll
2006-06-21 12:34	294912	--a------	C:\WINDOWS\system32\dpu11.dll
2006-06-21 12:34	294912	--a------	C:\WINDOWS\system32\dpu10.dll
2006-06-21 12:33	12288	--a------	C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 12:33	118784	--a------	C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-18 15:45	36864	--a------	C:\WINDOWS\system32\frapsvid.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Phase24FireWireService"="\"C:\\Program\\Delade filer\\TerraTec\\PhaseFW\\common\\PhaseFWService.exe\""
"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"ccApp"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program\\Delade filer\\Symantec Shared\\ccRegVfy.exe\""
"Symantec NetDriver Monitor"="C:\\Program\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TerraTec Remote Control"="\"C:\\Program\\Delade filer\\TerraTec\\Remote\\TTTVRC.exe\""
"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min aktuella startsida"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,02,00,00,00,00,00,00,00,02,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\"  -osboot"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - C scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Sök igenom datorn.job
C:\WINDOWS\tasks\Symantec NetDetect.job
 
Completion time: 2006-09-14 19:34:55.57 
ComboFix.txt

Thanks for your reply. I'm not sure if I did fix my infection last time, but the .tmp files stopped appearing (but I suspect that I'm infected with something else, as my login time is a bit slower :/).

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 September 2006 - 02:23 PM

I don't see any definite malware in that log, although there is one file that I can't confirm either way.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    C:\WINDOWS\system32\grecorder.dll

  • Disable your firewall if you are using one.
  • Click on the submit button
  • Reenable your firewall as soon as you get results.
  • Please post the results in your next reply.



========================================================

#5 SteelSide

SteelSide
  • Topic Starter

  • Members
  • 4 posts

Posted 15 September 2006 - 11:19 AM

File: grecorder.dll
Status: OK
MD5: c372e2e48be89265edb4f9547d6faf86
Packers detected: -

Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
UNA - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing

Guess I'm not infected then :thumbsup: Thanks for your replies, this site is a very good place for support concerning computers (IMO) :flowers: :huh:

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 September 2006 - 06:00 PM

It's always good to rule out malware as a cause for problems. The last bit of advice I will leave you with is to uninstall either Nod32 or Norton. You should never run more than one antivirus program at a time. At best it will really slow your computer down to a crawl, but it can also cause conflicts that may even crash your computer.


========================================================

#7 SteelSide

SteelSide
  • Topic Starter

  • Members
  • 4 posts

Posted 16 September 2006 - 03:12 AM

I already did that after the .tmp files stopped appearing, as I did notice a real slowdown when running Spybot S&D, NOD32 & Norton at the same time. Only got Norton now (since that is the one I bought, and my trial would expire on the other ones).

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 September 2006 - 07:30 PM

Sounds good! :thumbsup:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
