IE 7 System Integrity Scan Wizard Popup And Trojan Problem


This topic is locked.
12 replies to this topic

#1 Chnauz091382

Posted 13 February 2007 - 10:28 AM

Hello, I just recently found myself bombarded by various popups, and I believe the source was a rogue email attachment. The main problem I notice is that when I launch IE 7 the System Integrity Scan Wizard usually pops up, and I decline by clicking Cancel. I have run Spy Sweeper, Spybot S&D and Ad-Aware SE, all in safe mode, to try and eliminate the problem, but no luck. I have also tried the Vundo removal tool, and it did remove the infected files it found, but it did not cure my current problem. I am also having trouble with a Trojan found by BitDefender 8. The file is listed as C:\Windows\System32\IFWPRJE.dll (Infected: Trojan.Obfus.Gen); BitDefender was unable to move it into Quarantine. I will post my HijackThis log in hopes someone can please analyze it and let me know if any corrections or modifications need to be made. I appreciate such help very much, and if someone can also elaborate on the Trojan problem it would also be greatly appreciated! Thanks,

Shaun

Logfile of HijackThis v1.99.1
Scan saved at 10:23:56 AM, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\softwin\bitdefender8\bdnagent.exe
E:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\program files\Eraser\eraser.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\program files\SetPoint\SetPoint.exe
E:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - (no file)
O2 - BHO: (no name) - {1256A61F-45BD-E977-6007-0A0D9B48D775} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84BFD793-7C62-49F1-890A-3F34389A5A9D} - (no file)
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ifwprje.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Shaun Einboden\Local Settings\Application Data\ifwprje.dll",nqfcebf
O4 - HKLM\..\Run: [{8C92FE3F-0855-4105-0112-071201050002}] "C:\Program Files\Common Files\{8C92FE3F-0855-4105-0112-071201050002}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] E:\program files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158968958558
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158969896577
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: iifcdab - iifcdab.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 RichieUK (Malware Response Team)

Posted 13 February 2007 - 11:20 AM

Welcome to BleepingComputer, Chnauz091382 :thumbsup:

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

****************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

****************************

Please download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - (no file)
O2 - BHO: (no name) - {1256A61F-45BD-E977-6007-0A0D9B48D775} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84BFD793-7C62-49F1-890A-3F34389A5A9D} - (no file)
O4 - HKLM\..\Run: [ifwprje.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Shaun Einboden\Local Settings\Application Data\ifwprje.dll",nqfcebf
O4 - HKLM\..\Run: [{8C92FE3F-0855-4105-0112-071201050002}] "C:\Program Files\Common Files\{8C92FE3F-0855-4105-0112-071201050002}\Update.exe" mc-110-12-0000272
O20 - Winlogon Notify: iifcdab - iifcdab.dll (file missing)
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)

Find and delete if present:
C:\Documents and Settings\Shaun Einboden\Local Settings\Application Data\ifwprje.dll
C:\Program Files\Common Files\{8C92FE3F-0855-4105-0112-071201050002}

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log in your next reply.
Let me know how your pc is running now please.
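As an added example for this thread (not code from the original posts or from HijackThis), the triage RichieUK did by eye in the reply above can be written as a small filter over the log. The four rules are my reading of the lines he chose and are assumptions, not a complete rule set: a BHO registered with no name and no file, a Run value that makes rundll32 load a DLL out of the user's Local Settings profile, a Run value named after a GUID whose binary sits in Common Files\{GUID}, and a Winlogon Notify package whose DLL is gone. The line formats are taken from the HijackThis 1.99.1 log above, and the sample input is eight lines copied from that log.

```python
"""HijackThis log triage: pick out the entry types RichieUK selected for
'Fix checked' and derive the 'Find and delete if present' paths from them.
Added example for this thread, not part of HijackThis or of the original
posts; the heuristics are an assumption drawn from the reply above."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: str     # the HijackThis line to tick under 'Fix checked'
    reason: str   # why it is suspicious


# Entry layouts as printed by HijackThis 1.99.1 (taken from the log above).
BHO_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_ENTRY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_ENTRY = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
USER_PROFILE = re.compile(r"\\Documents and Settings\\[^\\]+\\Local Settings\\", re.IGNORECASE)
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
QUOTED = re.compile(r'"([^"]+)"')

# Sample input: eight lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [ifwprje.dll] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Shaun Einboden\Local Settings\Application Data\ifwprje.dll",nqfcebf
O4 - HKLM\..\Run: [{8C92FE3F-0855-4105-0112-071201050002}] "C:\Program Files\Common Files\{8C92FE3F-0855-4105-0112-071201050002}\Update.exe" mc-110-12-0000272
O20 - Winlogon Notify: iifcdab - iifcdab.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a helper would hand back for 'Fix checked'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_ENTRY.match(line):
            # A BHO CLSID still registered although its DLL is gone: clutter a
            # removal tool left behind, so clean out the registration too.
            if m["name"] == "(no name)" and m["path"] == "(no file)":
                findings.append(Finding(line, "orphaned BHO (no name, no file)"))
        elif m := RUN_ENTRY.match(line):
            cmd = m["cmd"]
            if "rundll32" in cmd.lower() and USER_PROFILE.search(cmd):
                # rundll32 calling an export of a random-named DLL hidden in the
                # user's Local Settings profile; same ifwprje.dll name BitDefender flagged.
                findings.append(Finding(line, "rundll32 loads a DLL from the user profile"))
            elif GUID_NAME.match(m["name"]) and "\\Common Files\\{" in cmd:
                # A Run value named after a GUID whose binary lives in
                # Common Files\{GUID}\ is the 'updater' RichieUK had removed.
                findings.append(Finding(line, "GUID-named Run value under Common Files\\{GUID}"))
        elif m := NOTIFY_ENTRY.match(line):
            # Winlogon Notify packages load into winlogon.exe at logon; an entry
            # whose DLL is already gone is a leftover hook to remove.
            if m["path"].endswith("(file missing)"):
                findings.append(Finding(line, "Winlogon Notify package with no DLL on disk"))
        elif m := SERVICE_ENTRY.match(line):
            path = m["path"]
            # HijackThis 1.99.1 prints '(file missing)' for a service whose quoted
            # ImagePath it mis-parsed (note the stray quote before /service); both
            # BitDefender binaries are in the running-process list, so only trust
            # the flag when the path carries no quote.
            if path.endswith("(file missing)") and '"' not in path:
                findings.append(Finding(line, "service binary missing from disk"))
    return findings


def delete_targets(findings: List[Finding]) -> List[str]:
    """Derive the 'Find and delete if present' list from the flagged Run values:
    the DLL that rundll32 loads, and the folder holding a GUID-named updater."""
    targets = []
    for f in findings:
        m = RUN_ENTRY.match(f.line)
        if not m:
            continue
        quoted = QUOTED.findall(m["cmd"])
        if f.reason.startswith("rundll32"):
            targets.append(quoted[-1])                      # the DLL argument
        elif f.reason.startswith("GUID"):
            targets.append(quoted[0].rsplit("\\", 1)[0])    # its containing folder
    return targets


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:48} {f.line}")
    print("Find and delete if present:")
    for p in delete_targets(found):
        print("  " + p)
```

Run on the sample it prints the four lines to tick under 'Fix checked' and the two 'Find and delete' paths from the reply above. Two caveats the thread itself supports: HijackThis 1.99.1 reports both BitDefender services as '(file missing)' even though bdss.exe and xcommsvr.exe appear in the running-process list (the stray quote before /service shows it mis-parsed the quoted ImagePath), so the filter ignores that flag on an O23 line whose path contains a quote; and the DLL exists in two places on this machine, because the Run value loads the copy under Local Settings\Application Data while BitDefender and the ComboFix file list later in the thread name C:\WINDOWS\system32\ifwprje.dll, which a delete list derived from the Run value alone would miss.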

#3 Chnauz091382 (Topic Starter)

Posted 13 February 2007 - 12:38 PM

Hi, thanks for the response. Actually I need a modification done now; I seem to have narrowed the problem down even further. I have the following reported problems:

Spysweeper reports:

Being infected with Virtumonde. I cannot remove that.
And also I get the occasional spy cookie 2o7.

The majority of the software seems to have removed the popups for now, but those I just mentioned remain. The software picks up the infected entries and then quarantines them, but as soon as I delete the quarantine and reboot the computer the software will pick those entries up again. I will post a new HijackThis log to be analyzed. Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:40 PM, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
E:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\program files\Eraser\eraser.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\program files\SetPoint\SetPoint.exe
E:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {010FF400-8DFB-439D-987B-DCDE5195F4D8} - (no file)
O2 - BHO: (no name) - {1256A61F-45BD-E977-6007-0A0D9B48D775} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84BFD793-7C62-49F1-890A-3F34389A5A9D} - (no file)
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{8C92FE3F-0855-4105-0112-071201050002}] "C:\Program Files\Common Files\{8C92FE3F-0855-4105-0112-071201050002}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "E:\program files\Eraser\eraser.exe" -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158968958558
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158969896577
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: iifcdab - iifcdab.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 RichieUK (Malware Response Team)

Posted 13 February 2007 - 12:46 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#5 Chnauz091382 (Topic Starter)

Posted 13 February 2007 - 02:12 PM

Hi RichieUK, again thanks for taking my case. I followed the instructions you provided me for AVG and what to remove with HijackThis. In safe mode AVG did find some trojans and cookies and quarantined them. After I rebooted back into Windows I used Webroot Spy Sweeper again to search, and it is still finding a hit of Virtumonde and spy cookie 2o7.net. I will post the new HijackThis log and the log from AVG, and again thanks. I don't seem to be having any popups as of now, but I don't want those two items residing on my system either. I should also note I ran VundoFix 6.3.6 and it reported no infected files found.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:53 PM, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
E:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
E:\program files\Eraser\eraser.exe
E:\Program Files\Microsoft ActiveSync\wcescomm.exe
E:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\program files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] E:\program files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158968958558
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158969896577
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


AVG LOG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:50:07 PM 13/02/2007

+ Scan result:




C:\WINDOWS\system32\drvcez.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wapitr.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



Thanks again for your help

Edited by Chnauz091382, 13 February 2007 - 02:17 PM.


#6 RichieUK (Malware Response Team)

Posted 13 February 2007 - 02:44 PM

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze or hang.



****************************

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to the desktop and double-click on it.
If you get any kind of warning message about scripts, please choose to allow the script to run.
When the scan is finished it will create a logfile on your desktop.
Please post the entire contents of this logfile into your next reply.

Post the C:\ComboFix.txt and the entire contents of the SilentRunners logfile in your next reply please.

#7 Chnauz091382 (Topic Starter)

Posted 13 February 2007 - 02:56 PM

Here you go, Richie, as promised.

ComboFix Report:

"Shaun Einboden" - 07-02-13 14:50:15 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Shaun Einboden\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\unsvchosts.lzma
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\ICROSO~1
C:\qoobox\purity\WINDOWS\system32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-13 to 2007-02-13 ))))))))))))))))))))))))))))))))))


2007-02-13 09:35 <DIR> d-------- C:\Program Files\HijackThis
2007-02-13 09:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-02-13 08:05 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-02-13 08:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Webroot
2007-02-13 08:04 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Webroot
2007-02-12 21:42 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-02-12 21:42 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-02-12 21:42 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-02-12 21:42 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-02-12 21:42 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Webroot
2007-02-12 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Webroot
2007-02-12 21:41 <DIR> d-------- C:\DOCUME~1\SHAUNE~1\Application Data\Webroot
2007-02-12 20:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-12 19:22 93,696 --a------ C:\WINDOWS\system32\ifwprje.dll
2007-02-10 15:25 <DIR> d-------- C:\DOCUME~1\SHAUNE~1\Application Data\Kernel for Outlook Express(Evaluation version)
2007-02-10 14:17 69,632 --a------ C:\WINDOWS\uninsqvp.exe
2007-02-10 14:17 45,056 --a------ C:\WINDOWS\qvphook.dll
2007-02-10 14:17 <DIR> d-------- C:\WINDOWS\system32\VIEWERS
2007-02-10 13:55 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-02-10 13:50 <DIR> d--h----- C:\WINDOWS\PIF
2007-02-03 11:08 <DIR> d-------- C:\Program Files\iNav
2007-02-01 18:03 <DIR> d-------- C:\Program Files\MSBuild
2007-02-01 18:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-02-01 18:00 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-02-01 18:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-01-28 21:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-01-26 20:05 935,632 --a------ C:\WINDOWS\system32\VB40016.DLL
2007-01-26 20:05 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-01-26 20:05 87,040 --a------ C:\WINDOWS\system32\P2BDAO.DLL
2007-01-26 20:05 86,848 --a------ C:\WINDOWS\system32\VBDB16.DLL
2007-01-26 20:05 85,008 --a------ C:\WINDOWS\system32\PDSODBC.DLL
2007-01-26 20:05 748,160 --a------ C:\WINDOWS\system32\CO2C40EN.DLL
2007-01-26 20:05 68,096 --a------ C:\WINDOWS\system32\Wbtrv32.dll
2007-01-26 20:05 65,056 --a------ C:\WINDOWS\system32\PDBDAO.DLL
2007-01-26 20:05 57,328 --a------ C:\WINDOWS\system32\OLE2CONV.DLL
2007-01-26 20:05 543,744 --a------ C:\WINDOWS\system32\DAO2516.DLL
2007-01-26 20:05 54,272 --a------ C:\WINDOWS\system32\P2IRDAO.DLL
2007-01-26 20:05 536,048 --a------ C:\WINDOWS\system32\OC25.DLL
2007-01-26 20:05 53,248 --a------ C:\WINDOWS\system32\MSCc2JP.dll
2007-01-26 20:05 51,712 --a------ C:\WINDOWS\system32\OLE2PROX.DLL
2007-01-26 20:05 50,176 --a------ C:\WINDOWS\system32\CTDAO.DLL
2007-01-26 20:05 5,824 --a------ C:\WINDOWS\system32\Wbtrthnk.dll
2007-01-26 20:05 43,472 --a------ C:\WINDOWS\system32\Wbtrcall.dll
2007-01-26 20:05 415,504 --a------ C:\WINDOWS\system32\MSREPL35.DLL
2007-01-26 20:05 4,192 --a------ C:\WINDOWS\system32\Wbtrvres.dll
2007-01-26 20:05 39,424 --a------ C:\WINDOWS\system32\UXFTEXT.DLL
2007-01-26 20:05 38,400 --a------ C:\WINDOWS\system32\OC25JPN.DLL
2007-01-26 20:05 37,888 --a------ C:\WINDOWS\system32\UXFSEPV.DLL
2007-01-26 20:05 36,560 --a------ C:\WINDOWS\system32\PDIRDAO.DLL
2007-01-26 20:05 36,352 --a------ C:\WINDOWS\system32\P2BBND.DLL
2007-01-26 20:05 35,840 --a------ C:\WINDOWS\system32\UXFDIF.DLL
2007-01-26 20:05 33,792 --a------ C:\WINDOWS\system32\UXFREC.DLL
2007-01-26 20:05 33,456 --a------ C:\WINDOWS\system32\PDCTDAO.DLL
2007-01-26 20:05 28,160 --a------ C:\WINDOWS\system32\Cmdlgjp.dll
2007-01-26 20:05 28,041 --a------ C:\WINDOWS\system32\OLE2.REG
2007-01-26 20:05 27,136 --a------ C:\WINDOWS\system32\UXDDISK.DLL
2007-01-26 20:05 27,136 --a------ C:\WINDOWS\system32\DBLstJP.dll
2007-01-26 20:05 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2007-01-26 20:05 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-01-26 20:05 22,398 --a------ C:\WINDOWS\system32\CRXLATE.DLL
2007-01-26 20:05 217 --a------ C:\WINDOWS\system32\DAO16.REG
2007-01-26 20:05 20,496 --a------ C:\WINDOWS\system32\PDBBND.DLL
2007-01-26 20:05 2,920 --a------ C:\WINDOWS\system32\VBAJET.DLL
2007-01-26 20:05 18,944 --a------ C:\WINDOWS\system32\IMPLODE.DLL
2007-01-26 20:05 18,240 --a------ C:\WINDOWS\system32\MSJETINT.DLL
2007-01-26 20:05 17,760 --a------ C:\WINDOWS\system32\DBCS2016.DLL
2007-01-26 20:05 147,632 --a------ C:\WINDOWS\system32\MFCOLEUI.DLL
2007-01-26 20:05 14,256 --a------ C:\WINDOWS\system32\VAJP2.DLL
2007-01-26 20:05 133,120 --a------ C:\WINDOWS\system32\P2SODBC.DLL
2007-01-26 20:05 124,416 --a------ C:\WINDOWS\system32\MSCmCJP.dll
2007-01-26 20:05 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-01-26 20:05 12,976 --a------ C:\WINDOWS\system32\SCP.DLL
2007-01-26 20:05 11,344 --a------ C:\WINDOWS\system32\MSJETERR.DLL
2007-01-26 20:05 106,496 --a------ C:\WINDOWS\system32\W32mkrc.dll
2007-01-26 20:05 1,847,808 --a------ C:\WINDOWS\system32\CRPE32.DLL
2007-01-26 20:05 1,378,560 --a------ C:\WINDOWS\system32\VBA2.DLL
2007-01-26 20:05 1,124,880 --a------ C:\WINDOWS\system32\CRPE.DLL
2007-01-26 20:05 1,072,704 --a------ C:\WINDOWS\system32\MSAJT200.DLL
2007-01-26 20:05 1,046,288 --a------ C:\WINDOWS\system32\MSJET35.DLL
2007-01-26 20:05 <DIR> d-------- C:\WINDOWS\CRYSTAL
2007-01-26 19:52 <DIR> d-------- C:\Nissan
2007-01-26 11:20 935,632 --a------ C:\WINDOWS\system\VB40016.DLL
2007-01-26 11:20 9,728 --a------ C:\WINDOWS\system\VXFTXTJP.DLL
2007-01-26 11:20 9,728 --a------ C:\WINDOWS\system\VXFRECJP.DLL
2007-01-26 11:20 9,728 --a------ C:\WINDOWS\system\VXFDIFJP.DLL
2007-01-26 11:20 9,728 --a------ C:\WINDOWS\system\VXDDSKJP.DLL
2007-01-26 11:20 86,848 --a------ C:\WINDOWS\system\VBDB16.DLL
2007-01-26 11:20 85,008 --a------ C:\WINDOWS\system\PDSODBC.DLL
2007-01-26 11:20 65,056 --a------ C:\WINDOWS\system\PDBDAO.DLL
2007-01-26 11:20 57,328 --a------ C:\WINDOWS\system\OLE2CONV.DLL
2007-01-26 11:20 543,744 --a------ C:\WINDOWS\system\DAO2516.DLL
2007-01-26 11:20 536,048 --a------ C:\WINDOWS\system\OC25.DLL
2007-01-26 11:20 51,712 --a------ C:\WINDOWS\system\OLE2PROX.DLL
2007-01-26 11:20 5,120 --a------ C:\WINDOWS\system\STKIT416.DLL
2007-01-26 11:20 4,288 --a------ C:\WINDOWS\system\QDBDAOJP.DLL
2007-01-26 11:20 4,176 --a------ C:\WINDOWS\system\QDRDAOJP.DLL
2007-01-26 11:20 4,176 --a------ C:\WINDOWS\system\QDCDAOJP.DLL
2007-01-26 11:20 39,424 --a------ C:\WINDOWS\system\UXFTEXT.DLL
2007-01-26 11:20 38,400 --a------ C:\WINDOWS\system\OC25JPN.DLL
2007-01-26 11:20 37,888 --a------ C:\WINDOWS\system\UXFSEPV.DLL
2007-01-26 11:20 36,560 --a------ C:\WINDOWS\system\PDIRDAO.DLL
2007-01-26 11:20 35,840 --a------ C:\WINDOWS\system\UXFDIF.DLL
2007-01-26 11:20 33,792 --a------ C:\WINDOWS\system\UXFREC.DLL
2007-01-26 11:20 33,456 --a------ C:\WINDOWS\system\PDCTDAO.DLL
2007-01-26 11:20 304,640 --a------ C:\WINDOWS\system\OLE2.DLL
2007-01-26 11:20 3,760 --a------ C:\WINDOWS\system\WBTRVRES.DLL
2007-01-26 11:20 3,626 --a------ C:\WINDOWS\system\WBT32RES.DLL
2007-01-26 11:20 28,041 --a------ C:\WINDOWS\system\OLE2.REG
2007-01-26 11:20 27,632 --a------ C:\WINDOWS\system\CTL3DV2.DLL
2007-01-26 11:20 27,136 --a------ C:\WINDOWS\system\UXDDISK.DLL
2007-01-26 11:20 247,296 --a------ C:\WINDOWS\system\GRDKRN16.DLL
2007-01-26 11:20 23,904 --a------ C:\WINDOWS\system\VB4JP16.DLL
2007-01-26 11:20 22,398 --a------ C:\WINDOWS\system\CRXLATE.DLL
2007-01-26 11:20 217 --a------ C:\WINDOWS\system\DAO16.REG
2007-01-26 11:20 20,496 --a------ C:\WINDOWS\system\PDBBND.DLL
2007-01-26 11:20 2,920 --a------ C:\WINDOWS\system\VBAJET.DLL
2007-01-26 11:20 18,240 --a------ C:\WINDOWS\system\MSJETINT.DLL
2007-01-26 11:20 177,824 --a------ C:\WINDOWS\system\TYPELIB.DLL
2007-01-26 11:20 17,760 --a------ C:\WINDOWS\system\DBCS2016.DLL
2007-01-26 11:20 17,658 --a------ C:\WINDOWS\system\WBTRLOCL.DLL
2007-01-26 11:20 165,008 --a------ C:\WINDOWS\system\OLE2DISP.DLL
2007-01-26 11:20 16,066 --a------ C:\WINDOWS\system\WBTRCALL.DLL
2007-01-26 11:20 157,696 --a------ C:\WINDOWS\system\STORAGE.DLL
2007-01-26 11:20 152,976 --a------ C:\WINDOWS\system\OLE2NLS.DLL
2007-01-26 11:20 14,336 --a------ C:\WINDOWS\system\QDSODBJP.DLL
2007-01-26 11:20 12,976 --a------ C:\WINDOWS\system\SCP.DLL
2007-01-26 11:20 11,344 --a------ C:\WINDOWS\system\MSJETERR.DLL
2007-01-26 11:20 109,056 --a------ C:\WINDOWS\system\COMPOBJ.DLL
2007-01-26 11:20 10,240 --a------ C:\WINDOWS\system\VXFSPVJP.DLL
2007-01-26 11:20 1,124,880 --a------ C:\WINDOWS\system\CRPE.DLL
2007-01-26 11:20 1,072,704 --a------ C:\WINDOWS\system\MSAJT200.DLL
2007-01-26 11:20 <DIR> d-------- C:\DOCUME~1\SHAUNE~1\WINDOWS
2007-01-25 13:06 14 --a------ C:\DOCUME~1\SHAUNE~1\getfile.dat
2007-01-24 18:53 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-24 14:02 <DIR> d-------- C:\Program Files\Mozilla Thunderbird Beta 2
2007-01-24 14:02 <DIR> d-------- C:\DOCUME~1\SHAUNE~1\Application Data\Thunderbird
2007-01-24 10:51 <DIR> d-------- C:\WINDOWS\JM
2007-01-23 21:08 <DIR> d-------- C:\Program Files\Ahead
2007-01-23 12:05 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-01-23 11:57 40,960 --a------ C:\Program Files\Uninstall_CDS.exe
2007-01-23 11:02 96,256 --a------ C:\WINDOWS\system32\drivers\sptd9117.sys
2007-01-23 11:02 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-01-23 10:18 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL
2007-01-19 12:53 51,056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-15 15:55 136,976 --a------ C:\WINDOWS\system32\SfxBar.dll
2007-01-15 10:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-13 17:37 <DIR> d-------- C:\DOCUME~1\SHAUNE~1\Application Data\SmartFTP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-13 10:51 -------- d-------- C:\Program Files\java
2007-02-12 21:43 -------- d-------- C:\DOCUME~1\SHAUNE~1\Application Data\utorrent
2007-02-10 12:40 -------- d-------- C:\DOCUME~1\SHAUNE~1\Application Data\openoffice.org2
2007-02-07 14:31 -------- d-------- C:\Program Files\msn messenger
2007-02-03 11:08 -------- d--h----- C:\Program Files\installshield installation information
2007-02-02 16:31 -------- d---s---- C:\DOCUME~1\SHAUNE~1\Application Data\microsoft
2007-01-24 18:54 2508 --a------ C:\DOCUME~1\SHAUNE~1\Application Data\$_hpcst$.hpc
2007-01-24 14:20 -------- d-------- C:\Program Files\Common Files\ahead
2007-01-24 10:03 437760 --a------ C:\WINDOWS\rapidui.exe
2007-01-15 10:55 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-15 10:54 -------- d-------- C:\DOCUME~1\SHAUNE~1\Application Data\adobeum
2007-01-12 15:00 -------- d-------- C:\DOCUME~1\SHAUNE~1\Application Data\google
2007-01-09 17:37 -------- d-------- C:\Program Files\windows desktop search
2007-01-08 09:21 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-04 16:21 1024 --a------ C:\WINDOWS\system32\pwdremover.dat
2007-01-02 15:42 21504 --a------ C:\WINDOWS\jestertb.dll
2006-12-29 22:00 -------- d-------- C:\Program Files\openoffice.org 2.1
2006-12-08 11:17 73216 --a------ C:\WINDOWS\st6unst.exe
2006-12-07 13:50 39424 --a------ C:\WINDOWS\zipinst.exe
2006-11-27 03:45 60416 --a------ C:\WINDOWS\system32\tzchange.exe
2006-11-13 01:02 36352 --a------ C:\WINDOWS\system32\tsgqec.dll
2006-11-13 01:02 288768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2006-11-13 01:02 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
2006-11-13 01:02 116736 --a------ C:\WINDOWS\system32\aaclient.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Eraser"="\"E:\\program files\\Eraser\\eraser.exe\" -hide"
"H/PC Connection Agent"="\"E:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="c:\\PROGRA~1\\softwin\\BITDEF~1\\bdmcon.exe"
"BDNewsAgent"="\"c:\\program files\\softwin\\bitdefender8\\bdnagent.exe\""
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=""
"{010FF400-8DFB-439D-987B-DCDE5195F4D8}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-13 14:50:55

Silent Runners Log File:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Eraser" = ""E:\program files\Eraser\eraser.exe" -hide" ["Heidi Computers Ltd"]
"H/PC Connection Agent" = ""E:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BDMCon" = "c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]
"BDNewsAgent" = ""c:\program files\softwin\bitdefender8\bdnagent.exe"" [null data]
"QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2F85D76C-0569-466F-A488-493E6BD0E955}\(Default) = (no title provided)
-> {HKLM...CLSID} = "dsWebAllowBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\dsWebAllow.dll" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "E:\program files\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "E:\program files\SetPoint\mcplext.dll" ["Logitech Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Deskbar"
-> {HKCU...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{D426CFD0-87FC-4906-98D9-A23F5D515D61}" = "Windows Desktop Search Outlook Express ISearchFolder Class"
-> {HKLM...CLSID} = "Windows Desktop Search Outlook Express SearchProtocol Class"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\OEPH.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\Wcesview.dll" [MS]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {HKLM...CLSID} = "FTP Explorer Shell Extension"
\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{F0F08737-0C36-101B-B086-0020AF07D0F4}" = "Quick View Plus - Shell Extension object"
-> {HKLM...CLSID} = "Quick View Plus - Shell Extension object"
\InProcServer32\(Default) = "E:\PROGRA~1\QUICKV~1\PROGRAM\QVPSE3.DLL" ["Stellent, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
<<!>> "{0cab0400-7395-11d0-a5e5-0020afe2fdd9}" = (no title provided)
-> {HKLM...CLSID} = "Quick View Plus - ShellExecute Hook"
\InProcServer32\(Default) = "qvphook.dll" ["Stellent, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
QuickViewPlusMenu\(Default) = "{F0F08737-0C36-101B-B086-0020AF07D0F4}"
-> {HKLM...CLSID} = "Quick View Plus - Shell Extension object"
\InProcServer32\(Default) = "E:\PROGRA~1\QUICKV~1\PROGRAM\QVPSE3.DLL" ["Stellent, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickViewPlusMenu\(Default) = "{F0F08737-0C36-101B-B086-0020AF07D0F4}"
-> {HKLM...CLSID} = "Quick View Plus - Shell Extension object"
\InProcServer32\(Default) = "E:\PROGRA~1\QUICKV~1\PROGRAM\QVPSE3.DLL" ["Stellent, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKCU\Software\Classes\.bat\(Default) = (value not set)

HKCU\Software\Classes\.cmd\(Default) = (value not set)

HKCU\Software\Classes\.com\(Default) = (value not set)

HKCU\Software\Classes\.exe\(Default) = "exefile"

HKCU\Software\Classes\.hta\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Shaun Einboden\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Shaun Einboden" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"APC UPS Status" -> shortcut to: "E:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]
"Logitech SetPoint" -> shortcut to: "E:\program files\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Windows Desktop Search" -> shortcut to: "C:\Program Files\Windows Desktop Search\WindowsSearch.exe /startup" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\INetRepl.dll" [MS]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

APC UPS Service, APC UPS Service, "E:\program files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
MLMON__Q\Driver = "MLMON__Q.DLL" ["KONICA MINOLTA BUSINESS TECHNOLOGIES, INC."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 46 seconds, including 24 seconds for message boxes)
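The Silent Runners report above marks launch points with `<<!>>` (its footer defines that as "suspicious data at a malware launch point") and tags each target with its publisher, `[file not found]` or `[null data]`. What a responder actually wants from such a report is a short review list: the flagged entries together with the DLL they resolve to and whether a publisher was identified, so that a signed vendor component (the Windows Desktop Search hook, the Webroot logon notifier) is verified rather than deleted on sight, while an orphaned entry such as the empty `svchost.exe` value under `Policies\Explorer\Run` goes to the top of the list. The following Python script is an added example, not part of this thread, of Silent Runners, or of BleepingComputer; its input is a constructed sample made of lines copied from the report, and the `review first` / `publisher present` labels are this example's own convention.

```python
import re

# Constructed sample input: lines copied from the Silent Runners report posted in
# this thread, trimmed to the sections the triage below looks at.
SAMPLE_REPORT = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BDNewsAgent" = ""c:\program files\softwin\bitdefender8\bdnagent.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
<<!>> "{0cab0400-7395-11d0-a5e5-0020afe2fdd9}" = (no title provided)
-> {HKLM...CLSID} = "Quick View Plus - ShellExecute Hook"
\InProcServer32\(Default) = "qvphook.dll" ["Stellent, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
"""

# A registry key header: "HKxx\...\" optionally followed by " {++}".
KEY_RE = re.compile(r"^(HK[A-Z]{2}\\.*\\)(?: \{\+\+\})?$")
# The trailing bracketed tag Silent Runners appends to a target: "[MS]",
# "[file not found]", "[null data]" or a quoted company name.
TAG_RE = re.compile(r"\[([^\]]*)\]\s*$")
# Tags that mean the target could not be identified from its version info.
UNRESOLVED_TAGS = {"file not found", "null data", ""}


def _tag(text):
    m = TAG_RE.search(text or "")
    return m.group(1) if m else ""


def classify(finding):
    """Labels assumed by this example: an entry whose target has no publisher
    goes to the top of the review list; the rest are shown with their publisher
    so the reader verifies them instead of deleting on sight."""
    tag = _tag(finding["target"])
    if tag in UNRESOLVED_TAGS:
        return "review first"
    return "publisher present: " + tag.strip('"')


def triage(report):
    """Return the launch-point entries worth a second look, in report order."""
    findings = []
    current_key = None
    pending = None  # a <<!>> entry still waiting for its \InProcServer32 line
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            pending = None
            continue
        if line.startswith("<<!>>"):
            entry = line[len("<<!>>"):].strip()
            name, _, value = entry.partition(" = ")
            name = name.strip('"').split("\\")[0]  # "WRNotifier\DLLName" -> "WRNotifier"
            pending = {"key": current_key, "name": name,
                       "reason": "marked <<!>> by Silent Runners", "target": None}
            findings.append(pending)
            if "\\DLLName" in entry:  # Winlogon\Notify carries the DLL on the same line
                pending["target"] = value
                pending = None
            continue
        if line.startswith("\\InProcServer32") and pending is not None:
            pending["target"] = line.partition(" = ")[2]
            pending = None
            continue
        tag = _tag(line)
        if tag in ("file not found", "null data"):
            name, _, value = line.partition(" = ")
            findings.append({"key": current_key, "name": name.strip('"'),
                             "reason": tag, "target": value})
    for f in findings:
        f["priority"] = classify(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['priority']:45} {f['key']}{f['name']}  ({f['reason']})")
```

Run against the sample, the empty `svchost.exe` value and the `[null data]` BitDefender entry come out as `review first`, while the four `<<!>>` entries are listed with the publisher Silent Runners found for their DLL. `[null data]` only means the file carried no version information, which is why the list is a prompt to check the path (here the BitDefender install directory) rather than a verdict.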

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 13 February 2007 - 03:43 PM

Find and delete:
C:\WINDOWS\system32\ifwprje.dll

*****************************

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply please.

****************************

When SpySweeper detects Virtumonde and spy cookie 2o7.net, does the program give any clues to their exact locations?

#9 Chnauz091382

Chnauz091382
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 13 February 2007 - 04:35 PM

Hi Richie....Yes, I should have looked deeper for the log file for Webroot Spy Sweeper. This time the search still found the Virtumonde trojan...but now instead of the 2o7.net spy cookie it's now found a tacoda cookie instead. Anyway, I will post the logs for you to take a peek at:

SUPERAntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
Generated 02/13/2007 at 04:18 PM

Application Version : 3.5.1016

Core Rules Database Version : 3183
Trace Rules Database Version: 1193

Scan type : Complete Scan
Total Scan Time : 00:21:29

Memory items scanned : 498
Memory threats detected : 0
Registry items scanned : 5711
Registry threats detected : 0
File items scanned : 32672
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Shaun Einboden\Cookies\shaun_einboden@adbrite[2].txt
C:\Documents and Settings\Shaun Einboden\Cookies\shaun_einboden@ads.adbrite[2].txt
C:\Documents and Settings\Shaun Einboden\Cookies\shaun_einboden@247realmedia[1].txt
C:\Documents and Settings\Shaun Einboden\Cookies\shaun_einboden@msnportal.112.2o7[1].txt

Webroot Spy Sweeper Log (the list runs from the bottom up):

4:27 PM: Removal process completed. Elapsed time 00:00:00
4:27 PM: Quarantining All Traces: tacoda cookie
4:27 PM: Quarantining All Traces: virtumonde
4:27 PM: Removal process initiated
4:27 PM: Traces Found: 2
4:27 PM: Custom Sweep has completed. Elapsed time 00:04:24
4:27 PM: File Sweep Complete, Elapsed Time: 00:02:42
4:26 PM: Warning: Failed to open file "c:\documents and settings\shaun einboden\local settings\application data\microsoft\messenger\chnauz@hotmail.com\sharingmetadata\pending.dat". The operation completed successfully
4:24 PM: Starting File Sweep
4:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:24 PM: c:\documents and settings\shaun einboden\cookies\shaun_einboden@tacoda[1].txt (ID = 6444)
4:24 PM: Found Spy Cookie: tacoda cookie
4:24 PM: Starting Cookie Sweep
4:24 PM: Registry Sweep Complete, Elapsed Time:00:00:07
4:24 PM: HKLM\system\controlset002\enum\root\legacy_com+_messages\ (ID = 1895874)
4:24 PM: Found Adware: virtumonde
4:24 PM: Starting Registry Sweep
4:24 PM: Memory Sweep Complete, Elapsed Time: 00:01:30
4:22 PM: Starting Memory Sweep
4:22 PM: Start Custom Sweep
4:22 PM: Sweep initiated using definitions version 858
4:22 PM: Spy Sweeper 5.3.1.2344 started
4:22 PM: | Start of Session, February 13, 2007 |
***************

The SpySweeper always quarantines the Virtumonde and cookie, but they keep appearing on scan even after I delete the quarantined file.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 13 February 2007 - 06:10 PM

First download and run Symantec's Adware.VirtuMonde Removal Tool:
http://securityresponse.symantec.com/avcenter/FxVMonde.exe

***************************

Download and scan with the free 15-day trial of Counterspy.
Once installed, launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into a Word/Text document, then save it to your desktop.

Post the whole contents of the Counterspy report into your next reply please.

#11 Chnauz091382

Chnauz091382
  • Topic Starter

  • Members
  • 9 posts

Posted 13 February 2007 - 07:16 PM

Hi Richie, the Symantec removal tool resulted in no infected files found. The other software that was to be downloaded picked up a few other things, but nothing in relation to the virtumonde trojan. Here is the log:

Scan History Details
Start Date: 13/02/2007 6:41:47 PM
End Date: 13/02/2007 6:53:10 PM
Total Time: 11 Min 23 Sec
Detected security risks

Cookie: 247RealMedia.com Cookie (General)
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\shaun einboden\cookies\shaun_einboden@247realmedia[2].txt


Desktop Links Adware (General)
Details: Desktop Links consists of various links and shortcuts placed on the desktop by adware and spyware programs. It includes folders and links placed in Internet Explorer's favorites list.
Status: Deleted

Files detected
C:\WINDOWS\system32\ClickToFindandFixErrors_Intl.ico

Hopefully my logs have been helpful enough for you to analyze.

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 19 February 2007 - 08:13 PM

Could you reboot and post a new HijackThis log, please.
Let me know how your pc is running now.

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 26 February 2007 - 07:30 AM

Due to the lack of feedback, this topic will be closed.
If you need this topic reopened, please email the moderating team; be sure to include the address of the thread and the name you posted under.