
Bho Keeps Coming Back


  • This topic is locked
11 replies to this topic

#1 EBurritt
Posted 16 April 2007 - 02:26 PM

I am having trouble getting rid of this BHO object.
Every time I manage to remove the dll and the BHO registry entry it comes back under a different name.
I have run Spybot, AdAware and Trend Micro AV.
Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:14 PM, on 04/16/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EWE594.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {69f07d1b-f8cd-4a36-8be1-9078121ccff8} - C:\WINDOWS\system32\csccfg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://hcasrv1.hca.local:4343/officescan/c...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://hcasrv1.hca.local:4343/officescan/c...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://hcasrv1.hca.local:4343/officescan/c.../RemoveCtrl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


#2 SifuMike (malware expert, Staff Emeritus)
Posted 18 April 2007 - 09:21 PM

Hello EBurritt,

I am SifuMike and I will be helping you. :thumbsup:

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

******************

Download ATF (Atribune Temp File) Cleaner © by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 EBurritt (Topic Starter)
Posted 23 April 2007 - 08:08 PM

Thanks for the assistance SifuMike.

A short update: I removed the latest BHO by having the offending dll removed after rebooting and removing the entry using HJT. The computer ran well for three days, after which another bho appeared under a different name and it began downloading trojans. Trend Micro VS appeared to quarantine them as they appeared. Here are some that were caught today:

TROJ_BHO.CM
WORM_NUWAR.AOO
TROJ_YAYIN..A
TROJ_CLICKER.PX
TROJ_AGENT.PVC
TSPY_SINOWAL.NAJ
TROJ_AGENT.PTV
TROJ_AGENT.NWL

All of these appeared and were quarantined by real time scan shortly after the bho appeared.

Also, I had a bit of trouble finding the ATF Cleaner, the link did not work, but I did find a copy somewhere else.

Under normal circumstances I would have just erased the computer and reloaded the software but this computer has a few apps on it that were difficult to get up and running. That is why I have been putting all the effort into trying to get it cleaned.

Here are the logs:

BitDefender Online Scanner

Scan report generated at: Mon, Apr 23, 2007 - 18:14:38

Scan path: A:\;C:\;D:\;

Statistics
Time: 01:00:30
Files: 426677
Folders: 3329
Boot Sectors: 4
Archives: 12358
Packed Files: 44626

Results
Identified Viruses: 4
Infected Files: 6
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 8

Engines Info
Virus Definitions: 487538
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPQFGTIJ\cent[1].exe - Infected with: Trojan.Peed.Gen; Disinfection failed; Deleted
C:\ie_updater.exe - Infected with: Trojan.Downloader.Delf.AIV; Disinfection failed; Deleted
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\vptray.exe=>(Quarantine-4) - Infected with: Trojan.AVKiller.Agent.E; Disinfection failed; Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000007.dll=>(Quarantine-4) - Infected with: Trojan.Downloader.Agent.XZV; Disinfection failed; Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\A0009954.exe - Infected with: Trojan.Downloader.Delf.AIV; Disinfection failed; Deleted
C:\WINDOWS\SYSTEM32\cent.exe - Infected with: Trojan.Peed.Gen; Disinfection failed; Deleted


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:39:59 PM 4/23/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\A0009964.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\A0009962.exe -> Not-A-Virus.Hoax.Win32.Renos.hm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0004804.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\windev-6c7d-4382.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\A0009966.dll -> Trojan.BHO.o : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 8:45:53 PM, on 04/23/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\CSDFF.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Edited by EBurritt, 23 April 2007 - 08:11 PM.
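The two HijackThis logs in this thread differ in exactly the places that matter: the unnamed BHO {69f07d1b-f8cd-4a36-8be1-9078121ccff8} backed by csccfg.dll is gone from the second log, yet a differently named executable is still running from C:\WINDOWS\TEMP (EWE594.EXE in the first log, CSDFF.EXE in the second). The following Python is an added example, not code from the thread or from HijackThis: it parses the process list and the lettered item lines, diffs two logs, and flags the two patterns the helper chased (executables launched from a TEMP directory, and "(no name)" BHOs whose CLSID is not on an allowlist). The allowlist and the heuristics are assumptions; the sample logs are abbreviated from the ones posted above.

```python
import re

# Constructed samples, abbreviated from the two HijackThis v1.99.1 logs posted in this
# thread (16 April and 23 April 2007). Only lines relevant to the comparison are kept.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\EWE594.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThes.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69f07d1b-f8cd-4a36-8be1-9078121ccff8} - C:\WINDOWS\system32\csccfg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\CSDFF.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThes.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# A HijackThis item line: section code (R1, O2, O4, O23, ...) then " - " then the body.
ITEM_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Body of an O2 line: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# An executable launched from a TEMP directory, as both posted logs show.
TEMP_EXE_RE = re.compile(r"\\TEMP\\[^\\]+\.EXE$", re.IGNORECASE)

# Assumption for this example: CLSIDs that legitimately appear as "(no name)".
# Spybot's SDHelper.dll (from the thread's logs) is the only entry.
KNOWN_NONAME_BHOS = {"53707962-6F74-2D53-2644-206D7942484F"}


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (section, body) items."""
    processes, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return {"processes": processes, "items": items}


def diff_logs(before, after):
    """Return (added, removed) lines between two parsed logs, processes included."""
    old = set(before["processes"]) | {f"{k} - {v}" for k, v in before["items"]}
    new = set(after["processes"]) | {f"{k} - {v}" for k, v in after["items"]}
    return sorted(new - old), sorted(old - new)


def flag_findings(parsed):
    """Flag the two patterns chased in this thread: TEMP executables and unnamed BHOs."""
    findings = []
    for proc in parsed["processes"]:
        if TEMP_EXE_RE.search(proc):
            findings.append(f"process running from a temp directory: {proc}")
    for section, body in parsed["items"]:
        if section != "O2":
            continue
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)" and m.group("clsid").upper() not in KNOWN_NONAME_BHOS:
            findings.append(f"unnamed BHO {{{m.group('clsid')}}} -> {m.group('path')}")
    return findings


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    added, removed = diff_logs(before, after)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("still suspicious:", *flag_findings(after), sep="\n  ")
```

Run against the full logs, the diff shows the BHO line leaving while a fresh TEMP executable appears, which is the signature of a dropper that survives the removal of its current payload.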


#4 SifuMike (malware expert, Staff Emeritus)
Posted 23 April 2007 - 10:25 PM

Hi EBurritt,

A short update: I removed the latest BHO by having the offending dll removed after rebooting and removing the entry using HJT. The computer ran good for three days, after which another bho appeared under a different name and it began downloading trojans.

Sounds like you did not remove the malware or you got reinfected. :thumbsup:
If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program.


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\TEMP\CSDFF.EXE

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the results of scan results here.

*******************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 23 April 2007 - 10:31 PM.


#5 EBurritt (Topic Starter)
Posted 24 April 2007 - 08:46 AM

Good day to you SifuMike,

I checked on the computer and there is not a file named CSDFF.EXE in the Windows\temp folder.
After doing a search for the file all that comes up is a csdff.exe-345734F8.pf in windows\prefetch.

Do I still run combofix without completing the first step you requested?

#6 EBurritt (Topic Starter)
Posted 24 April 2007 - 08:55 AM

Good day again SifuMike,

I checked the running processes and found that CSDFF.EXE is no longer running but there is a file called NR2E53.EXE located in Windows\Temp and it is now running as a process. I submitted that file to virustotal.

The results should be back shortly.

#7 EBurritt (Topic Starter)
Posted 24 April 2007 - 11:21 AM

Here are the results.

Complete scanning result of "NR2E53.EXE", received in VirusTotal at 04.24.2007, 15:47:56 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.25.0 04.24.2007 no virus found
AntiVir 7.4.0.14 04.24.2007 no virus found
Authentium 4.93.8 04.23.2007 no virus found
Avast 4.7.981.0 04.23.2007 no virus found
AVG 7.5.0.464 04.23.2007 no virus found
BitDefender 7.2 04.24.2007 no virus found
CAT-QuickHeal 9.00 04.23.2007 no virus found
ClamAV devel-20070416 04.24.2007 no virus found
DrWeb 4.33 04.24.2007 no virus found
eSafe 7.0.15.0 04.23.2007 no virus found
eTrust-Vet 30.7.3592 04.24.2007 no virus found
Ewido 4.0 04.24.2007 no virus found
FileAdvisor 1 04.24.2007 No threat detected
Fortinet 2.85.0.0 04.24.2007 no virus found
F-Prot 4.3.2.48 04.24.2007 no virus found
F-Secure 6.70.13030.0 04.24.2007 no virus found
Ikarus T3.1.1.5 04.24.2007 no virus found
Kaspersky 4.0.2.24 04.24.2007 no virus found
McAfee 5015 04.23.2007 no virus found
Microsoft 1.2405 04.24.2007 no virus found
NOD32v2 2215 04.24.2007 no virus found
Norman 5.80.02 04.24.2007 no virus found
Panda 9.0.0.4 04.23.2007 no virus found
Prevx1 V2 04.24.2007 no virus found
Sophos 4.16.0 04.23.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.24.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.23.2007 no virus found
VirusBuster 4.3.7:9 04.24.2007 no virus found
Webwasher-Gateway 6.0.1 04.24.2007 no virus found


Aditional Information
File size: 172099 bytes
MD5: 3d4a3262f183d37dcc975d933dd732fe
SHA1: 3247311c21078002cf1a635d8d2b7bce7ee0a38e
Bit9 info: http://fileadvisor.bit9.com/services/extin...c975d933dd732fe

ComboFix 07-04-24.2V - Running from: "C:\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\winhp32.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\gb
-------\ldrsvc
-------\LEGACY_GB
-------\LEGACY_LDRSVC
-------\LEGACY_WINCOM32


((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))


2007-04-24 10:35 1,059,019 --a------ C:\ComboFix.exe
2007-04-23 19:19 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-04-23 17:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-16 14:49 <DIR> d-------- C:\Program Files\HJT
2007-04-14 16:43 <DIR> d-------- C:\backups
2007-04-14 16:42 1,308,216 --a------ C:\HiJackThis_v2.exe
2007-04-13 18:46 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-13 18:46 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-13 18:46 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-04-13 18:46 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-04-13 18:46 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-04-13 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-13 17:38 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-13 16:11 81,920 --a------ C:\WINDOWS\SYSTEM32\isign32.dll
2007-04-13 16:11 81,920 --a------ C:\WINDOWS\SYSTEM32\ils.dll
2007-04-13 16:11 73,728 --a------ C:\WINDOWS\SYSTEM32\icwdial.dll
2007-04-13 16:11 73,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sr.sys
2007-04-13 16:11 69,632 --a------ C:\WINDOWS\SYSTEM32\msconf.dll
2007-04-13 16:11 679,424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-04-13 16:11 67,584 --a------ C:\WINDOWS\SYSTEM32\srclient.dll
2007-04-13 16:11 65,536 --a------ C:\WINDOWS\SYSTEM32\icwphbk.dll
2007-04-13 16:11 48,128 --a------ C:\WINDOWS\SYSTEM32\inetres.dll
2007-04-13 16:11 45,568 --a------ C:\WINDOWS\SYSTEM32\safrslv.dll
2007-04-13 16:11 43,520 --a------ C:\WINDOWS\SYSTEM32\safrcdlg.dll
2007-04-13 16:11 43,520 --a------ C:\WINDOWS\SYSTEM32\racpldlg.dll
2007-04-13 16:11 382,464 --a------ C:\WINDOWS\SYSTEM32\qmgr.dll
2007-04-13 16:11 34,560 --a------ C:\WINDOWS\SYSTEM32\mnmdd.dll
2007-04-13 16:11 32,768 --a------ C:\WINDOWS\SYSTEM32\mnmsrvc.exe
2007-04-13 16:11 32,768 --a------ C:\WINDOWS\SYSTEM32\isrdbg32.dll
2007-04-13 16:11 29,696 --a------ C:\WINDOWS\SYSTEM32\safrdm.dll
2007-04-13 16:11 28,672 --a------ C:\WINDOWS\SYSTEM32\nmmkcert.dll
2007-04-13 16:11 274,944 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2007-04-13 16:11 274,432 --a------ C:\WINDOWS\SYSTEM32\inetcfg.dll
2007-04-13 16:11 252,928 --a------ C:\WINDOWS\SYSTEM32\msoeacct.dll
2007-04-13 16:11 239,104 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2007-04-13 16:11 190,976 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2007-04-13 16:11 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-04-13 16:11 170,496 --a------ C:\WINDOWS\SYSTEM32\srsvc.dll
2007-04-13 16:11 12,288 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2007-04-13 16:11 105,984 --a------ C:\WINDOWS\SYSTEM32\msoert2.dll
2007-04-13 16:09 97,792 --a------ C:\WINDOWS\SYSTEM32\comrepl.dll
2007-04-13 16:09 956,416 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2007-04-13 16:09 93,696 --a------ C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2007-04-13 16:09 91,136 --a------ C:\WINDOWS\SYSTEM32\mtxoci.dll
2007-04-13 16:09 87,176 --a------ C:\WINDOWS\SYSTEM32\rdpwsx.dll
2007-04-13 16:09 85,504 --a------ C:\WINDOWS\SYSTEM32\catsrvps.dll
2007-04-13 16:09 8,704 --a------ C:\WINDOWS\SYSTEM32\fxsperf.dll
2007-04-13 16:09 72,192 --a------ C:\WINDOWS\SYSTEM32\fxscom.dll
2007-04-13 16:09 67,072 --a------ C:\WINDOWS\SYSTEM32\rdshost.exe
2007-04-13 16:09 655,360 --a------ C:\WINDOWS\SYSTEM32\mstscax.dll
2007-04-13 16:09 625,152 --a------ C:\WINDOWS\SYSTEM32\catsrvut.dll
2007-04-13 16:09 62,464 --a------ C:\WINDOWS\SYSTEM32\rdpclip.exe
2007-04-13 16:09 60,416 --a------ C:\WINDOWS\SYSTEM32\remotepg.dll
2007-04-13 16:09 60,416 --a------ C:\WINDOWS\SYSTEM32\colbact.dll
2007-04-13 16:09 6,656 --a------ C:\WINDOWS\SYSTEM32\wuauserv.dll
2007-04-13 16:09 6,656 --a------ C:\WINDOWS\SYSTEM32\fxsres.dll
2007-04-13 16:09 6,144 --a------ C:\WINDOWS\SYSTEM32\msdtc.exe
2007-04-13 16:09 58,880 --a------ C:\WINDOWS\SYSTEM32\msdtclog.dll
2007-04-13 16:09 58,880 --a------ C:\WINDOWS\SYSTEM32\licwmi.dll
2007-04-13 16:09 562,176 --a------ C:\WINDOWS\SYSTEM32\fxsst.dll
2007-04-13 16:09 56,320 --a------ C:\WINDOWS\SYSTEM32\servdeps.dll
2007-04-13 16:09 55,296 --a------ C:\WINDOWS\SYSTEM32\fxsevent.dll
2007-04-13 16:09 540,160 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2007-04-13 16:09 538,624 --a------ C:\WINDOWS\SYSTEM32\spider.exe
2007-04-13 16:09 498,688 --a------ C:\WINDOWS\SYSTEM32\clbcatq.dll
2007-04-13 16:09 452,096 --a------ C:\WINDOWS\SYSTEM32\fxsapi.dll
2007-04-13 16:09 44,544 --a------ C:\WINDOWS\SYSTEM32\tscupgrd.exe
2007-04-13 16:09 426,496 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2007-04-13 16:09 407,552 --a------ C:\WINDOWS\SYSTEM32\mstsc.exe
2007-04-13 16:09 400,384 --a------ C:\WINDOWS\SYSTEM32\fxsxp32.dll
2007-04-13 16:09 397,312 --a------ C:\WINDOWS\SYSTEM32\fxstiff.dll
2007-04-13 16:09 38,912 --a------ C:\WINDOWS\SYSTEM32\cfgbkend.dll
2007-04-13 16:09 347,136 --a------ C:\WINDOWS\SYSTEM32\hypertrm.dll
2007-04-13 16:09 343,040 --a------ C:\WINDOWS\SYSTEM32\mspaint.exe
2007-04-13 16:09 295,424 --a------ C:\WINDOWS\SYSTEM32\termsrv.dll
2007-04-13 16:09 285,184 --a------ C:\WINDOWS\SYSTEM32\fxscomex.dll
2007-04-13 16:09 27,136 --a------ C:\WINDOWS\SYSTEM32\fxsdrv.dll
2007-04-13 16:09 267,776 --a------ C:\WINDOWS\SYSTEM32\fxssvc.exe
2007-04-13 16:09 246,272 --a------ C:\WINDOWS\SYSTEM32\fxst30.dll
2007-04-13 16:09 23,552 --a------ C:\WINDOWS\SYSTEM32\fxsmon.dll
2007-04-13 16:09 23,552 --a------ C:\WINDOWS\SYSTEM32\fxsext32.dll
2007-04-13 16:09 229,376 --a------ C:\WINDOWS\SYSTEM32\fxscover.exe
2007-04-13 16:09 225,792 --a------ C:\WINDOWS\SYSTEM32\catsrv.dll
2007-04-13 16:09 21,896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tdtcp.sys
2007-04-13 16:09 20,480 --a------ C:\WINDOWS\SYSTEM32\qprocess.exe
2007-04-13 16:09 192,512 --a------ C:\WINDOWS\SYSTEM32\fxswzrd.dll
2007-04-13 16:09 19,968 --a------ C:\WINDOWS\SYSTEM32\rdpsnd.dll
2007-04-13 16:09 185,344 --a------ C:\WINDOWS\SYSTEM32\cmprops.dll
2007-04-13 16:09 183,808 --a------ C:\WINDOWS\SYSTEM32\accwiz.exe
2007-04-13 16:09 17,408 --a------ C:\WINDOWS\SYSTEM32\mmfutil.dll
2007-04-13 16:09 161,280 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2007-04-13 16:09 154,112 --a------ C:\WINDOWS\SYSTEM32\fxsui.dll
2007-04-13 16:09 147,968 --a------ C:\WINDOWS\SYSTEM32\rdchost.dll
2007-04-13 16:09 143,360 --a------ C:\WINDOWS\SYSTEM32\fxsclnt.exe
2007-04-13 16:09 140,800 --a------ C:\WINDOWS\SYSTEM32\sessmgr.exe
2007-04-13 16:09 139,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
2007-04-13 16:09 131,584 --a------ C:\WINDOWS\SYSTEM32\sndrec32.exe
2007-04-13 16:09 13,824 --a------ C:\WINDOWS\SYSTEM32\rdsaddin.exe
2007-04-13 16:09 124,184 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-04-13 16:09 123,392 --a------ C:\WINDOWS\SYSTEM32\mplay32.exe
2007-04-13 16:09 12,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tdpipe.sys
2007-04-13 16:09 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2007-04-13 16:09 11,776 --a------ C:\WINDOWS\SYSTEM32\xolehlp.dll
2007-04-13 16:09 11,264 --a------ C:\WINDOWS\SYSTEM32\icaapi.dll
2007-04-13 16:09 102,912 --a------ C:\WINDOWS\SYSTEM32\clipbrd.exe
2007-04-13 16:09 1,343,768 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-04-13 16:09 1,267,200 --a------ C:\WINDOWS\SYSTEM32\comsvcs.dll
2007-04-13 16:08 6,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
2007-04-13 16:08 52,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmusic.sys
2007-04-13 16:07 57,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2007-04-13 16:05 4,096 --a------ C:\WINDOWS\SYSTEM32\ksuser.dll
2007-04-13 16:04 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2007-04-13 16:04 196,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2007-04-13 16:02 74,752 --a------ C:\WINDOWS\SYSTEM32\storprop.dll
2007-04-13 16:02 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-04-13 16:02 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-04-13 16:02 11,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\irenum.sys
2007-04-13 11:39 <DIR> d-------- C:\Program Files\F-Group
2007-04-12 19:39 95,424 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnthal.sys
2007-04-12 19:39 9,728 --------- C:\WINDOWS\SYSTEM32\comsdupd.exe
2007-04-12 19:39 870,784 --a------ C:\WINDOWS\SYSTEM32\ati3d1ag.dll
2007-04-12 19:39 86,016 --------- C:\WINDOWS\SYSTEM32\mdmxsdk.dll
2007-04-12 19:39 78,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usbvideo.sys
2007-04-12 19:39 73,832 --------- C:\WINDOWS\SYSTEM32\slcoinst.dll
2007-04-12 19:39 73,796 --------- C:\WINDOWS\SYSTEM32\slserv.exe
2007-04-12 19:39 73,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atintuxx.sys
2007-04-12 19:39 685,056 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfcxts2.sys
2007-04-12 19:39 63,663 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1rvxx.sys
2007-04-12 19:39 63,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinxsxx.sys
2007-04-12 19:39 59,648 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rfcomm.sys
2007-04-12 19:39 57,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinbtxx.sys
2007-04-12 19:39 56,623 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1btxx.sys
2007-04-12 19:39 52,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys
2007-04-12 19:39 46,464 --------- C:\WINDOWS\SYSTEM32\DRIVERS\gagp30kx.sys
2007-04-12 19:39 452,736 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtxparhm.sys
2007-04-12 19:39 44,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\uagp35.sys
2007-04-12 19:39 404,990 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slntamr.sys
2007-04-12 19:39 40,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\irbus.sys
2007-04-12 19:39 4,255 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv01nt5.dll
2007-04-12 19:39 397,056 --------- C:\WINDOWS\SYSTEM32\s3gnb.dll
2007-04-12 19:39 38,016 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthmodem.sys
2007-04-12 19:39 377,984 --a------ C:\WINDOWS\SYSTEM32\ati2dvaa.dll
2007-04-12 19:39 36,463 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1tuxx.sys
2007-04-12 19:39 35,456 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthprint.sys
2007-04-12 19:39 34,735 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xsxx.sys
2007-04-12 19:39 327,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2007-04-12 19:39 32,866 --------- C:\WINDOWS\SYSTEM32\slrundll.exe
2007-04-12 19:39 32,866 --------- C:\WINDOWS\slrundll.exe
2007-04-12 19:39 32,768 --------- C:\WINDOWS\SYSTEM32\ativtmxx.dll
2007-04-12 19:39 32,285 --------- C:\WINDOWS\SYSTEM32\hsfcisp2.dll
2007-04-12 19:39 31,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinxbxx.sys
2007-04-12 19:39 30,671 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1raxx.sys
2007-04-12 19:39 30,080 --------- C:\WINDOWS\SYSTEM32\DRIVERS\rndismpx.sys
2007-04-12 19:39 3,967 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv02nt5.dll
2007-04-12 19:39 3,901 --------- C:\WINDOWS\SYSTEM32\DRIVERS\siint5.dll
2007-04-12 19:39 3,775 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv11nt5.dll
2007-04-12 19:39 3,711 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv09nt5.dll
2007-04-12 19:39 3,647 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv07nt5.dll
2007-04-12 19:39 3,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv05nt5.dll
2007-04-12 19:39 3,135 --------- C:\WINDOWS\SYSTEM32\DRIVERS\adv08nt5.dll
2007-04-12 19:39 29,455 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1xbxx.sys
2007-04-12 19:39 286,792 --------- C:\WINDOWS\SYSTEM32\slextspk.dll
2007-04-12 19:39 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinsnxx.sys
2007-04-12 19:39 274,304 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2007-04-12 19:39 26,367 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1snxx.sys
2007-04-12 19:39 25,600 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hidbth.sys
2007-04-12 19:39 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv10nt.sys
2007-04-12 19:39 25,471 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv04nt5.dll
2007-04-12 19:39 220,032 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfbs2s2.sys
2007-04-12 19:39 22,271 --------- C:\WINDOWS\SYSTEM32\DRIVERS\watv06nt.sys
2007-04-12 19:39 21,343 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1ttxx.sys
2007-04-12 19:39 21,183 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv01nt5.dll
2007-04-12 19:39 188,508 --------- C:\WINDOWS\SYSTEM32\slgen.dll
2007-04-12 19:39 180,360 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ntmtlfax.sys
2007-04-12 19:39 18,944 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthusb.sys
2007-04-12 19:39 17,279 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv10nt5.dll
2007-04-12 19:39 17,024 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthenum.sys
2007-04-12 19:39 166,912 --------- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys
2007-04-12 19:39 15,423 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ch7xxnt5.dll
2007-04-12 19:39 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidir.sys
2007-04-12 19:39 14,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys
2007-04-12 19:39 14,143 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv06nt5.dll
2007-04-12 19:39 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinttxx.sys
2007-04-12 19:39 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys
2007-04-12 19:39 13,776 --------- C:\WINDOWS\SYSTEM32\DRIVERS\recagent.sys
2007-04-12 19:39 13,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wacompen.sys
2007-04-12 19:39 13,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slwdmsup.sys
2007-04-12 19:39 129,535 --------- C:\WINDOWS\SYSTEM32\DRIVERS\slnt7554.sys
2007-04-12 19:39 126,686 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlmnt5.sys
2007-04-12 19:39 12,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mutohpen.sys
2007-04-12 19:39 12,672 --------- C:\WINDOWS\SYSTEM32\DRIVERS\usb8023x.sys
2007-04-12 19:39 12,047 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1pdxx.sys
2007-04-12 19:39 11,935 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv11nt.sys
2007-04-12 19:39 11,871 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv09nt.sys
2007-04-12 19:39 11,868 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mdmxsdk.sys
2007-04-12 19:39 11,807 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv07nt.sys
2007-04-12 19:39 11,615 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati1mdxx.sys
2007-04-12 19:39 11,359 --------- C:\WINDOWS\SYSTEM32\DRIVERS\atv02nt5.dll
2007-04-12 19:39 11,325 --------- C:\WINDOWS\SYSTEM32\DRIVERS\vchnt5.dll
2007-04-12 19:39 11,295 --------- C:\WINDOWS\SYSTEM32\DRIVERS\wadv08nt.sys
2007-04-12 19:39 104,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys
2007-04-12 19:39 100,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthpan.sys
2007-04-12 19:39 1,737,856 --------- C:\WINDOWS\SYSTEM32\mtxparhd.dll
2007-04-12 19:39 1,309,184 --------- C:\WINDOWS\SYSTEM32\DRIVERS\mtlstrm.sys
2007-04-12 19:39 1,041,536 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hsfdpsp2.sys
2007-04-12 19:36 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-12 19:10 <DIR> d-------- C:\Program Files\RegCure
2007-04-10 16:53 <DIR> d---s---- C:\DOCUME~1\DeniseT\UserData
2007-04-10 16:49 <DIR> d-------- C:\DOCUME~1\DeniseT\APPLIC~1\Lavasoft
2007-04-10 16:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-10 16:18 <DIR> d-------- C:\WINDOWS\pss
2007-04-10 15:26 <DIR> d-------- C:\avenger
2007-04-10 15:18 60,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\yi^mpmc^.sys
2007-04-10 11:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-10 10:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-09 15:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-04-09 14:26 <DIR> d-------- C:\WINDOWS\bak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 15:49 -------- d-------- C:\Program Files\quicktime
2007-04-13 17:06 -------- d-------- C:\Program Files\windows nt
2007-04-13 17:06 -------- d-------- C:\Program Files\movie maker
2007-04-13 16:10 23428 --a------ C:\WINDOWS\SYSTEM32\emptyregdb.dat
2007-04-10 15:23 402 --a------ C:\Program Files\kbtajhol.txt
2007-03-21 07:07 -------- d-------- C:\Program Files\messenger
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
"DisablePersonalDirChange"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-24 10:39:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-24 10:39:43
C:\ComboFix-quarantined-files.txt ... 07-04-24 10:39
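The ComboFix log above shows the three BHO CLSIDs that should remain on this machine (Adobe, Spybot's SDHelper and DriveLetterAccess). Because the unwanted BHO kept reappearing under a new DLL name, a CLSID or filename check alone is not enough; the useful check is to resolve every registered BHO to its DLL, hash it and look at its signature, so a renamed copy is still recognised. The script below is an added example written for this thread, not a tool posted by either participant; it assumes Windows PowerShell 4.0 or later (for Get-FileHash), an elevated session on the affected machine, and that the known-good CLSID list is maintained by you.

```powershell
# Added example (not from the original thread): enumerate Internet Explorer
# Browser Helper Objects, resolve each CLSID to its DLL via InprocServer32,
# and record file hashes and Authenticode status. Assumes PowerShell 4+ and
# an elevated session; the known-good list below is taken from the ComboFix
# "Reg Loading Points" section in this thread and is an assumption for other hosts.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# CLSIDs seen as legitimate in the log above (Adobe PDF Link Helper, Spybot SDHelper, DriveLetterAccess)
$knownGood = @(
    '{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}',
    '{53707962-6F74-2D53-2644-206D7942484F}',
    '{5CA3D70E-1895-11CF-8E15-001234567890}'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The BHO key only names the CLSID; the DLL path lives under CLSID\{...}\InprocServer32
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'   # per-user COM registration is a common hiding place
    )
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

$results = foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $dll    = Resolve-BhoDll -Clsid $clsid
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $md5 = $sha1 = $sig = $null
        if ($exists) {
            $md5  = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
            $sha1 = (Get-FileHash -LiteralPath $dll -Algorithm SHA1).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        }
        [pscustomobject]@{
            Hive      = $bhoKey.Split(':')[0]
            CLSID     = $clsid
            KnownGood = ($knownGood -contains $clsid)
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
            MD5       = $md5
            SHA1      = $sha1
        }
    }
}

# Unknown CLSIDs first, so anything not on the list stands out
$results | Sort-Object KnownGood | Format-Table -AutoSize
```

Run it before and after a cleanup and diff the two outputs: a new CLSID, an unsigned DLL, or a DLL living in %TEMP%, the Windows root or a user profile is the line to investigate, and an identical hash under a new filename is the "comes back under a different name" behaviour the first post describes. A BHO that is re-created after deletion is normally being re-dropped by something with its own persistence (a service, a driver or a scheduled task), which is why the Drivers/Services entries ComboFix removed above matter more than the DLL itself.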

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:25 AM

Posted 24 April 2007 - 12:10 PM

Hello EBurritt,

Please post a fresh Hijackthis log and tell me how the computer is running. Are you still getting the same warnings from Trend Micro VS?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 EBurritt

EBurritt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 24 April 2007 - 01:44 PM

Good Day SifuMike,

Thanks for the speedy response.
Here is a current log.

The user says that everything is running fine right now.
Looking at the AV server logs we haven't had an infection since early this morning.
That was before I ran combofix.

I also found that the NR2E53 file was associated with Trend Micro VS.

Logfile of HijackThis v1.99.1
Scan saved at 2:34:49 PM, on 04/24/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\NR2E53.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Hijackthis\HijackThes.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://hcasrv1.hca.local:4343/officescan/c...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://hcasrv1.hca.local:4343/officescan/c...stall/setup.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://hcasrv1.hca.local:4343/officescan/c.../RemoveCtrl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Edited by EBurritt, 24 April 2007 - 02:29 PM.


#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:25 AM

Posted 24 April 2007 - 02:20 PM

Hi EBurritt,

Your log looks clean! :thumbsup:

Please read and follow How did I get infected?, With steps so it does not happen again!

#11 EBurritt

EBurritt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:25 PM

Posted 24 April 2007 - 02:30 PM

Thanks for the help SifuMike.

I will keep an eye on it for the next few days just to make sure it stays gone this time.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:25 AM

Posted 28 April 2007 - 02:46 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
