Could Somebody Just Check This Log For Me, Thanks.


13 replies to this topic

#1 vodkaparrot (Members, 68 posts)

Posted 19 May 2007 - 05:05 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:59:48, on 19/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{52BBCE8C-8E39-46E1-B1DC-57E1D60DE370}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
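
A small parser for HijackThis 1.99.x lines like the ones in the log above, added here as a worked example; it is not code from the thread, from HijackThis or from BleepingComputer. It splits each line into its section code (O2, O4, O16, O23 and so on, which are HijackThis's own) and body, then applies the kind of triage a responder does by eye: an entry whose target file is gone, an autorun started by bare file name (resolved through the PATH search order), rundll32 loading a DLL with a random-looking name, a service with no vendor string, and an ActiveX download from a host other than the MSN/Microsoft ones this user actually uses. The sample lines are copied from the logs in this thread; every heuristic, threshold and reason string is this example's own assumption, and a hit means "look closer", not "malware". CTHELPER.EXE, for instance, is flagged only because it is started by bare name; the ComboFix log later in the thread resolves it to C:\WINDOWS\system32\CTHELPER.EXE, which is exactly the check a responder makes before calling it anything.

```python
"""
HijackThis log triage. Added example for this thread; not code from the
original post, from HijackThis or from BleepingComputer. Section codes
(O2, O4, O16, O23 ...) are HijackThis's own; every heuristic below and the
wording of its reasons are this example's assumptions.
"""
import re

# Constructed sample: lines copied from the HijackThis logs in this thread and
# from the 'HijackThis Backups' section of the ComboFix log further down.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [rvykmwe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rvykmwe.dll,oqjpssd
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^\s",]+\.dll)', re.IGNORECASE)
BARE_EXE_RE = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)
# Assumption: the only ActiveX hosts this particular user legitimately pulls from.
TRUSTED_DPF_SUFFIXES = (".msn.com", ".microsoft.com")


def looks_random(filename: str) -> bool:
    """Crude entropy stand-in: 5+ letters with fewer than 20% vowels reads as
    machine-generated (assumption; 'rvykmwe' hits, 'regscan' does not)."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def parse(log_text: str) -> list:
    """Split a log into {'code', 'body', 'line'} records, skipping the header
    and 'Running processes' lines, which carry no section code."""
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append({"code": m["code"], "body": m["body"], "line": raw.strip()})
    return records


def triage(record: dict) -> list:
    """Reasons an entry deserves a second look; an empty list means nothing noted."""
    code, body = record["code"], record["body"]
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if code == "O4":
        target = body.split("] ", 1)[1] if "] " in body else body
        m = RUNDLL_RE.search(target)
        if m and looks_random(m["dll"].rsplit("\\", 1)[-1]):
            reasons.append("rundll32 loads a DLL with a random-looking name")
        if BARE_EXE_RE.match(target.strip('"')):
            reasons.append("autorun by bare file name, resolved through the PATH search order")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor string")
    if code == "O16" and " - http" in body:
        url = body.rsplit(" - ", 1)[-1]
        host = url.split("/")[2].lower()
        if not host.endswith(TRUSTED_DPF_SUFFIXES):
            reasons.append(f"ActiveX control downloaded from third-party host {host}")
    return reasons


def report(log_text: str) -> dict:
    """Map each flagged log line to its list of reasons."""
    return {r["line"]: reasons for r in parse(log_text) if (reasons := triage(r))}


if __name__ == "__main__":
    for line, reasons in report(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a saved log with `report(open("hijackthis.log").read())`. Note what the heuristics miss: the `[Regscan]` entry the poster removed in April passes every check because it has a full path, a pronounceable name and no rundll32, which is why responders compare against known-good lists rather than trusting string heuristics alone.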


#2 Jintan (Malware Response Team, 531 posts)

Posted 22 May 2007 - 08:44 AM

Howdy vodkaparrot,


No infection showing here. I do notice you have posted these HijackThis review requests fairly consistently in recent months. Let's go ahead with a more detailed check of things for now. I also see you do not have the upgrade to XP SP2 there. As SP1 is no longer supported by MS and no updates are being provided, your system is very vulnerable to some serious infections as is.


Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


Post back that log and a new HijackThis log please.
Ad eundum quo no duck ante iit

#3 vodkaparrot (Topic Starter, Members, 68 posts)

Posted 22 May 2007 - 11:32 AM

Hi Jintan

Here is the log you requested. I am aware of the limitation of XP without XP SP2 and it's updates, but I have had some hellish problems in the past with SP2, and every time I tried to run some programs I use quite regularly (non-commercial stuff I need for work) my system crashes, so I'm afraid it's XP SP1 for the time being until the company I work for get their people to sort out the bugs in the software and make it SP2 compatible.

Thanks



"XPP" - 2007-05-22 17:23:50 Service Pack 1
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\XPP\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\14_43260.dll
C:\WINDOWS\system32\28_83260.dll
C:\Program Files\Common Files\{B8695~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-07 12:44 <DIR> d-------- C:\Program Files\QuickTime
2007-04-23 22:33 <DIR> d-------- C:\Program Files\iTunes
2007-04-22 09:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-22 09:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 16:25:52 -------- d-----w C:\Program Files\PeerGuardian2
2007-05-21 22:07:36 -------- d-----w C:\Program Files\SpywareBlaster
2007-05-21 08:10:05 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000E-00001102-00000004-10021102}.dat
2007-05-21 08:10:05 288 ----a-w C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000E-00001102-00000004-10021102}.dat
2007-05-20 02:09:43 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\Skype
2007-05-20 01:07:47 -------- d-----w C:\Program Files\eMule
2007-05-19 23:36:09 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\.BitTornado
2007-05-10 14:28:30 -------- d-----w C:\Program Files\MSN Messenger
2007-04-23 21:33:39 -------- d-----w C:\Program Files\iPod
2007-04-23 21:33:09 -------- d-----w C:\Program Files\Apple Software Update
2007-04-22 08:03:51 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\Lavasoft
2007-04-21 08:42:37 -------- d-----w C:\Program Files\Skype
2007-04-21 08:42:37 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-21 07:51:38 2,977 ----a-w C:\WINDOWS\mozver.dat
2007-04-14 00:37:32 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\MSN6
2007-04-11 16:00:36 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\Ulead Systems
2007-04-11 15:59:06 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-11 15:59:06 -------- d-----w C:\Program Files\Ulead Systems
2007-04-11 15:58:31 -------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-04-11 15:42:01 -------- d-----w C:\Program Files\Fx MPEG Writer
2007-04-11 15:32:05 -------- d-----w C:\Program Files\DVDStyler
2007-04-11 15:14:13 -------- d-----w C:\Program Files\Windows Media Components
2007-04-11 15:13:40 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-01 20:58:24 -------- d-----w C:\Program Files\Microsoft Games
2007-03-26 11:30:58 -------- d-----w C:\DOCUME~1\XPP\APPLIC~1\Microsoft Games
2007-03-23 21:16:05 38 ----a-w C:\WINDOWS\popcinfo.dat
2007-02-24 12:27:58 342,536 ----a-w C:\WINDOWS\g.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll [2006-01-17 17:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2002-09-03 03:55 C:\WINDOWS\system32\CTHELPER.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 17:22]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe" [2005-10-26 17:35]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 13:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

*Newly Created Service* -PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070513-203900-309
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20070507-142931-229
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20070421-090248-877
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe

backup-20070421-090248-959
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20061004-171004-274
O4 - Startup: .protected

backup-20061004-071618-547
O4 - Startup: .protected

backup-20061003-193542-367
O4 - Startup: .protected

backup-20061003-192723-966
O4 - Startup: .protected

backup-20061003-192628-320
O2 - BHO: (no name) - {E0CD4C14-9340-4E1E-8827-1EA00B23E32C} - C:\WINDOWS\System32\mljjg.dll (file missing)

backup-20061003-192628-769
O4 - Startup: .protected

backup-20061003-093150-683
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab


backup-20061003-093150-632
O2 - BHO: (no name) - {1771575D-E270-C3B4-E35B-004D70CE773F} - C:\WINDOWS\System32\vkvzcsj.dll

backup-20061003-093150-474
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\System32\iqkrtygi.dll (file missing)

backup-20061003-093150-869
O4 - HKLM\..\Run: [rvykmwe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rvykmwe.dll,oqjpssd

backup-20061003-093150-528
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Contents of the 'Scheduled Tasks' folder
2007-05-21 11:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 17:25:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 17:26:15
C:\ComboFix-quarantined-files.txt ... 2007-05-22 17:26

--- E O F ---

#4 vodkaparrot (Topic Starter, Members, 68 posts)

Posted 22 May 2007 - 11:34 AM

And here is the new HJT log.....

Logfile of HijackThis v1.99.1
Scan saved at 17:29:47, on 22/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{52BBCE8C-8E39-46E1-B1DC-57E1D60DE370}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#5 Jintan (Malware Response Team, 531 posts)

Posted 22 May 2007 - 04:30 PM

Good, that removed some unseen unwanteds. Let's check a questionable file there, and get in a solid complete scan now.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then go to this SITE. Click on the Browse button, navigate to the following highlighted file(s), upload and "Send" it. Copy the results with Notepad and copy/paste them back here.

C:\WINDOWS\g.dll



And disable your antivirus program and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here, along with the file scan results please.
Ad eundum quo no duck ante iit

#6 vodkaparrot (Topic Starter, Members, 68 posts)

Posted 24 May 2007 - 02:28 AM

Here are the logs....

Complete scanning result of "g.dll", received in VirusTotal at 05.23.2007, 19:00:50 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.23.2007 no virus found
AntiVir 7.4.0.27 05.23.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.22.2007 no virus found
AVG 7.5.0.467 05.23.2007 no virus found
BitDefender 7.2 05.23.2007 no virus found
CAT-QuickHeal 9.00 05.23.2007 no virus found
ClamAV devel-20070416 05.23.2007 no virus found
DrWeb 4.33 05.23.2007 no virus found
eSafe 7.0.15.0 05.21.2007 no virus found
eTrust-Vet 30.7.3655 05.23.2007 no virus found
Ewido 4.0 05.23.2007 no virus found
FileAdvisor 1 05.23.2007 no virus found
Fortinet 2.85.0.0 05.23.2007 suspicious
F-Prot 4.3.2.48 05.23.2007 no virus found
F-Secure 6.70.13030.0 05.23.2007 no virus found
Ikarus T3.1.1.8 05.23.2007 Trojan.Win32.Agent.rw
Kaspersky 4.0.2.24 05.23.2007 no virus found
McAfee 5037 05.23.2007 no virus found
Microsoft 1.2503 05.22.2007 no virus found
NOD32v2 2287 05.23.2007 no virus found
Norman 5.80.02 05.23.2007 no virus found
Panda 9.0.0.4 05.23.2007 no virus found
Prevx1 V2 05.23.2007 no virus found
Sophos 4.17.0 05.23.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.23.2007 no virus found
TheHacker 6.1.6.121 05.23.2007 no virus found
VBA32 3.12.0 05.22.2007 no virus found
VirusBuster 4.3.23:9 05.23.2007 no virus found
Webwasher-Gateway 6.0.1 05.23.2007 Win32.Malware.gen (suspicious)

Additional Information
File size: 342536 bytes
MD5: 7c2d081464877742eb804e4db32091ac
SHA1: 517df50f60e0fe77d8a71f74af83dbfab913f733
packers: UPX
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

BitDefender Online Scanner

Scan report generated at: Thu, May 24, 2007 - 02:38:58
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 02:28:48
Files: 1190435
Folders: 6555
Boot Sectors: 2
Archives: 3779
Packed Files: 162000

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 508118
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe=>wise0008 - Infected with: Trojan.Downloader.TSUpdate.J
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe=>wise0008 - Deleted
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe - Update failed
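
The VirusTotal block above reports three things a responder can reproduce locally before uploading anything: the MD5, the SHA1, and the "packers: UPX" verdict. The script below is an added example (not code from the thread, from VirusTotal or from BleepingComputer) that computes the same hashes and then reads the PE section table directly, looking for the UPX0/UPX1 section names stock UPX leaves behind and for the "UPX!" magic it writes into its loader-info block. g.dll itself is not on the page, so build_minimal_pe() constructs a throwaway image with chosen section names to run the parser on; pass a real path on the command line to triage an actual file. A UPX hit is a hint, not a verdict: packing is why 28 of 30 engines said nothing, and why Jintan asks for the sample rather than a scan result.

```python
"""
Local pre-submission triage of a suspect PE file: the MD5/SHA1 that VirusTotal
prints under 'Additional Information', plus a direct look at the PE section
table for the UPX0/UPX1 names that stock UPX leaves behind. Added example; not
code from the thread, from VirusTotal or from BleepingComputer. g.dll itself is
not on the page, so build_minimal_pe() constructs a throwaway image to run on.
"""
import hashlib
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_names(data: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        hdr = data[table + 40 * i: table + 40 * i + 40]
        if len(hdr) < 40:
            raise ValueError("section table truncated")
        names.append(hdr[:8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Hashes plus packer hints. Either UPX signal alone is a hint, not proof:
    section names can be renamed after packing and the marker can be stripped."""
    names = section_names(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sections": [n.decode("latin-1") for n in names],
        "upx_sections": any(n in UPX_SECTION_NAMES for n in names),
        "upx_marker": b"UPX!" in data,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_minimal_pe(names) -> bytes:
    """Constructed test image: 64-byte DOS header, PE signature, 20-byte COFF
    header with SizeOfOptionalHeader = 0, one 40-byte section header per name.
    Enough for the parser above; it is not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics (DLL|executable|32-bit).
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x2102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        print(triage(build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Compare the printed md5 with the one VirusTotal echoes back; a mismatch means a different file was uploaded (or the file changed on disk since), which matters when the next step is renaming it to g.dll.old and submitting it for analysis.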

#7 Jintan (Malware Response Team, 531 posts)

Posted 24 May 2007 - 12:09 PM

Looks like BitDefender only located one item, but felt that the downloader mechanism used by the following file identified it as an infection. I don't recognize the file name so don't know what it might have been associated with.

C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe


We'll need to assess that g.dll file further before suggesting its removal.



Download this program and unzip it to your desktop:

submit files packer

http://www.safer-networking.org/files/sfp.zip


Highlight the files listed below in bold, then right-click and select Copy.

C:\WINDOWS\g.dll

Then start the file packer program (sfp.exe) and right click in the white box and select paste to paste the copied file names in the field.

Press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example vodkaparrot.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Then locate the g.dll file again, right click it and Rename it by adding .old to it (g.dll becomes g.dll.old). This is just a precaution until more is known.



Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.


To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Ad eundum quo no duck ante iit

#8 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 25 May 2007 - 01:53 AM

Done all that......



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 25, 2007 7:48:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 328644
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 56143
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:48:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\XPP\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\history.dat Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\key3.db Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\parent.lock Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\search.sqlite Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\call256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\callmember256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\chat512.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\index2.dat Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\profile256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\user1024.dbb Object is locked skipped
C:\Documents and Settings\XPP\Application Data\Skype\adam.gorst\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\XPP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\Working\database_B6B8_699A_B869_5A3F\dfsr.db Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\Working\database_B6B8_699A_B869_5A3F\fsr.log Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\Working\database_B6B8_699A_B869_5A3F\fsrtmp.log Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Messenger\agorst@hotmail.com\SharingMetadata\Working\database_B6B8_699A_B869_5A3F\tmp.edb Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Windows Live Contacts\agorst@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Microsoft\Windows Live Contacts\agorst@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Application Data\Mozilla\Firefox\Profiles\ary5qpu7.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\History\History.IE5\MSHist012007052420070525\index.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\History\History.IE5\MSHist012007052520070526\index.dat Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temp\~DFA90D.tmp Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temp\~DFA912.tmp Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temp\~DFAEF2.tmp Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temp\~DFAEF7.tmp Object is locked skipped
C:\Documents and Settings\XPP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\XPP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\XPP\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\SmitfraudFix\Help\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\Help\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\{00000000-00000000-0000000E-00001102-00000004-10021102}.CDF Object is locked skipped

Scan process completed.
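Most of the report above is "Object is locked skipped" noise around two real hits. The script below, an added example written for this thread rather than Kaspersky's or the forum's own tooling, sorts a report of this shape into locked files, archive summaries, riskware (Kaspersky's not-a-virus: prefix) and actual detections, and maps an object inside an archive (file.exe/INNER.BIN) back to the on-disk file you would act on. The line format is inferred from the posted report; the sample lines are copied from it.

```python
"""Sort a Kaspersky Online Scanner report into real findings and noise.
Added example for this thread, not Kaspersky's or the forum's own tooling;
the line format is inferred from the report posted above."""
import re
from collections import Counter

# One line = <path> <status>; status is one of the three forms seen in the report.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<name>\S+) skipped"
    r"|(?P<container>\w+): infected - (?P<count>\d+) skipped"
    r")$")

# Constructed sample: a handful of lines copied from the report in this post.
SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe WiseSFX: infected - 1 skipped
C:\SmitfraudFix\Help\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\Help\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""


def parse_line(line):
    """Classify one report line; None if it is not a per-object line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("locked"):
        return {"path": path, "kind": "locked"}
    if m.group("name"):
        name = m.group("name")
        # Kaspersky's not-a-virus: prefix marks riskware/tools, not malware
        kind = "riskware" if name.startswith("not-a-virus:") else "infected"
        return {"path": path, "kind": kind, "name": name}
    return {"path": path, "kind": "container",
            "container": m.group("container"), "count": int(m.group("count"))}


def summarize(report_text):
    """Counts per kind, the findings, and the on-disk files behind real detections."""
    counts = Counter()
    findings, unparsed, files = [], [], []
    for line in report_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line.strip())
            continue
        counts[rec["kind"]] += 1
        if rec["kind"] in ("infected", "riskware"):
            findings.append(rec)
        if rec["kind"] == "infected":
            # "file.exe/INNER.BIN" names an object inside an archive; act on the outer file
            on_disk = rec["path"].split("/")[0]
            if on_disk not in files:
                files.append(on_disk)
    return {"counts": dict(counts), "findings": findings,
            "files_to_act_on": files, "unparsed": unparsed}


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary["counts"])
    for f in summary["findings"]:
        print(f"{f['kind']:9} {f['name']}  <-  {f['path']}")
    print("act on:", summary["files_to_act_on"])
```

Paste a full report into SAMPLE (or read it from a file) and the "locked" count absorbs the registry hives, browser caches and chat databases that any live scan skips, leaving the findings list short enough to read; the SmitfraudFix Reboot.exe hits stay visible but are tagged riskware rather than infected.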

#9 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 25 May 2007 - 10:04 AM

What company software has the "bugs" you mention that would interfere with SP2 upgrading? Without it, and throwing in the use of those P2P programs, this system will always be infected. As vulnerable as it is currently, at some point it may experience the kind of infection and changes that will only allow reinstallation as a solution. It looks like it has a serious enough infection history showing in the logs here, with Vundo and possible past SmitFraud.


I received that g.dll you submitted. It pretends to be Microsoft's comp.exe file comparison tool, but is the wrong type, too large, not a true .dll or even a working executable as is, and includes some mechanisms to cause an analysis to fail. I may have additional info on it with a bit more effort, but for now leave the file renamed to keep it neutral.


Kaspersky again located the same file BitDefender did, though I am surprised it remained, as BitDefender is a scan tool that attempts to modify infected files (which shows as failed in the partial log from it you posted) then deletes those it cannot repair. Do you recognize this file?

C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
Ad eundum quo no duck ante iit
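The VirusTotal result earlier in the thread gave the sample's MD5, SHA1 and a UPX packer flag, and the post above judges g.dll by header facts (wrong file type, not a true .dll, not a working executable). The script below is an added example, written for this thread and not the forum's or any vendor's tooling, that performs the same first-pass checks with the standard library: it hashes the bytes, parses the DOS and COFF headers, tests the IMAGE_FILE_DLL characteristics bit against what the file name claims, and looks for the UPX0/UPX1 section names that UPX writes. The build_minimal_pe helper and the sample it produces are constructed for demonstration; the threshold for "wrong type" (name says .dll but the bytes are not a PE or lack the DLL bit) is this example's own assumption about what the reviewer meant.

```python
"""Header-level triage of a suspect Windows binary, standard library only.
Added example for this thread; not the forum's tooling. The 'claimed name'
checks are an assumption about what a reviewer looks at first."""
import hashlib
import struct
import sys

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bits
IMAGE_FILE_DLL = 0x2000
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names the UPX packer writes


def hash_bytes(data):
    """MD5 and SHA-1, the two digests VirusTotal reported for the sample."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def parse_pe(data):
    """Read the DOS stub, COFF header and section names; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = sect_table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return {"machine": machine, "characteristics": characteristics, "sections": names}


def triage(data, claimed_name):
    """Compare what the file name claims with what the headers say."""
    name_says_dll = claimed_name.lower().endswith(".dll")
    result = {"size": len(data), "hashes": hash_bytes(data),
              "name_says_dll": name_says_dll, "is_pe": False,
              "is_dll": False, "upx_packed": False, "sections": []}
    try:
        hdr = parse_pe(data)
    except ValueError as exc:
        result["error"] = str(exc)
    else:
        result["is_pe"] = True
        result["is_dll"] = bool(hdr["characteristics"] & IMAGE_FILE_DLL)
        result["sections"] = hdr["sections"]
        result["upx_packed"] = any(n in UPX_SECTION_NAMES for n in hdr["sections"])
    # "wrong type": the name says DLL but the bytes are not a PE, or a PE without the DLL bit
    result["mismatch"] = name_says_dll and not (result["is_pe"] and result["is_dll"])
    return result


def build_minimal_pe(is_dll, section_names):
    """Constructed sample: just enough header to exercise parse_pe. Not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after the stub
    flags = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), flags)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    # Usage: python pe_triage.py C:\WINDOWS\g.dll
    with open(sys.argv[1], "rb") as fh:
        for key, value in triage(fh.read(), sys.argv[1]).items():
            print(f"{key}: {value}")
```

A mismatch result is a reason to keep the file renamed and submit it, as the post advises, not proof of malice on its own; a legitimate installer stub can be UPX-packed, and a data file with a .dll name can be harmless. The hashes are what you compare against the VirusTotal report before and after any change to the file.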

#10 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 26 May 2007 - 03:12 AM

I work for a large company and the software I use is for admin work for them when I'm at home. (It's called 'PORTAL') which probably means nothing to you as it's in-house software. I know the system gets infected but as I say not much I can do about it, I usually do a complete reinstall of Windows about every 6 months but I haven't done one for a while as my wife is playing a game on the system and doesn't want to lose her place. LOL

I don't recognise the filename.

C:\Documents and Settings\XPP\99_ncontext_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped

#11 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 26 May 2007 - 03:14 AM

Please don't bust a gut trying to help with this, I know it's not going to be clean for long I just want it to be operational until I next do a reinstall.

Thanks for all your help,

#12 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 26 May 2007 - 08:53 AM

We do work on bringing the systems in these requests to optimum standards, when possible. Often this time is the individual's only chance to get a thorough review and solid advice to get their computers to where they would want them anyway. But only advice, so all decisions remain with the computer users for sure. One thing that you might run into is that any future infection problems, if the system stays without upgrades, is perhaps some difficulty in getting another opportunity for a repeat cleaning. But if you accept the periodic reinstalls then you would have that solution at hand.

Not seeing much more than these two unknown files at this time. Both are seriously suspect (especially g.dll) and should at least be and stay renamed to check if that impacts any other functions. If time passes and no issues occur then they can be deleted. Because there may be some ties between them and some software use there I am not up to speed on I wouldn't suggest much more than that with them.
Ad eundum quo no duck ante iit

#13 vodkaparrot

vodkaparrot
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 26 May 2007 - 10:27 AM

Well thanks for your help with this, I'm not trying to be difficult it's just that I need to work from home and I can only use what my company provides, eventually they will sort this out but for now I just have to work around it.

All the best

VP

#14 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:11:56 AM

Posted 26 May 2007 - 04:32 PM

Be well.
Ad eundum quo no duck ante iit



