I Have A Serious Problem


  • This topic is locked
17 replies to this topic

#1 lamotia

lamotia

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 30 May 2007 - 02:46 PM

I don't know where this stuff came from, but it's something really, really hard to disinfect. I tried almost everything that I can think of - Norton AntiVirus, Panda Online Scan, Kaspersky, Dr. Web and some other solutions that I came across when I started reading about the problem, but nothing seems to help. They are detecting some stuff and disinfecting it, but when the machine is without a firewall it starts to send spam to random emails again (Norton has detected that). In the end I installed ZoneAlarm and I saw that there are two new processes that start upon boot that are named with random numbers and have the extension .exe. I started checking what they were, but I cannot find where they are coming from. So without further talking, here is my HijackThis log. I'll be very happy if someone can help me. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 22:31:02, on 30.05.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\medomir\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B2A2B3A-705F-4820-A85A-C9373BFA652B} - C:\WINDOWS\System32\awvts.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexWord 2K.lnk = C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172396041250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:13 AM

Posted 01 June 2007 - 01:10 PM

Hello lamotia,

I am SifuMike and I will be helping you. :thumbsup:

You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

******************


Reboot to Normal Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log, the VundoFix log and a fresh HijackThis log. If these logs are long, you may have to do this in separate posts.

Edited by SifuMike, 01 June 2007 - 01:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lamotia

lamotia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 02 June 2007 - 04:49 AM

Hi SifuMike, thanks for your help so far. I did everything exactly as you told me and here are the logs that you've requested.

BitDefender Online Scanner - Real Time Virus Report

Generated at: Sat, Jun 02, 2007 - 02:43:42

Scan Info
Scanned Files: 305314
Infected Files: 13

Virus Detected
Trojan.Rootkit.Ntrootkit.F: 3
Trojan.Spy.HTML.Bankfraud.CM: 4
Win32.Sober.Y@mm: 3
Trojan.Downloader.Gen: 1
Rootkit.Agent.DP: 2

Here is the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:14:41 02.06.2007

+ Scan result:



C:\Program Files\M3 GAME Manager\gamesave\bank.dat -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Windows update loader -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Windows update loader -> Adware.RogueSuspect : Error during cleaning.
D:\_Software\ACDSee 3.0\TNT-ACD3.ZIP/TNT-ACDSee.v3.0.b1209_CRK.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined).
D:\_Software\ACDSee 3.0\TNT-ACD3\TNT-ACDSee.v3.0.b1209_CRK.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\Program Files\iolo\System Mechanic 5 Professional\Search and Recover\streamserver.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ksys.sys -> Rootkit.NtRootKit : Cleaned with backup (quarantined).


::Report end

#4 lamotia

lamotia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 02 June 2007 - 04:50 AM

VundoFix.exe was unable to find anything, so there is no log. And here is the fresh HijackThis one:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:18, on 02.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\medomir\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B2A2B3A-705F-4820-A85A-C9373BFA652B} - C:\WINDOWS\System32\awvts.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexWord 2K.lnk = C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172396041250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 lamotia

lamotia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 02 June 2007 - 04:58 AM

As a result, ZoneAlarm stopped detecting those executables named with random numbers, but something else occurred. When I rebooted back to normal mode trying to fix Vundo, there was some internet activity that ZoneAlarm detected. It was strange because I was not doing anything that would suggest internet usage. I checked ZoneAlarm and it said that IE is currently running and IE is responsible for the traffic. At the time IE was not opened in any way. Can this mean that I'm still infected and the thing that I'm infected with is trying to regain control again?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:13 AM

Posted 02 June 2007 - 12:13 PM

Hello lamotia,

In result ZoneAlarm stopped detecting those executables named with random numbers but something else occurred. When I rebooted back to normal mode trying to fix Vundo there was some internet activity that ZoneAlarm detected. It was strange because I was not doing anything that would suggest internet usage. I checked ZoneAlarm and it said that IE is currently running and IE is responsible for the traffic. At the time IE was not opened in any way. Can this mean that I'm still infected and the thing that I'm infected with is trying to regain control again?



It may be the rootkit causing this.

I need to see the entire VundoFix log even if it did not find anything. It may give me a clue as to what is going on.

Also, you only posted the top portion of the BitDefender log. I need to see the entire log.
It found a rootkit (Trojan.Rootkit.Ntrootkit.F) and I don't know if it deleted it and the rest of the malware it found.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {2B2A2B3A-705F-4820-A85A-C9373BFA652B} - C:\WINDOWS\System32\awvts.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


If you did not add these pages to your trusted pages, they should be fixed.
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)


O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer


Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a log file will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).


Finally, post the Rootchk log, a new Hijackthis log, the BitDefender log, the VundoFix log.

Edited by SifuMike, 02 June 2007 - 12:17 PM.

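The entries SifuMike picks out above (orphaned O2/O3 browser add-ons, O15 trusted IP ranges the user never added, an O16 DPF whose source is not an http URL) follow a pattern that can be checked mechanically. The Python below is an added example, not part of this thread or of HijackThis itself: it triages a HijackThis v1.99.1 log with those rules. The sample lines are copied from the logs posted above, except for one constructed O4 entry standing in for the digit-named autostart executables the original poster describes; the digit-name rule is an assumed heuristic, not something the thread states.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99.1 format. All lines except the O4 "1234567"
# entry are copied from the logs posted in this thread; that one is made up to stand
# in for the digit-named autostart executables the original poster describes.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B2A2B3A-705F-4820-A85A-C9373BFA652B} - C:\WINDOWS\System32\awvts.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [1234567] C:\WINDOWS\system32\1234567.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Markers HijackThis prints for add-ons that have no display name or whose file is gone.
ORPHAN_MARKERS = ("(no name)", "(file missing)", "(no file)")
# Download Program Files (O16) are normally fetched over plain http/https.
SAFE_SCHEMES = {"http", "https"}


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis line into (section tag, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def run_entry_basename(body: str) -> str:
    """For an O4 body like 'HKLM\\..\\Run: [name] "C:\\dir\\x.exe" /flag' return 'x.exe'."""
    m = re.search(r"\]\s*\"?(.+?\.exe)", body, re.IGNORECASE)
    return ntpath.basename(m.group(1)) if m else ""


def url_scheme(body: str) -> str:
    """Scheme of the URL that ends an O16 body, lower-cased ('' if there is none)."""
    url = body.rsplit(" - ", 1)[-1].strip()
    m = re.match(r"([a-z][a-z0-9+.-]*):", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every entry a helper would ask to be fixed or reviewed."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("O2", "O3") and any(mk in body for mk in ORPHAN_MARKERS):
            findings.append((line, "browser add-on with no name or no backing file"))
        elif section == "O4" and re.fullmatch(r"\d+\.exe", run_entry_basename(body), re.IGNORECASE):
            # Assumed heuristic: legitimate autostarts are rarely named with digits only.
            findings.append((line, "autostart executable named with digits only (heuristic)"))
        elif section == "O15":
            findings.append((line, "trusted IP range/zone: fix unless you added it yourself"))
        elif section == "O16" and url_scheme(body) not in SAFE_SCHEMES:
            findings.append((line, "DPF download whose source is not an http(s) URL"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"FIX? {entry}\n     -> {reason}")
```

The rules mirror the reply's own reasoning: a legitimate O2/O3 entry has a name and a file on disk, an O15 trusted range is only legitimate if the owner put it there, and a DPF that chains ms-its: and file: URLs has no business being an ActiveX source.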

#7 lamotia

lamotia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 02 June 2007 - 02:16 PM

rootchk log


********************************* ROOTCHK-(29-05-07b)-LOG, by ejvindh
02.06.2007 21:59:05.09

Driver EXAMPLE (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver NDnet1 (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver RpcApi (visible) is present. Run COMBOFIX by sUBs.
Driver Runtime (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver Runtime2 (hidden) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver nm (visible) is present. Run COMBOFIX by sUBs.

********************************* ROOTCHK-LOG-end

VundoFix log


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 12:21:15 02.06.2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 21:30:37 02.06.2007

Listing files found while scanning....

No infected files were found.

New Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 22:11:09, on 02.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\medomir\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexWord 2K.lnk = C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172396041250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 lamotia
  • Topic Starter
  • Members
  • 20 posts

Posted 02 June 2007 - 02:17 PM

I'm currently running BitDefender again because that was all of the log it got me the last time. I'll see if anything new shows up and I'll post it here.

#9 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 June 2007 - 02:21 PM

Hi lamotia,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking:
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

#10 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 June 2007 - 02:28 PM

I'm currently running BitDefender again because that was all of the log it got me the last time. I'll see if anything new shows up and I'll post it here.


This is how a BitDefender Online Scanner report looks. It shows what it deleted and the locations.

BitDefender Online Scanner
Scan report generated at: Fri, May 12, 2006 - 00:57:30
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;
Statistics
Time: 01:59:43
Files: 555455
Folders: 5370
Boot Sectors: 3
Archives: 88848
Packed Files: 47287

Results
Identified Viruses: 7
Infected Files: 44
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 47

Engines Info
Virus Definitions: 474438
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 40
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Program Files\Norton AntiVirus\Quarantine\025A61B7 | Infected with: Win32.Mydoom.A@mm.damaged
C:\Program Files\Norton AntiVirus\Quarantine\025A61B7 | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\025A61B7 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\03864C5D | Infected with: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\03864C5D | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\03D44EFC | Infected with: Win32.Netsky.C@mm
C:\Program Files\Norton AntiVirus\Quarantine\03D44EFC | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\049E445F | Infected with: Win32.Mydoom.A@mm.damaged
C:\Program Files\Norton AntiVirus\Quarantine\049E445F | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\049E445F | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\04BB71B1 | Infected with: Win32.Mydoom.A@mm.damaged
C:\Program Files\Norton AntiVirus\Quarantine\04BB71B1 | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\04BB71B1 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\0932691D | Infected with: Win32.Netsky.B@mm
C:\Program Files\Norton AntiVirus\Quarantine\0932691D | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\0AB36A43 | Infected with: Win32.Netsky.C@mm
C:\Program Files\Norton AntiVirus\Quarantine\0AB36A43 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\0CAB2E64 | Infected with: Win32.Netsky.C@mm
C:\Program Files\Norton AntiVirus\Quarantine\0CAB2E64 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\0D9214E1 | Infected with: Win32.Netsky.B@mm
C:\Program Files\Norton AntiVirus\Quarantine\0D9214E1 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\0DB662B9 | Infected with: Win32.Netsky.C@mm
C:\Program Files\Norton AntiVirus\Quarantine\0DB662B9 | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\1A08729D | Infected with: Win32.Netsky.B@mm
C:\Program Files\Norton AntiVirus\Quarantine\1A08729D | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\1F8704FA | Infected with: Win32.Netsky.P@mm
C:\Program Files\Norton AntiVirus\Quarantine\1F8704FA | Deleted



#11 lamotia
  • Topic Starter
  • Members
  • 20 posts

Posted 02 June 2007 - 07:03 PM

Here is the complete BitDefender log:

BitDefender Online Scanner
Scan report generated at: Sat, Jun 02, 2007 - 23:55:03
Scan path: A:\;C:\;D:\;G:\;

Statistics
Time: 01:40:54
Files: 264367
Folders: 8619
Boot Sectors: 5
Archives: 20019
Packed Files: 12356

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 511471
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filA505DC64.dat=>(gzip) | Infected with: Trojan.Rootkit.Ntrootkit.F
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filA505DC64.dat=>(gzip) | Disinfection failed
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filA505DC64.dat=>(gzip) | Deleted
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filA505DC64.dat | Update failed
C:\WINDOWS\system32\drivers\ip6fw.sys | Infected with: Rootkit.Agent.DP
C:\WINDOWS\system32\drivers\ip6fw.sys | Disinfection failed
C:\WINDOWS\system32\drivers\ip6fw.sys | Deleted
C:\WINDOWS\system32\ksys.sys | Infected with: Trojan.Rootkit.Ntrootkit.F
C:\WINDOWS\system32\ksys.sys | Disinfection failed
C:\WINDOWS\system32\ksys.sys | Deleted

#12 lamotia
  • Topic Starter
  • Members
  • 20 posts

Posted 02 June 2007 - 07:19 PM

Combofix log

"medomir" - 2007-06-03 3:01:34 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\medomir\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\8_exception.nls"
"C:\WINDOWS\system32\pfxzmtaim.dll"
"C:\WINDOWS\system32\pfxzmtgtal.dll"
"C:\WINDOWS\system32\pfxzmticq.dll"
"C:\WINDOWS\system32\pfxzmtymsg.dll"
"C:\WINDOWS\system32\sfxzmtforum.dll"
"C:\WINDOWS\system32\sfxzmtsmt.dll"
"C:\WINDOWS\system32\sfxzmtwbmail.dll"
"C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat"
"C:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"C:\Documents and Settings\All Users.\documents\settings"
"C:\WINDOWS\system32\drivers\runtime2.sys"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\EXAMPLE
-------\NDnet1
-------\nm
-------\RpcApi
-------\Runtime


((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-02 21:45 <DIR> d-------- C:\Program Files\CCleaner
2007-06-02 12:21 <DIR> d-------- C:\VundoFix Backups
2007-06-02 12:19 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-06-02 09:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 00:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-31 18:41 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-30 23:06 <DIR> d-------- C:\Program Files\MSBuild
2007-05-30 23:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-30 23:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-30 22:59 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-30 01:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-30 01:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-30 00:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-30 00:59 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-30 00:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-30 00:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-30 00:10 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-30 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-29 22:52 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-05-29 22:52 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2007-05-29 22:52 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-05-29 22:52 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-05-29 22:52 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-05-29 22:52 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-05-29 22:52 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-05-29 22:52 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-05-29 22:52 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-05-29 22:52 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2007-05-29 22:52 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
2007-05-29 22:52 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-05-29 22:52 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-05-29 22:52 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-05-29 22:52 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-05-29 22:52 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-05-29 22:52 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-05-29 22:52 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-05-29 22:52 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-05-29 22:52 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-05-29 22:52 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2007-05-29 22:52 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2007-05-29 22:52 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2007-05-29 22:52 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-05-29 22:52 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-05-29 22:52 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2007-05-29 22:52 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2007-05-29 22:52 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2007-05-29 22:52 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2007-05-29 22:52 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2007-05-29 22:52 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2007-05-29 22:52 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-05-29 22:52 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-05-29 22:52 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-05-29 22:52 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2007-05-29 22:52 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-05-29 22:52 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2007-05-29 22:52 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-05-29 22:52 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-05-29 22:52 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
2007-05-29 22:52 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2007-05-29 22:52 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2007-05-29 22:52 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-05-29 22:52 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-05-29 22:52 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2007-05-29 22:52 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-05-29 22:52 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-05-29 22:52 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-05-29 22:52 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-05-29 22:52 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-05-29 22:52 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2007-05-29 22:52 32,866 --------- C:\WINDOWS\slrundll.exe
2007-05-29 22:52 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2007-05-29 22:52 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2007-05-29 22:52 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2007-05-29 22:52 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-05-29 22:52 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2007-05-29 22:52 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-05-29 22:52 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-05-29 22:52 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll
2007-05-29 22:52 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-05-29 22:52 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-05-29 22:52 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-05-29 22:52 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-05-29 22:52 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-05-29 22:52 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-05-29 22:52 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2007-05-29 22:52 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2007-05-29 22:52 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-05-29 22:52 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-05-29 22:52 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-05-29 22:52 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-05-29 22:52 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2007-05-29 22:52 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-05-29 22:52 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2007-05-29 22:52 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-05-29 22:52 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-05-29 22:52 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2007-05-29 22:52 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-05-29 22:52 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-05-29 22:52 20,992 --------- C:\WINDOWS\system32\bthci.dll
2007-05-29 22:52 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2007-05-29 22:52 188,508 --------- C:\WINDOWS\system32\slgen.dll
2007-05-29 22:52 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2007-05-29 22:52 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2007-05-29 22:52 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2007-05-29 22:52 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-05-29 22:52 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2007-05-29 22:52 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2007-05-29 22:52 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-05-29 22:52 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2007-05-29 22:52 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2007-05-29 22:52 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-05-29 22:52 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2007-05-29 22:52 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-05-29 22:52 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2007-05-29 22:52 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2007-05-29 22:52 13,776 --------- C:\WINDOWS\system32\drivers\recagent.sys
2007-05-29 22:52 13,240 --------- C:\WINDOWS\system32\drivers\slwdmsup.sys
2007-05-29 22:52 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2007-05-29 22:52 129,535 --------- C:\WINDOWS\system32\drivers\slnt7554.sys
2007-05-29 22:52 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2007-05-29 22:52 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-05-29 22:52 12,672 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-05-29 22:52 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-05-29 22:52 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2007-05-29 22:52 116,224 --------- C:\WINDOWS\system32\p2p.dll
2007-05-29 22:52 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2007-05-29 22:52 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2007-05-29 22:52 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-05-29 22:52 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2007-05-29 22:52 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-05-29 22:52 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-05-29 22:52 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2007-05-29 22:52 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2007-05-29 22:52 11,136 --------- C:\WINDOWS\system32\drivers\sffdisk.sys
2007-05-29 22:52 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2007-05-29 22:52 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2007-05-29 22:52 10,240 --------- C:\WINDOWS\system32\drivers\sffp_sd.sys
2007-05-29 22:52 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2007-05-29 22:52 1,309,184 --------- C:\WINDOWS\system32\drivers\mtlstrm.sys
2007-05-29 22:52 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-05-29 22:52 <DIR> d-------- C:\WINDOWS\provisioning
2007-05-29 22:52 <DIR> d-------- C:\WINDOWS\peernet
2007-05-29 22:52 <DIR> d-------- C:\Program Files\messenger
2007-05-29 22:50 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2007-05-29 22:49 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-23 20:04 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-05-16 22:50 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-16 22:50 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-16 22:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-16 22:49 <DIR> d-------- C:\WINDOWS\Internet Logs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 20:17:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-30 19:18:48 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-29 23:27:50 -------- d-----w C:\Program Files\Razer
2007-05-29 23:27:01 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-29 23:24:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-29 23:23:37 -------- d-----w C:\Program Files\BitComet
2007-05-29 19:52:19 -------- d-----w C:\Program Files\Movie Maker
2007-05-29 19:50:57 -------- d-----w C:\Program Files\Windows NT
2007-05-16 20:07:14 -------- d-----w C:\Program Files\Symantec
2007-04-20 18:04:54 -------- d-----w C:\DOCUME~1\medomir\APPLIC~1\Nokia Multimedia Player
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 07:53:28 -------- d-----w C:\Program Files\CellNet
2007-04-17 05:26:27 8,704 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-11 21:10:45 -------- d-----w C:\Program Files\AGEIA Technologies
2007-04-11 20:33:38 -------- d-----w C:\Program Files\cebas
2007-04-07 11:05:58 -------- d-----w C:\DOCUME~1\medomir\APPLIC~1\Skype
2007-04-07 09:05:11 -------- d-----w C:\Program Files\Skype
2007-04-07 09:05:11 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-01 15:53:02 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-04-01 15:53:02 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-03-28 15:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 15:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-23 03:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 03:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 17:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 21:36:03 48,160 ----a-w C:\DOCUME~1\medomir\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 19:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-16 23:06]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 17:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^medomir^Start Menu^Programs^Startup^StickIt UDP Server.lnk]
path=C:\Documents and Settings\medomir\Start Menu\Programs\Startup\StickIt UDP Server.lnk
backup=C:\WINDOWS\pss\StickIt UDP Server.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outpost]
C:\Documents and Settings\medomir\Local Settings\Temp\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
"C:\WINDOWS\System32\update82263134.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Waas]
C:\Documents and Settings\medomir\Application Data\nws.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Schedule"=2 (0x2)
"IPClampService"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-03-16 18:49:21 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - medomir.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 03:05:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-03 3:08:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-03 03:08

--- E O F ---


Here is the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 03:13:45, on 03.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\medomir\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexWord 2K.lnk = C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172396041250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:13 AM

Posted 02 June 2007 - 09:29 PM

Hello lamotia,

That's much better. Now we just do minor cleanup. :thumbsup:

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

These are optional fixes. The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
(Description: Soundblaster X-Fi card related. Not necessary - see this article)

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )


Run CCleaner to clean the temp files.


Now we backup the registry.

Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


  • Click Start » Run » type: Notepad » OK
  • Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).


    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
  • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it FixME.reg and save it on your desktop.
  • Its icon should look like this: Posted Image
  • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.

Reboot and post a fresh Hijackthis log and ComboFix log.

 
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
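The two traits this thread is chasing in the ComboFix "Reg Loading Points" listing (an autostart living in the user's Temp or Application Data folder, and an executable with a random-looking numeric name such as the RunOnce2Upd entry) can be checked mechanically, and the FixME.reg step above is just a REGEDIT4 file with one [-KEY] line per key to delete. The following Python script is an added example, not part of the thread and not ComboFix's or HijackThis's own code: it parses the section format shown in the log, flags entries that match either heuristic, and builds the matching removal .reg text. The sample input is constructed from lines in the log above; the heuristics and the function names are the example's own.

```python
"""Triage ComboFix 'Reg Loading Points' output for risky autostart entries.

Added example (not from the thread or from ComboFix). It parses the section
format shown in the log above and flags two traits: autostarts that run from
a user-writable profile/temp folder, and executables whose name carries a
long auto-generated digit run. Flagged entries are candidates for a manual
check, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ComboFix section (values taken from the log above).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"CTHelper"="CTHELPER.EXE" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outpost]
C:\Documents and Settings\medomir\Local Settings\Temp\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
"C:\WINDOWS\System32\update82263134.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Waas]
C:\Documents and Settings\medomir\Application Data\nws.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Schedule"=2 (0x2)
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                       # [HKEY_...] section header
NAMED_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"(?:\s*\[[^\]]*\])?$')  # "name"="cmd" [stamp]
EXE_RE = re.compile(r'"?([^"\s][^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.IGNORECASE)
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")  # heuristic, assumed markers
DIGIT_RUN = re.compile(r"\d{6,}")


@dataclass
class Autostart:
    key: str
    name: str
    command: str
    exe: str
    reasons: list = field(default_factory=list)


def assess(exe):
    """Heuristic reasons to look closer at one executable path (empty list = nothing tripped)."""
    reasons = []
    low = exe.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile or temp folder")
    if DIGIT_RUN.search(low.rsplit("\\", 1)[-1]):
        reasons.append("file name contains a long digit run (looks auto-generated)")
    return reasons


def parse_loading_points(text):
    """Return one Autostart per value line that names a file to run."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        if key is None or line.startswith("backup="):
            continue
        name = key.rsplit("\\", 1)[-1]  # startupreg/startupfolder keys carry the entry name
        nm = NAMED_RE.match(line)
        if nm:
            name, cmd = nm.group("name"), nm.group("cmd")
        elif line.startswith("path="):
            cmd = line[len("path="):]
        elif EXE_RE.search(line):
            cmd = line
        else:
            continue  # numeric policy/service values such as "Schedule"=2 (0x2)
        em = EXE_RE.search(cmd)
        exe = em.group(1) if em else cmd
        entries.append(Autostart(key, name, cmd, exe, assess(exe)))
    return entries


def flagged(text):
    """Map entry name -> reasons for every entry that tripped a heuristic."""
    return {e.name: e.reasons for e in parse_loading_points(text) if e.reasons}


def removal_reg(keys):
    """REGEDIT4 text deleting the given keys, in the FixME.reg shape used above:
    REGEDIT4 at column 0, one [-KEY] line per key, exactly one blank line at the end."""
    body = "\n".join(f"[-{k}]" for k in keys)
    return f"REGEDIT4\n\n{body}\n\n"


if __name__ == "__main__":
    for name, why in flagged(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
    print(removal_reg([e.key for e in parse_loading_points(SAMPLE) if e.reasons]))
```

Run against the sample, the script reports outpost (Temp), RunOnce2Upd (digit run) and Waas (Application Data) and leaves the Run-key vendor entries alone; the generated .reg deletes only the flagged msconfig startupreg keys, which is the same shape of fix as the FixME.reg posted above and should be reviewed by a person before merging.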

#14 lamotia

lamotia
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 03 June 2007 - 03:46 AM

I use Adobe Gamma, so I prefer to leave it available. Also, should I re-enable the Norton AntiVirus Script Blocking feature?

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:30:33, on 03.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Razer\razerhid.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Razer\razertra.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\medomir\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlexWord 2K.lnk = C:\Program Files\Datecs\FlexWord2K\FlexWord2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172396041250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Here is the new ComboFix one:

"medomir" - 2007-06-03 11:32:59 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\medomir\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-03 03:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-02 21:45 <DIR> d-------- C:\Program Files\CCleaner
2007-06-02 12:19 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-06-02 09:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-02 00:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-31 18:41 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-30 23:06 <DIR> d-------- C:\Program Files\MSBuild
2007-05-30 23:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-30 23:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-30 22:59 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-30 01:06 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-30 01:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-30 00:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-30 00:59 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-30 00:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-30 00:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-30 00:10 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-30 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-29 22:52 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-05-29 22:52 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2007-05-29 22:52 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-05-29 22:52 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-05-29 22:52 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-05-29 22:52 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-05-29 22:52 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-05-29 22:52 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-05-29 22:52 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-05-29 22:52 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2007-05-29 22:52 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
2007-05-29 22:52 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-05-29 22:52 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-05-29 22:52 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-05-29 22:52 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-05-29 22:52 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-05-29 22:52 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-05-29 22:52 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-05-29 22:52 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-05-29 22:52 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-05-29 22:52 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-05-29 22:52 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2007-05-29 22:52 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2007-05-29 22:52 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2007-05-29 22:52 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2007-05-29 22:52 59,648 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
2007-05-29 22:52 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-05-29 22:52 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2007-05-29 22:52 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2007-05-29 22:52 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2007-05-29 22:52 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2007-05-29 22:52 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2007-05-29 22:52 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2007-05-29 22:52 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-05-29 22:52 452,736 --------- C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-05-29 22:52 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-05-29 22:52 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
2007-05-29 22:52 44,032 --------- C:\WINDOWS\system32\twext.dll
2007-05-29 22:52 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2007-05-29 22:52 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-05-29 22:52 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-05-29 22:52 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
2007-05-29 22:52 41,088 --------- C:\WINDOWS\system32\drivers\sisagp.sys
2007-05-29 22:52 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2007-05-29 22:52 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2007-05-29 22:52 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-05-29 22:52 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2007-05-29 22:52 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-05-29 22:52 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-05-29 22:52 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-05-29 22:52 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-05-29 22:52 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-05-29 22:52 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2007-05-29 22:52 32,866 --------- C:\WINDOWS\slrundll.exe
2007-05-29 22:52 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2007-05-29 22:52 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2007-05-29 22:52 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2007-05-29 22:52 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-05-29 22:52 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2007-05-29 22:52 30,080 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-05-29 22:52 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-05-29 22:52 3,901 --------- C:\WINDOWS\system32\drivers\siint5.dll
2007-05-29 22:52 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-05-29 22:52 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-05-29 22:52 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-05-29 22:52 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-05-29 22:52 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-05-29 22:52 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-05-29 22:52 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2007-05-29 22:52 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2007-05-29 22:52 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-05-29 22:52 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-05-29 22:52 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-05-29 22:52 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-05-29 22:52 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2007-05-29 22:52 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-05-29 22:52 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2007-05-29 22:52 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-05-29 22:52 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-05-29 22:52 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2007-05-29 22:52 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-05-29 22:52 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-05-29 22:52 20,992 --------- C:\WINDOWS\system32\bthci.dll
2007-05-29 22:52 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2007-05-29 22:52 188,508 --------- C:\WINDOWS\system32\slgen.dll
2007-05-29 22:52 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2007-05-29 22:52 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2007-05-29 22:52 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2007-05-29 22:52 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-05-29 22:52 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2007-05-29 22:52 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2007-05-29 22:52 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-05-29 22:52 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2007-05-29 22:52 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2007-05-29 22:52 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-05-29 22:52 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2007-05-29 22:52 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-05-29 22:52 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2007-05-29 22:52 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2007-05-29 22:52 13,776 --------- C:\WINDOWS\system32\drivers\recagent.sys
2007-05-29 22:52 13,240 --------- C:\WINDOWS\system32\drivers\slwdmsup.sys
2007-05-29 22:52 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2007-05-29 22:52 129,535 --------- C:\WINDOWS\system32\drivers\slnt7554.sys
2007-05-29 22:52 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2007-05-29 22:52 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-05-29 22:52 12,672 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-05-29 22:52 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-05-29 22:52 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2007-05-29 22:52 116,224 --------- C:\WINDOWS\system32\p2p.dll
2007-05-29 22:52 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2007-05-29 22:52 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2007-05-29 22:52 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-05-29 22:52 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2007-05-29 22:52 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-05-29 22:52 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-05-29 22:52 11,325 --------- C:\WINDOWS\system32\drivers\vchnt5.dll
2007-05-29 22:52 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2007-05-29 22:52 11,136 --------- C:\WINDOWS\system32\drivers\sffdisk.sys
2007-05-29 22:52 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2007-05-29 22:52 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2007-05-29 22:52 10,240 --------- C:\WINDOWS\system32\drivers\sffp_sd.sys
2007-05-29 22:52 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2007-05-29 22:52 1,309,184 --------- C:\WINDOWS\system32\drivers\mtlstrm.sys
2007-05-29 22:52 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-05-29 22:52 <DIR> d-------- C:\WINDOWS\provisioning
2007-05-29 22:52 <DIR> d-------- C:\WINDOWS\peernet
2007-05-29 22:52 <DIR> d-------- C:\Program Files\messenger
2007-05-29 22:50 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2007-05-29 22:49 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-23 20:04 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-05-16 22:50 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-16 22:50 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-16 22:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-16 22:49 <DIR> d-------- C:\WINDOWS\Internet Logs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 20:17:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-30 19:18:48 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-29 23:27:50 -------- d-----w C:\Program Files\Razer
2007-05-29 23:27:01 -------- d-----w C:\Program Files\Norton AntiVirus
2007-05-29 23:24:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-29 23:23:37 -------- d-----w C:\Program Files\BitComet
2007-05-29 19:52:19 -------- d-----w C:\Program Files\Movie Maker
2007-05-29 19:50:57 -------- d-----w C:\Program Files\Windows NT
2007-05-16 20:07:14 -------- d-----w C:\Program Files\Symantec
2007-04-20 18:04:54 -------- d-----w C:\DOCUME~1\medomir\APPLIC~1\Nokia Multimedia Player
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 07:53:28 -------- d-----w C:\Program Files\CellNet
2007-04-17 05:26:27 8,704 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-11 21:10:45 -------- d-----w C:\Program Files\AGEIA Technologies
2007-04-11 20:33:38 -------- d-----w C:\Program Files\cebas
2007-04-07 11:05:58 -------- d-----w C:\DOCUME~1\medomir\APPLIC~1\Skype
2007-04-07 09:05:11 -------- d-----w C:\Program Files\Skype
2007-04-07 09:05:11 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-01 15:53:02 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-04-01 15:53:02 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-03-28 15:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 15:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-23 03:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 03:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 17:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 21:36:03 48,160 ----a-w C:\DOCUME~1\medomir\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 19:21]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-16 23:06]
"CTHelper"="CTHELPER.EXE" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 17:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^medomir^Start Menu^Programs^Startup^StickIt UDP Server.lnk]
path=C:\Documents and Settings\medomir\Start Menu\Programs\Startup\StickIt UDP Server.lnk
backup=C:\WINDOWS\pss\StickIt UDP Server.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outpost]
C:\Documents and Settings\medomir\Local Settings\Temp\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Waas]
C:\Documents and Settings\medomir\Application Data\nws.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Schedule"=2 (0x2)
"IPClampService"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-03-16 18:49:21 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - medomir.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 11:35:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-03 11:36:17

--- E O F ---
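As an added illustration of how a log reviewer reads the "Reg Loading Points" section above (this is example code written for this page, not part of the thread and not ComboFix's own code): it parses the Run-key lines and the msconfig\startupreg entries, then flags the ones a reviewer would want to look at more closely, namely an autostart whose executable ComboFix could not stamp with a file date, or one that runs from a user-writable folder such as Temp or Application Data. The sample input is an excerpt constructed from the log above; the two heuristics and the assumption that msconfig\startupreg holds items the user disabled in msconfig are the example's own, and a flag means "check this", not "this is malware".

```python
import re

# Constructed excerpt of the "Reg Loading Points" section from the log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 19:21]
"CTHelper"="CTHELPER.EXE" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outpost]
C:\Documents and Settings\medomir\Local Settings\Temp\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Waas]
C:\Documents and Settings\medomir\Application Data\nws.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Run-key style line:  "name"="command" [file timestamp or empty]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
# Folders a reviewer treats as unusual homes for an autostart executable (assumed list).
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


def parse_loading_points(text):
    """Return (key, name, command, stamp) for every autostart entry found."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append((key, m.group("name"), m.group("cmd"), m.group("stamp")))
        elif key and "msconfig\\startupreg\\" in key.lower():
            # msconfig-disabled item: the key's last component names it and the
            # line is the bare command (possibly quoted); dormant but still worth a look.
            entries.append((key, key.rsplit("\\", 1)[1], line.strip('"'), None))
    return entries


def triage(entries):
    """Return (name, reason) pairs for entries a reviewer should examine."""
    flagged = []
    for _key, name, cmd, stamp in entries:
        if stamp == "":  # bare filename and no timestamp: ComboFix located no file
            flagged.append((name, "file not located on disk"))
        elif any(d in cmd.lower() for d in USER_WRITABLE):
            flagged.append((name, "runs from a user-writable folder"))
    return flagged
```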

#15 SifuMike

SifuMike

malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:13 AM

Posted 03 June 2007 - 09:54 AM

Hello lamotia,

I use adobe gamma so I prefer to leave it available.



That is fine, as those were optional fixes. :flowers:

Also, should I re-enable the Norton Antivirus Script Blocking feature?



Yes, you can enable Norton Antivirus Script Blocking.


Your log looks clean! :thumbsup: Good job on the cleanup!


You can delete VundoFix, ComboFix, rootchk programs.
You may want to keep CCleaner. You can delete C:\QooBox folder

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.


