Suspect Infection Of Unknown Malware


#1 crimson697


Posted 04 June 2007 - 09:03 AM

Hi.

I had an accident Thursday that led to an infection of Purityscan, Downloader and Agent. Now I think I got rid of these, but the computer is not acting like it used to. Can anyone please browse through the HiJack log to see if there is anything fishy?

Thanks!



#2 SifuMike


Posted 09 June 2007 - 03:15 PM

Hello crimson697,

I am SifuMike and I will be helping you. :thumbsup:

Is this a corporate computer?


You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right-click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

The new version of AVG Anti Spyware does not work in safe mode. Until a fix is released download and use the AVG_Anti-Spyware_7.5.1.36_Safe_Mode_Registry_Patch.reg workaround patch to correct this. Save to your desktop, double-click on that file and choose "Yes" to merge it into the registry when prompted.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.



When done, submit the ComboFix log, the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 crimson697


Posted 13 June 2007 - 02:32 AM

Hello SifuMike

Thank you for helping me out.

The computer is a company laptop, so I guess I don't use it just for business :thumbsup:

I performed the steps you requested. When going into Safe Mode, because of the domain logon, I had to use the Administrator user on this computer to be able to log on without the network.
I also took the liberty of anonymizing the logs.

ComboFix 07-06-11.3 - D:\download\bleeping_fix\ComboFix.exe
"xx" - 2007-06-13 8:51:38 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


2007-06-13 08:51 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-12 14:50 <DIR> d-------- C:\DOCUME~1\NETWOR~1\PROGRA~1\Webroot
2007-06-12 14:26 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-12 08:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-06 15:58 <DIR> d-------- C:\Programfiler\Security Task Manager
2007-06-06 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SecTaskMan
2007-06-06 14:27 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 14:17 <DIR> d-------- C:\DOCUME~1\xx\DoctorWeb
2007-06-06 14:04 <DIR> dr-h----- C:\DOCUME~1\xx\Siste
2007-06-06 09:42 <DIR> d-------- C:\Programfiler\Registry Medic 5
2007-06-06 09:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Iomatic
2007-06-05 12:15 <DIR> d-------- C:\Programfiler\Uniblue
2007-06-05 12:15 <DIR> d-------- C:\DOCUME~1\xx\PROGRA~1\Uniblue
2007-06-04 11:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Yahoo! Companion
2007-06-04 11:29 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-06-04 11:15 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-04 11:15 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-04 11:15 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-06-04 11:15 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-04 11:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1\PROGRA~1\Webroot
2007-06-04 11:14 <DIR> d-------- C:\Programfiler\Webroot
2007-06-04 11:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Webroot
2007-06-04 11:08 <DIR> d-------- C:\Programfiler\Yahoo!
2007-06-04 11:08 <DIR> d-------- C:\DOCUME~1\xx\PROGRA~1\Webroot
2007-06-04 11:07 <DIR> d-------- C:\Programfiler\CCleaner
2007-06-04 10:12 <DIR> d-------- C:\DOCUME~1\xx\PROGRA~1\Lavasoft
2007-06-04 10:11 <DIR> d-------- C:\Programfiler\Lavasoft
2007-06-01 14:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-01 12:34 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-01 12:34 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-01 12:34 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-01 12:34 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-01 12:34 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-01 12:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-31 14:56 <DIR> dr-h----- C:\DOCUME~1\LOCALS~1\Siste
2007-05-31 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Spybot - Search & Destroy
2007-05-31 14:10 <DIR> d-------- C:\DOCUME~1\xx\PROGRA~1\AntiSpywareBot
2007-05-31 11:39 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\PROGRA~1\TEMP
2007-05-29 15:33 <DIR> d-------- C:\Programfiler\UltraISO
2007-05-29 15:33 <DIR> d-------- C:\Programfiler\Fellesfiler\EZB Systems
2007-05-15 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\WinZip
2007-05-14 11:25 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-05-14 11:24 <DIR> d-------- C:\Programfiler\PC Wizard 2007


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 06:50:50 -------- d-----w C:\DOCUME~1\xx\PROGRA~1\Skype
2007-06-13 06:45:58 72,780 ----a-w C:\WINDOWS\system32\perfc014.dat
2007-06-13 06:45:58 409,658 ----a-w C:\WINDOWS\system32\perfh014.dat
2007-06-12 12:44:06 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-06-12 12:25:22 -------- d-----w C:\DOCUME~1\xx\PROGRA~1\Azureus
2007-06-11 08:57:18 91,318 ----a-w C:\WINDOWS\system32\nvModes.dat
2007-06-08 08:27:01 -------- d-----w C:\DOCUME~1\xx\PROGRA~1\ZoomBrowser EX
2007-06-05 11:28:36 -------- d-----w C:\Programfiler\Mozilla Thunderbird
2007-06-04 07:05:57 -------- d-----w C:\Programfiler\Spyware Doctor
2007-06-01 08:40:05 -------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-05-30 15:22:51 -------- d-----w C:\Programfiler\MagicISO
2007-05-18 12:55:09 -------- d-----w C:\Programfiler\Reiseregningen
2007-05-10 08:20:35 -------- d-----w C:\Programfiler\Microsoft CAPICOM 2.1.0.2
2007-04-30 14:26:02 -------- d-----w C:\DOCUME~1\xx\PROGRA~1\Axialis
2007-04-30 14:25:49 -------- d-----w C:\Programfiler\Axialis
2007-04-30 14:12:17 -------- d-----w C:\Programfiler\AxiomX
2007-04-30 07:28:09 -------- d-----w C:\Programfiler\Replay Media Catcher
2007-04-18 16:15:14 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 11:46:28 -------- d-----w C:\Programfiler\2BrightSparks
2007-04-16 08:50:33 -------- d-----w C:\DOCUME~1\xx\PROGRA~1\SolidWorks
2007-03-17 13:45:38 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F85D76C-0569-466F-A488-493E6BD0E955}=C:\Programfiler\Windows Desktop Search\dsWebAllow.dll [2006-11-21 15:53]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-11-07 06:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Programfiler\Apoint\Apoint.exe" [2005-10-07 20:13]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"ISUSScheduler"="C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05]
"WinampAgent"="C:\Programfiler\Winamp\winampa.exe" [2006-06-21 19:14]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Siemens SmartSync - ScheduleSync"="C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE" [2005-03-16 10:15]
"IntelZeroConfig"="C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38]
"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32]
"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"nwiz"="nwiz.exe" [2006-05-01 15:46 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]
"BDNewsAgent"="C:\Programfiler\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 13:19]
"BDOESRV"="C:\Programfiler\Softwin\BitDefender8\bdoesrv.exe" [2005-03-11 19:53]
"BDMCon"="C:\Programfiler\Softwin\BitDefender8\bdmcon.exe" [2006-04-06 13:36]
"SDTray"="C:\Programfiler\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 14:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" [2005-09-25 19:11]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2007-03-16 20:25]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 15:50]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99545f96-dde8-11db-afe2-0016417589c6}]
AutoRun\command- H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9f817e1-9509-11db-af9d-0015c50a2c33}]
AutoRun\command- I:\Autorun.exe

*Newly Created Service* - NIPALK

Contents of the 'Scheduled Tasks' folder
2007-06-12 01:00:00 C:\WINDOWS\tasks\AntiSpywareBot Scheduled Scan.job
2007-06-13 06:44:34 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-06 11:12:18 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
2007-06-06 11:12:17 C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
2007-06-06 12:14:59 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
2007-06-06 12:14:57 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 08:58:25
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-13 8:59:37

--- E O F ---


BitDefender Online Scanner

Scan report generated at: Tue, Jun 12, 2007 - 13:54:01

Statistics
Time: 01:21:49
Files: 310872
Folders: 6964
Boot Sectors: 4
Archives: 5935
Packed Files: 16020

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 513125
Engine build: AVCORE v1.0 (build 2409) (i386) (May 9 2007 18:01:21)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions: (none)
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:39:26 13.06.2007

+ Scan result:



HKLM\SOFTWARE\Classes\Interface\{DB8CBF0C-D6D3-11D4-AA51-00A024EE30BD}\ProxyStubClsid32\\ -> Adware.RogueSuspect : Cleaned with backup (quarantined).
:mozilla.47:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.54:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.55:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.20:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.69:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.39:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.40:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.8:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Statistik-gallup : Cleaned.
:mozilla.72:D:\Mozilla\Firefox\xx\cookies.txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 09:15, on 2007-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Softwin\BitDefender Enterprise Manager\BitDefender Update Server\bdupdsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Programfiler\National Instruments\MAX\nimxs.exe
C:\Programfiler\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Programfiler\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\Spyware Doctor\svcntaux.exe
C:\Programfiler\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Windows Media Player\WMPNetwk.exe
C:\Programfiler\Fellesfiler\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programfiler\Canon\CAL\CALMAIN.exe
C:\Programfiler\Fellesfiler\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Programfiler\Fellesfiler\Softwin\BitDefender Local Manager\bdlm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Programfiler\Softwin\BitDefender Enterprise Manager\BitDefender Server\bdesvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programfiler\Apoint\Apoint.exe
C:\Programfiler\Apoint\HidFind.exe
C:\Programfiler\Apoint\Apntex.exe
C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Winamp\winampa.exe
C:\WINDOWS\stsystra.exe
C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\programfiler\softwin\bitdefender8\bdnagent.exe
C:\Programfiler\Softwin\BitDefender8\bdoesrv.exe
C:\Programfiler\Spyware Doctor\SDTrayApp.exe
C:\Programfiler\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Digital Line Detect\DLG.exe
c:\progra~1\felles~1\instal~1\update~1\isuspm.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Fellesfiler\Softwin\BitDefender Scan Server\bdss.exe
C:\Programfiler\Softwin\BitDefender8\vsserv.exe
c:\programfiler\softwin\bitdefender8\bdmcon.exe
C:\Programfiler\TextPad 4\TextPad.exe
C:\Programfiler\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://company.proxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programfiler\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Siemens SmartSync - ScheduleSync] C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BDNewsAgent] "c:\programfiler\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Programfiler\Softwin\BitDefender8\bdoesrv.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programfiler\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programfiler\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Programfiler\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Programfiler\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149226771894
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = company.domain
O17 - HKLM\Software\..\Telephony: DomainName = company.domain
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = company.domain
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Programfiler\Fellesfiler\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
O23 - Service: BitDefender Server (BDSRV) - Unknown owner - C:\Programfiler\Softwin\BitDefender Enterprise Manager\BitDefender Server\bdesvr.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programfiler\Fellesfiler\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Update Server (BDUPDSVR) - Unknown owner - C:\Programfiler\Softwin\BitDefender Enterprise Manager\BitDefender Update Server\bdupdsvr.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programfiler\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: BitDefender HTTP Server (HTTPSRV) - Unknown owner - C:\Programfiler\Fellesfiler\Softwin\BitDefender HTTP Server\http.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Programfiler\Fellesfiler\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Programfiler\National Instruments\MAX\nimxs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programfiler\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Programfiler\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Programfiler\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Programfiler\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programfiler\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programfiler\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programfiler\Spyware Doctor\swdsvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Programfiler\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programfiler\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programfiler\Fellesfiler\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
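
The log above is the O20/O21/O23 tail of a HijackThis report. As an added example (not part of the thread or of HijackThis itself), the PowerShell below does the first triage pass a reviewer makes on such lines: it flags O23 service entries whose binary is reported missing or whose publisher is "Unknown owner", and lists every O20 Winlogon Notify and O21 SSODL DLL, since those load at each logon and are a classic persistence location. The sample lines are constructed in HijackThis format; the names and paths in them are hypothetical.

```powershell
# Added example, not from the thread: a small triage pass over HijackThis
# O20/O21/O23 lines. Flags service entries whose binary is missing or whose
# publisher is "Unknown owner", and lists every Winlogon Notify / SSODL DLL.

# Constructed sample lines in HijackThis format (hypothetical names and paths).
$SampleLog = @'
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\exampleshell.dll
O23 - Service: Example AV Guard - Example Vendor Inc. - C:\Program Files\Example\guard.exe
O23 - Service: Leftover Scanner (LEFTSVC) - Unknown owner - C:\Program Files\Leftover\scan.exe" /service (file missing)
O23 - Service: oddsvc - Unknown owner - C:\WINDOWS\system32\oddsvc.exe
'@

function Get-HjtFinding {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        if ($line -match '^O23 - Service: (?<name>.+?) - (?<owner>.+?) - (?<path>.+)$') {
            # Copy the capture groups before any later -match overwrites $Matches.
            $name  = $Matches['name']
            $owner = $Matches['owner']
            $path  = $Matches['path']
            $reasons = @()
            if ($path.EndsWith('(file missing)')) {
                # HijackThis could not find the binary: an orphaned registration
                # left behind by an uninstaller, or a payload already removed.
                $reasons += 'binary missing; delete the stale service registration'
            } elseif ($owner -eq 'Unknown owner') {
                # No publisher in the version resource. Verify the file on disk
                # (hash, signature, location) before trusting it.
                $reasons += 'no publisher recorded; verify the file on disk'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Kind = 'Service'; Name = $name; Path = $path; Reason = ($reasons -join '; ') }
            }
        }
        elseif ($line -match '^O2[01] - (?<kind>Winlogon Notify|SSODL): (?<name>.+?) - (?<rest>.+)$') {
            # Winlogon Notify packages and ShellServiceObjectDelayLoad entries are
            # loaded at every logon, so each one is listed for publisher review.
            $dll = ($Matches['rest'] -split ' - ')[-1]
            [pscustomobject]@{ Kind = $Matches['kind']; Name = $Matches['name']; Path = $dll; Reason = 'loads at logon; confirm the publisher' }
        }
    }
}

Get-HjtFinding -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

Run against the sample, the two "Unknown owner" services and the two logon DLLs are listed with a reason each, while the service with a named publisher and a present binary is not. The "(file missing)" entries in the real log above are what this catches first: they are stale registrations rather than running code, which is why a clean verdict is still possible with them present.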

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:52 PM

Posted 13 June 2007 - 10:22 PM

Hello crimson697,


Your log looks clean! :thumbsup:

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: Only do this ONCE, NOT on a regular basis.

System Restore will now be active again.

Please read and follow How did I get infected?, with steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
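
The three-step System Restore reset in the reply above (turn off, restart, turn on) can be scripted with the built-in *-ComputerRestore cmdlets. The following is an added example, not from the reply or from BleepingComputer, and it assumes Windows PowerShell 2.0 or later on a client edition of Windows (the cmdlets are not present on Windows Server) run from an elevated prompt; the drive letter, the function names and the checkpoint description are assumptions. Step 2, the restart, is left to the operator exactly as the reply describes: run the first function, reboot, then run the second.

```powershell
# Added example, not from the thread: the reply's "turn off, restart, turn on"
# System Restore reset, scripted with the built-in *-ComputerRestore cmdlets.
# Assumes Windows PowerShell 2.0 or later on a client edition of Windows (the
# cmdlets do not exist on Windows Server), run from an elevated prompt.
# The drive letter and the checkpoint description are assumptions.

function Clear-RestorePoints {
    param([string]$Drive = 'C:\')
    # Step 1 of the reply. Turning System Restore off for a drive discards every
    # restore point on it, including any that captured infected files.
    Disable-ComputerRestore -Drive $Drive
    Write-Host "System Restore disabled on $Drive. Restart now (step 2), then run New-CleanBaseline."
}

function New-CleanBaseline {
    param(
        [string]$Drive = 'C:\',
        [string]$Description = 'Clean baseline after malware removal'
    )
    # Step 3 of the reply: re-enable protection so new restore points are taken again.
    Enable-ComputerRestore -Drive $Drive

    # Take one known-good point straight away. On Windows 8 and later,
    # Checkpoint-Computer creates at most one point per 24 hours by default,
    # which suits a one-off reset like this one.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Return the remaining restore points so the caller can confirm that only
    # the new baseline is present.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
}
```

As the reply stresses, this is done once after a cleanup, not routinely: every run throws away the rollback history, so the only point left afterwards is the one taken from the machine in its current state.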

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:52 PM

Posted 20 June 2007 - 04:48 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



