
Virtumonde, Smitfraud, Trojans Infections



#1 sonjicko


Posted 17 June 2007 - 07:43 PM

Hi

There are many weird things the laptop is doing:
the icon for the wireless radio has disappeared, the function buttons on the keyboard don't work,
when I'm using IE as a browser an advert pops up every second so I don't use it any more,
and in general it is very slow.

I have done everything as you described in the "Preparation Guide for use before posting a HijackThis Log".

So here it is:

Logfile of HijackThis v1.99.1
Scan saved at 00:40:41, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Martin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E30C4418-A38F-FF2E-D978-8AADDF932191} - C:\WINDOWS\system32\bghu.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gtuncnqj.exe] C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ohmt] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Ajnlrsk] "C:\Documents and Settings\Martin\Application Data\?ymbols\?serinit.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://landrover2amorepictures.spaces.msn....ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winorm32 - winorm32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I apologise for possible grammatical mistakes, English is not my first language.
Can you please help me to bring the laptop back to a normal working state?



#2 Falu


Posted 18 June 2007 - 03:16 PM

Hi sonjicko, :flowers:

We're studying your log right now and will be back to you as soon as possible.

Thanks for your patience. :thumbsup:

Edited by Falu, 18 June 2007 - 03:17 PM.


#3 sonjicko


Posted 18 June 2007 - 06:23 PM

Thank you :thumbsup:

I'm waiting for your instructions

#4 Falu


Posted 20 June 2007 - 03:33 PM

Hi sonjicko, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

I apologise for possible grammatical mistakes, English is not my first language.


That goes for me as well, so no apologies needed.

1.

Can you please help me to bring back laptop to normal working state?


We will do our best, that's for sure but to begin with:

Your log shows some very dangerous trojans are present on your computer: Troj/DwnLdr-GVG, which includes functionality to access the internet and communicate with a remote server via HTTP, and W32/Morbex-A!

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

2. Download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

3. Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please post the SUPERAntiSpyware report along with combofix.txt and a fresh HijackThis log.
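An added example, not part of this thread and not code from HijackThis, ComboFix or SUPERAntiSpyware: a small Python triage pass over lines copied from sonjicko's HijackThis log above. It flags the things a helper checks first in such a log: a svchost.exe or mshta.exe living anywhere but \system32, executables running or auto-starting from an Application Data folder, paths containing characters HijackThis could not render (shown as ?), and load points whose file is already gone. The rule names, the Finding class and the SYSTEM32_ONLY list are my own choices; the rules are triage hints to read by hand, not verdicts.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted earlier in this
# thread (the bare paths come from its "Running processes" section).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E30C4418-A38F-FF2E-D978-8AADDF932191} - C:\WINDOWS\system32\bghu.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [gtuncnqj.exe] C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
O4 - HKCU\..\Run: [Ohmt] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Ajnlrsk] "C:\Documents and Settings\Martin\Application Data\?ymbols\?serinit.exe"
O20 - Winlogon Notify: winorm32 - winorm32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Windows binaries with exactly one legitimate home, %SystemRoot%\system32.
# A same-named file anywhere else (C:\WINDOWS\svchost.exe, a copy of mshta.exe
# under Common Files) is the look-alike trick visible in this thread's log.
# Hypothetical list assembled for this example; extend it for your own triage.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "csrss.exe", "smss.exe", "mshta.exe", "rundll32.exe"}

# A drive-letter path ending in an executable/library extension; non-greedy so
# it stops at the first extension even when the path contains spaces.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|scr|hta|bat|cmd))\b', re.I)
# Fallback for load points that only name the file (O20 ... winorm32.dll).
NAME_RE = re.compile(r"(\S+\.(?:exe|dll))", re.I)


@dataclass
class Finding:
    rule: str   # rule name, chosen for this example
    path: str   # the path or file name the rule fired on
    line: str   # the original log line, kept for the report


def extract_path(line: str):
    """Return the first executable/library path (or bare file name) on a line."""
    m = PATH_RE.search(line) or NAME_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> list:
    """Apply the triage heuristics to one HijackThis line."""
    findings = []
    path = extract_path(line)
    if path is None:
        return findings
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    # A load point whose file is gone still deserves cleanup: it is a leftover
    # of something that was installed, and the file may be re-created.
    if "(file missing)" in line.lower():
        findings.append(Finding("dangling_loadpoint", path, line))
    # Core system binary names living anywhere but \system32.
    if name in SYSTEM32_ONLY and not directory.endswith("\\system32"):
        findings.append(Finding("system_binary_name_outside_system32", path, line))
    # Executables running or auto-starting from a profile's Application Data
    # folder (long or 8.3 form): sometimes legitimate, always worth a look.
    if re.search(r"\\(application data|applic~1)\\", low):
        findings.append(Finding("runs_from_application_data", path, line))
    # HijackThis prints characters it cannot render as '?'; folder or file
    # names containing such characters are not how normal software installs.
    if "?" in path:
        findings.append(Finding("unrenderable_chars_in_path", path, line))
    return findings


def triage(text: str) -> list:
    """Run triage_line over every non-empty line of a HijackThis log."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


def summarize(findings) -> dict:
    """Count findings per rule, e.g. {'dangling_loadpoint': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.path}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```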

#5 sonjicko


Posted 21 June 2007 - 07:33 AM

Hi Falu

Thank you for your reply, I started changing passwords...

The link for Combofix is not working, I get a window with this:
404 Not Found
The requested URL '/sUBs/combofix.exe' was not found on this server.
thttpd/2.25b 29dec2003


:thumbsup:

So what to do now?

#6 Falu


Posted 21 June 2007 - 08:47 AM

Hi sonjicko :thumbsup:

It worked when I posted but it doesn't anymore. Try this one:

Combofix

#7 sonjicko


Posted 21 June 2007 - 04:42 PM

Hi Falu

Here are the logs:


ComboFix 07-06-21.3 - C:\Documents and Settings\Martin\Desktop\ComboFix.exe
"Martin" - 2007-06-21 16:11:38 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Martin\APPLIC~1.\ymbols~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\svchost.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\wnsapisv32.exe


((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-21 16:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-21 14:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-21 14:13 <DIR> d-------- C:\DOCUME~1\Martin\APPLIC~1\SUPERAntiSpyware.com
2007-06-21 14:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-19 20:26 914 --a------ C:\pmcubosf3.exe
2007-06-19 20:26 914 --a------ C:\pmcubosf1.exe
2007-06-18 00:02 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-18 00:01 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-06-18 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-18 00:01 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-17 23:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-17 22:58 <DIR> d-------- C:\WINDOWS\system32\pmcubosf
2007-06-17 22:16 66,451 --a------ C:\pmcubosf2.exe
2007-06-17 20:57 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-17 20:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-17 19:36 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-17 18:30 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-17 18:03 <DIR> d-------- C:\DOCUME~1\Martin\.housecall6.6
2007-06-12 23:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-11 00:57 <DIR> d-------- C:\VundoFix Backups
2007-06-10 23:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-10 16:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-10 16:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 16:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-30 17:33 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-30 14:21 <DIR> d-------- C:\DOCUME~1\Martin\APPLIC~1\Talkback
2007-05-30 14:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-29 12:25 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-29 12:25 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-29 12:25 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-28 21:03 98,304 --a------ C:\WINDOWS\system32\lffax13n.dll
2007-05-28 21:03 155,648 --a------ C:\WINDOWS\system32\lftif13n.dll
2007-05-28 21:03 1,693,696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2007-05-27 20:12 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-05-27 20:12 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-05-27 20:12 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-27 17:16 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-05-27 12:47 206 --a------ C:\WINDOWS\g2312785.exe
2007-05-27 11:30 206 --a------ C:\WINDOWS\g991826.exe
2007-05-27 11:19 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-05-27 11:09 206 --a------ C:\WINDOWS\g7738076.exe
2007-05-27 10:55 206 --a------ C:\WINDOWS\g6896616.exe
2007-05-27 00:59 206 --a------ C:\WINDOWS\g23094297.exe
2007-05-27 00:39 206 --a------ C:\WINDOWS\g21893721.exe
2007-05-27 00:19 206 --a------ C:\WINDOWS\g20696840.exe
2007-05-26 23:59 206 --a------ C:\WINDOWS\g19489905.exe
2007-05-26 23:39 206 --a------ C:\WINDOWS\g18289689.exe
2007-05-26 23:19 206 --a------ C:\WINDOWS\g17089763.exe
2007-05-26 22:59 206 --a------ C:\WINDOWS\g15889267.exe
2007-05-26 22:39 206 --a------ C:\WINDOWS\g14689872.exe
2007-05-26 22:19 206 --a------ C:\WINDOWS\g13489987.exe
2007-05-26 21:59 206 --a------ C:\WINDOWS\g12290152.exe
2007-05-26 21:39 206 --a------ C:\WINDOWS\g11090206.exe
2007-05-26 21:19 206 --a------ C:\WINDOWS\g9891503.exe
2007-05-26 20:59 206 --a------ C:\WINDOWS\g8686009.exe
2007-05-26 20:39 206 --a------ C:\WINDOWS\g7486214.exe
2007-05-26 20:19 206 --a------ C:\WINDOWS\g6298096.exe
2007-05-26 19:59 206 --a------ C:\WINDOWS\g5076950.exe
2007-05-26 19:39 206 --a------ C:\WINDOWS\g3876504.exe
2007-05-26 19:19 206 --a------ C:\WINDOWS\g2676889.exe
2007-05-26 18:59 206 --a------ C:\WINDOWS\g1475000.exe
2007-05-26 18:39 206 --a------ C:\WINDOWS\g274124.exe
2007-05-26 00:44 <DIR> d-------- C:\DOCUME~1\Martin\APPLIC~1\Google
2007-05-26 00:32 <DIR> d-------- C:\Program Files\Google
2007-05-26 00:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 19:37:13 -------- d-----w C:\Program Files\MSN Messenger
2007-06-17 19:32:27 -------- d-----w C:\Program Files\Digital Line Detect
2007-06-12 21:44:52 -------- d-----w C:\DOCUME~1\Martin\APPLIC~1\Skype
2007-05-30 20:39:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-30 20:38:36 -------- d-----w C:\Program Files\Winamp
2007-05-27 10:46:04 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-05-25 22:44:34 14 ----a-w C:\WINDOWS\system32\getfile.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-27 19:46:37 -------- d-----w C:\Program Files\CDex150
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-25 11:33:11 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-22 17:00:14 -------- d-----w C:\DOCUME~1\Martin\APPLIC~1\Help
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-09-02 09:05]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]
{E30C4418-A38F-FF2E-D978-8AADDF932191}=C:\WINDOWS\system32\bghu.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 07:32 C:\WINDOWS\system32\S3Tray2.exe]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 11:12 C:\WINDOWS\system32\tp4serv.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 02:39]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" []
"TP4EX"="tp4ex.exe" [2002-09-04 09:05 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 10:04]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-06-25 23:39]
"UC_SMB"="" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 20:12]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 09:37]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 09:37]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 09:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-14 22:36]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-27 20:09]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Ohmt"="C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" []
"Ajnlrsk"="C:\Documents and Settings\Martin\Application Data\?ymbols\?serinit.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winorm32]
winorm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli pwdmon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL

Contents of the 'Scheduled Tasks' folder
2005-09-11 10:33:10 C:\WINDOWS\tasks\BMMTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 16:15:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 16:16:01
C:\ComboFix-quarantined-files.txt ... 2007-06-21 16:15

--- E O F ---





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/21/2007 at 05:51 PM

Application Version : 3.8.1002

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:29:47

Memory items scanned : 360
Memory threats detected : 0
Registry items scanned : 4665
Registry threats detected : 10
File items scanned : 41009
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Martin\Cookies\martin@serving-sys[1].txt
C:\Documents and Settings\Martin\Cookies\martin@bs.serving-sys[1].txt

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Documents and Settings\Martin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Martin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Martin\Start Menu\Programs\Outerinfo

Trojan.Downloader-SVCHost/Fake
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\SVCHOST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SVCHOST.EXE.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSAPISV32.EXE.VIR




Logfile of HijackThis v1.99.1
Scan saved at 19:49:00, on 21/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Martin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E30C4418-A38F-FF2E-D978-8AADDF932191} - C:\WINDOWS\system32\bghu.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ohmt] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Ajnlrsk] "C:\Documents and Settings\Martin\Application Data\?ymbols\?serinit.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://landrover2amorepictures.spaces.msn....ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winorm32 - winorm32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Huh! Good luck :huh:

#8 Falu (Security Colleague)

Posted 23 June 2007 - 10:23 AM

Hi sonjicko, :thumbsup:

1. Please disable SuperAntispyware since it may interfere with the fixes we are going to make.

Right-click on the shortcut from the system tray, choose View Control Center (preferences/options), on the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts, click Close to exit.

You may enable it again once you're clean; I will let you know.

2. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: (no name) - {E30C4418-A38F-FF2E-D978-8AADDF932191} - C:\WINDOWS\system32\bghu.dll (file missing)
O4 - HKCU\..\Run: [Ohmt] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Ajnlrsk] "C:\Documents and Settings\Martin\Application Data\?ymbols\?serinit.exe"
O20 - Winlogon Notify: winorm32 - winorm32.dll (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

4. Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip (right-click and choose Extract all) the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Program Files\Common Files\fnts~1
C:\Documents and Settings\Martin\Application Data\ymbols~1
C:\WINDOWS\system32\winorm32.dll
C:\pmcubosf3.exe
C:\pmcubosf1.exe
C:\WINDOWS\system32\pmcubosf
C:\pmcubosf2.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\g2312785.exe
C:\WINDOWS\g991826.exe
C:\WINDOWS\g7738076.exe
C:\WINDOWS\g6896616.exe
C:\WINDOWS\g23094297.exe
C:\WINDOWS\g21893721.exe
C:\WINDOWS\g20696840.exe
C:\WINDOWS\g19489905.exe
C:\WINDOWS\g17089763.exe
C:\WINDOWS\g15889267.exe
C:\WINDOWS\g14689872.exe
C:\WINDOWS\g13489987.exe
C:\WINDOWS\g12290152.exe
C:\WINDOWS\g11090206.exe
C:\WINDOWS\g9891503.exe
C:\WINDOWS\g8686009.exe
C:\WINDOWS\g7486214.exe
C:\WINDOWS\g6298096.exe
C:\WINDOWS\g5076950.exe
C:\WINDOWS\g3876504.exe
C:\WINDOWS\g2676889.exe
C:\WINDOWS\g1475000.exe
C:\WINDOWS\g274124.exe


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

5. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u1). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u1
6. Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Please post the F-Secure report along with a fresh HijackThis log!

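As an added illustration of the triage done in step 2 above (example code written for this page, not part of the original thread and not part of HijackThis), here is a small Python parser that applies the same heuristics to HijackThis v1.99 log lines. The rules and the sample lines are assumptions modelled on the entries that were fixed: a nameless O2 BHO whose DLL is missing, O4 Run entries that start something from a user profile data folder or whose path HijackThis prints with "?" (characters it could not display), a Windows binary name such as mshta.exe launched from a copy outside C:\WINDOWS, and O20 Winlogon Notify DLLs that are registered but absent from disk.

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: Windows binaries that should not normally be started from a copy
# living outside C:\WINDOWS (the thread's [Ohmt] entry runs mshta.exe from
# C:\PROGRA~1\COMMON~1\FNTS~1).
SYSTEM_BINARIES = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe",
                   "userinit.exe", "explorer.exe", "winlogon.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)

# Constructed sample: lines shaped like the ones in the thread, plus benign ones.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {E30C4418-A38F-FF2E-D978-8AADDF932191} - C:\\WINDOWS\\system32\\bghu.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKCU\\..\\Run: [Ohmt] "C:\\PROGRA~1\\COMMON~1\\FNTS~1\\mshta.exe" -vt yazb
O4 - HKCU\\..\\Run: [Ajnlrsk] "C:\\Documents and Settings\\Martin\\Application Data\\?ymbols\\?serinit.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [TPKMAPHELPER] C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper
O20 - Winlogon Notify: winorm32 - winorm32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # which heuristic fired
    line: str      # the log line as written


# "O4 - HKCU\..\Run: [Name] <path and arguments>"
_O4_RE = re.compile(r"^O4 - [^:]*: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")


def autorun_path(rest: str) -> str:
    """Return the launched file from the text that follows [Name] in an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):  # quoted path; arguments follow the closing quote
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # unquoted: take everything up to the first executable-looking extension
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:[\s,]|$)", rest, re.IGNORECASE)
    return m.group(1) if m else (rest.split()[0] if rest else "")


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics above to every line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O2" and "(no name)" in line and "(file missing)" in line:
            findings.append(Finding(section, "nameless BHO whose DLL is gone", line))
        elif section == "O4":
            m = _O4_RE.match(line)
            if not m:  # Startup-folder entries are not in [Name] form
                continue
            path = autorun_path(m.group("rest"))
            plow = path.lower()
            base = PureWindowsPath(path).name.lower()
            if "?" in path:
                findings.append(Finding(section, "path contains characters HijackThis could not display", line))
            if "\\application data\\" in plow or "\\local settings\\" in plow:
                findings.append(Finding(section, "autorun launched from the user profile data directory", line))
            if base in SYSTEM_BINARIES and not plow.startswith(WINDOWS_DIRS):
                findings.append(Finding(section, f"{base} launched from outside C:\\WINDOWS", line))
        elif section == "O20" and "(file missing)" in line:
            findings.append(Finding(section, "Winlogon Notify DLL registered but not on disk", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it on a saved log with triage(open(path).read()). Every finding is a candidate for a human to check, not a verdict: a vendor tool that installs under Application Data will trip the same rule, which is exactly why the thread asks for the full log rather than a single line.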
#9 sonjicko (Topic Starter)

Posted 24 June 2007 - 06:24 PM

Hello hello :thumbsup:



F-Secure report:

Scanning Report
Sunday, June 24, 2007 22:46:10 - 23:30:00

Computer name: LAPTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 0 malware found
Statistics
Scanned:

* Files: 26696
* System: 4049
* Not scanned: 4

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{DD633533-3859-4C6B-BDEA-B883C0E9BBD9}.BIN

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-06-21
* F-Secure AVP: 7.0.171, 2007-06-23
* F-Secure Orion: 1.2.37, 2007-06-24
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Pegasus: 1.19.0, 2007-05-20

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics




HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:35:38, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Martin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://landrover2amorepictures.spaces.msn....ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 Falu (Security Colleague)

Posted 25 June 2007 - 06:14 AM

Hi sonjicko, :flowers:

Two very clean logs so you're ready to go, but first:

1. Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start>Help and Support>Undo changes to your computer with System Restore
Click Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

2. You may enable SUPERAntiSpyware if you want to:

Right-click on the shortcut from the system tray, choose View Control Center (preferences/options), on the General and Startup tab, check, Start SUPERAntispyware when Windows starts, click Close to exit.

3. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend you read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:

#11 sonjicko (Topic Starter)

Posted 27 June 2007 - 03:34 PM

Hi Falu :flowers:

Thank you very much!

:thumbsup: