Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Iexplore.exe Backdoor At Bootup


  • This topic is locked This topic is locked
8 replies to this topic

#1 tjo123

tjo123

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 19 June 2007 - 06:54 AM

Problem:

* IEXPLORE.EXE starts when my PC boots up. Have to kill it in task manager. Sometimes (50%), explorer.exe hangs, so I can not use taskbar etc. Have to restart explorer in task manager.

* At boot up IEXPLORE tries to access a german IP address on port 81.

* When not cleaning up the IEXPLORE process at startup, my PC is sooooo slow, and hangs (have to to CTRL+ALT+DEL to get keyboard control).

What I have tried:
- delete all non-necessary startup entries
- diabling all non-neccessary services

- disabling windows recovery, boot up in safe-mode and run the following tools:
* Windows Defender virus scan
* Norman virus scan
* Ad Aware malware scan
* Avast! virus scasn
* a-squared anti malware scan
* Spybot
* XoftSpySE
* Spyware Doctor
* Ewido AVG Anti-Spyware
* Kaspersky online virus scan

Actually a-squared and XoftSpySE were the only tools finding anything abnormal. a-squared popped up a message that the IEXPLORE process was trying to access my Internet connection, and I could use a-square to quarentine Internet Explorer. But I would really like to get rid of this Trojan; I'm so close to clean installing my XP box now .....


Here is the hijackthis scan right after booup of pc, I HAVE NOT started the IEXPLORE.EXE process

Logfile of HijackThis v1.99.1
Scan saved at 13:48:06, on 19.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Norman\Npf\Bin\Npfc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Norman\Npf\Bin\npfmsg2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

BC AdBot (Login to Remove)

 


#2 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:01:53 PM

Posted 19 June 2007 - 05:03 PM

Hey tjo123

Msconfig

Its important that we know which files are loading when your computer starts up. Disabling items on startup only makes the process longer because we can't see what we are dealing with.

1. Click Start, select Run and type: msconfig
2. Select the General tab and choose Normal Startup - load all device drivers and services.
3. Click Apply and OK but DO NOT REBOOT!

If you reboot your computer any malicious files will only infect your system more! Please can you then post a fresh Hijackthis log.
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#3 tjo123

tjo123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 21 June 2007 - 02:26 PM

Hi.

Here is the log after setting up normal startup in msconfig:

Logfile of HijackThis v1.99.1
Scan saved at 21:24:37, on 21.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Npf\Bin\npfmsg2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#4 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:01:53 PM

Posted 22 June 2007 - 07:23 AM

Hey tjo123

Two Anti-Virus Products

I do not recommend that you have more than one Anti-Virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other Anti-Virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened - again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norman or Avast.

==========

ComboFix

Please download ComboFix.exe (by sUBs)

Double click ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note : Do not mouseclick ComboFix's window whilst it's running! That may cause it to stall.

==========

Jamie :thumbsup:
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#5 tjo123

tjo123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 23 June 2007 - 04:39 AM

JamieLaw,

ComboFix.txt:
ComboFix 07-06-18.2 - C:\tmp\ComboFix.exe
"deleted" - 2007-06-23 11:16:35 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 11:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 10:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-22 10:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-22 10:23 <DIR> d-------- C:\DOCUME~1\deleted\APPLIC~1\SUPERAntiSpyware.com
2007-06-19 10:29 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-19 10:19 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-19 10:19 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-19 10:19 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-19 10:19 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-19 10:19 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-19 10:19 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-19 10:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-19 10:19 <DIR> d-------- C:\DOCUME~1\deleted\APPLIC~1\PC Tools
2007-06-18 21:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-18 21:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-18 20:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-18 20:06 <DIR> d-------- C:\Program Files\BHODemon 2
2007-06-18 17:20 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-06-18 17:20 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-06-18 17:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-18 17:16 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-18 14:19 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-06-18 12:44 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-17 16:23 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-17 16:10 <DIR> d-------- C:\WINDOWS\pss
2007-06-17 14:28 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-17 14:28 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-17 14:28 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-17 14:28 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-17 14:28 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-17 14:28 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-17 14:28 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-17 14:28 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-17 12:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-15 12:48 <DIR> d--h----- C:\WINDOWS\system32\Systemfiles
2007-06-11 14:35 <DIR> d-------- C:\DOCUME~1\deleted\APPLIC~1\OpenOffice.org2
2007-06-11 14:32 <DIR> d-------- C:\Program Files\OpenOffice.org 2.2
2007-06-10 11:42 630,784 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2007-06-10 11:42 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2007-06-10 11:42 50,176 --a------ C:\WINDOWS\system32\ANIO64.sys
2007-06-10 11:42 49,152 --a------ C:\WINDOWS\system32\JJAKEn.dll
2007-06-10 11:42 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2007-06-10 11:42 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2007-06-10 11:42 24,288 --a------ C:\WINDOWS\system32\ANIO.sys
2007-06-10 11:42 237,568 --a------ C:\WINDOWS\system32\wlanapi.dll
2007-06-10 11:42 204,800 --a------ C:\WINDOWS\system32\aIPH.dll
2007-06-10 11:42 163,840 --a------ C:\WINDOWS\system32\WlanApp.dll
2007-06-10 11:42 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2007-06-10 11:42 1,327,189 --a------ C:\WINDOWS\system32\odSupp_M.dll
2007-06-10 11:42 <DIR> d-------- C:\Program Files\D-Link
2007-06-10 11:42 <DIR> d-------- C:\Program Files\ANI
2007-06-10 11:37 71,936 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-06-10 11:37 55,936 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2007-06-10 11:37 27,136 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2007-06-10 11:37 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2007-06-09 21:30 <DIR> d-------- C:\Program Files\URUSoft
2007-06-08 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-07 19:51 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2007-06-07 19:51 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2007-06-07 19:31 87,608 --a------ C:\DOCUME~1\deleted\APPLIC~1\inst.exe
2007-06-07 19:31 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-06-07 19:31 47,360 --a------ C:\DOCUME~1\deleted\APPLIC~1\pcouffin.sys
2007-06-07 19:31 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2007-06-07 19:31 <DIR> d-------- C:\Program Files\VSO
2007-06-07 19:31 <DIR> d-------- C:\DOCUME~1\deleted\APPLIC~1\Vso
2007-06-07 11:21 <DIR> d-------- C:\DOCUME~1\deleted\APPLIC~1\Ahead
2007-06-07 11:17 <DIR> d-------- C:\Program Files\Nero
2007-06-07 11:17 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-07 11:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 09:05:36 5 ----a-w C:\NPF_USER.DAT
2007-06-19 11:34:52 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\Azureus
2007-06-18 14:23:23 -------- d-----w C:\Program Files\Motherboard Monitor 5
2007-06-18 13:21:43 -------- d-----w C:\Program Files\Pegasys Inc
2007-06-11 12:36:17 -------- d-----w C:\Program Files\OpenOffice.org1.1.1
2007-06-11 12:33:10 -------- d-----w C:\Program Files\Prime95
2007-06-11 12:30:18 -------- d-----w C:\Program Files\Mozilla Firefox 2 Beta 1
2007-06-11 12:29:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-08 09:27:27 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\dvdcss
2007-06-07 08:51:05 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\SmartFTP
2007-06-06 12:40:32 -------- d-----w C:\Program Files\Common Files\Nikon
2007-06-06 12:33:56 -------- d-----w C:\Program Files\Ahead
2007-06-02 12:46:44 -------- d-----w C:\Program Files\Azureus
2007-05-31 12:51:22 17,464 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys
2007-05-22 08:54:41 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-20 09:21:55 -------- d-----w C:\Program Files\FotoKnudsen FotoBok
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 19:03:24 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-10 19:01:30 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-05-10 08:50:50 -------- d-----w C:\Program Files\iVisit
2007-05-09 19:50:12 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\Skype
2007-05-08 08:04:23 -------- d-----w C:\Program Files\iTunes
2007-05-08 07:55:40 -------- d-----w C:\Program Files\iPod
2007-05-08 07:54:14 -------- d-----w C:\Program Files\QuickTime
2007-05-08 07:51:12 -------- d-----w C:\Program Files\Apple Software Update
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 17:42:47 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\muvee Technologies
2007-04-23 18:09:10 -------- d-----w C:\DOCUME~1\deleted\APPLIC~1\Alien Skin
2007-04-23 17:48:43 -------- d-----w C:\Program Files\Alien Skin
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-12-27 13:19:13 108 --sha-r C:\WINDOWS\neoqaz2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^deleted^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
path=C:\Documents and Settings\deleted\Start Menu\Programs\Startup\BHODemon 2.0.lnk
backup=C:\WINDOWS\pss\BHODemon 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
"C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50e53a20-f4b8-11d9-8d13-806d6172696f}]
AutoRun\command- G:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-18 15:20:52 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-06-15 15:17:03 C:\WINDOWS\tasks\1-Klick-Wartung.job
2007-06-08 08:13:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-23 09:27:38 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-06-21 17:30:12 C:\WINDOWS\tasks\SyncBack Backup_Bilder.job
2007-06-19 15:00:13 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-19 08:29:11 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 11:24:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-23 11:29:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-23 11:29

--- E O F ---


Here is the ComboFix-quarantined-files.txt:
2007-06-23 11:21	  1302	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NM.reg.cf
2007-06-23 11:21	  24684	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
2007-06-23 11:21	  276	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf


Folder PATH listing
Volume serial number is 80FE-B221
C:\QOOBOX
\---Quarantine
	\---Registry_backups
			LEGACY_NM.reg.cf
			LEGACY_NPF.reg.cf
			services_nm.reg.cf


#6 tjo123

tjo123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 23 June 2007 - 04:49 AM

After ComboFix booted the PC, the IEXPLORE.EXE process still started.

At this point, I will almost certainly do a clean install anyway, but I'm curious about what this is. This is the first time my PC is getting infected, and for sure the first time I can not fix a PC problem myself. So it would be cool to find out what this is.

#7 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:01:53 PM

Posted 24 June 2007 - 04:22 PM

Hey tjo123

Clean Out Temporary Files

Please download ATF Cleaner (by Atribune)

Double-click ATF-Cleaner.exe to run it.

Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
Note : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
Note : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

==========

Kaspersky Online Scanner

Go to http://www.kaspersky.com/virusscanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.
==========

Jamie :thumbsup:
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#8 tjo123

tjo123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 25 June 2007 - 03:55 AM

JamieLaw,

Here is the log from the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 25, 2007 10:48:36 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/06/2007
Kaspersky Anti-Virus database records: 352086
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\torgeir\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 25947
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:32:52

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4A8DB313-BC75-4E81-92F3-7D9CE9E9AD44}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Logfiles\W3SVC1\ex070625.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:52:56, on 25.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Npf\Bin\Npfc.exe
C:\Norman\Npf\Bin\npfmsg2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#9 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:01:53 PM

Posted 27 June 2007 - 01:54 AM

Hey tjo123


Upload Files

You have a file(s) of interest to us. It would help the detection rates of the tools we use by getting hold of samples of these infections.

1. Please download Suspicious File Packer.
2. Then restart your computer in safe mode.
3. Double-click Suspicious File Packer. Then copy and paste this list of files:

C:\WINDOWS\neoqaz2.dll

4. Then click Continue. Close the program down.
5. Restart your computer in normal mode.
6. On your desktop should be a file like this: requested-files[2007-06-20_15_36].cab.
7. Open up Submit Files!
8. Then fill in the details:

Link: http://www.bleepingcomputer.com/forums/t/96548/iexploreexe-backdoor-at-bootup/
File: Locate your file: requested-files[2007-06-20_15_36].cab

9. Then click Send File.

==========

Msconfig

Its important that we know which files are loading when your computer starts up. Disabling items on startup only makes the process longer because we can't see what we are dealing with.

1. Click Start, select Run and type: msconfig
2. Select the General tab and choose Normal Startup - load all device drivers and services.
3. Click Apply and OK but DO NOT REBOOT!

If you reboot your computer any malicious files will only infect your system more! Please could you then post a Hijackthis log.

==========

Jamie :thumbsup:
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users