[Resolved] Spyware still running


12 replies to this topic

#1 Baard Larsen
New Member, 7 posts

Posted 09 December 2007 - 04:58 PM

Sirs/Madams:
Could anyone help me with a problem regarding spyware/malware not being deleted?
Spybot S&D and PC-cillin Pro 2008 did not do the trick.
Neither did Spyhunter 3.2.

Anyone?

Best regards,

Baard Larsen

Logfile of Trend Micro HijackThis
Scan saved at 23:56:01, on 09.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\SCardSvr.exe
C:\WINXP\Explorer.EXE
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINXP\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINXP\system32\svchost.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINXP\System32\alg.exe
C:\WINXP\system32\rundll32.exe
C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINXP\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\Enterprise.exe
C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\OWP1FF.tmp\setup.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Source Engine\OSE.EXE
C:\WINXP\system32\msiexec.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINXP\system32\SearchIndexer.exe
C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\HiJackThis_v2.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINXP\system32\notepad.exe
C:\WINXP\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LOS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=
O1 - Hosts file is located at: C:\WINXP\System32\drivers\etc\hosts
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINXP\system32\yayvtur.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9B29897F-507D-4351-9DC0-70236AD2CA0D} - C:\WINXP\system32\ddaby.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [LaunchList] C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\programfiler\bonjour\mdnsnsp.dll' missing
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186952911120
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.buypass.n...ogram/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: yayvtur - yayvtur.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINXP\system32\drivers\pclepci.sys
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8024 bytes

Attached Files
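The HijackThis log above is what the helpers read by eye. As an added example (not part of the thread, and not code from HijackThis or Trend Micro), here is a small Python triage script that parses lines in that log format and flags the entry types that stand out in this particular log: an emptied `system.ini Shell=`, unnamed BHOs loading DLLs straight from system32, a broken Winsock LSP chain, and a Winlogon Notify DLL that is missing on disk. The sample log is constructed from lines quoted in the post; the heuristics, regexes and function names are my own assumptions, and a flag means "look at this line", not "this is malware".

```python
"""Triage a HijackThis v2 log for the entry types that drew attention in this thread.

Heuristics only: a flag means "review this line", not "this is malware".
The sample log at the bottom is constructed from lines quoted in the forum post.
"""
import re
from typing import Dict, List

# Every HJT entry has the shape "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O20 body: "Winlogon Notify: <key> - <dll>[ (file missing)]"
NOTIFY_RE = re.compile(
    r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>.*?)(?P<missing> \(file missing\))?$"
)
# A DLL sitting directly in %SystemRoot%\system32 (any drive/Windows dir name).
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def flag_entry(section: str, body: str) -> List[str]:
    """Return human-readable reasons an entry deserves a second look (empty if none)."""
    reasons: List[str] = []
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        # A blank Shell= in system.ini is not a default Windows setting.
        if body.split("=", 1)[1].strip() == "":
            reasons.append("system.ini Shell= has been emptied")
    elif section == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)":
            reasons.append("BHO registered without a name")
            if SYSTEM32_DLL_RE.search(m.group("path")):
                reasons.append("unnamed BHO loads a DLL straight from system32")
    elif section == "O20":
        m = NOTIFY_RE.match(body)
        if m:
            reasons.append("Winlogon Notify DLL is loaded by winlogon; verify the publisher")
            if m.group("missing"):
                reasons.append("Winlogon Notify DLL is missing on disk (half-removed component)")
    elif section == "O10":
        if "Broken Internet access" in body or "Unknown file in Winsock LSP" in body:
            reasons.append("Winsock LSP chain needs attention")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines and non-entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        reasons = flag_entry(m.group("section"), m.group("body"))
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample: a subset of the lines quoted in the first post of the thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programfiler\\Fellesfiler\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\\WINXP\\system32\\yayvtur.dll
O2 - BHO: (no name) - {9B29897F-507D-4351-9DC0-70236AD2CA0D} - C:\\WINXP\\system32\\ddaby.dll
O10 - Broken Internet access because of LSP provider 'c:\\programfiler\\bonjour\\mdnsnsp.dll' missing
O20 - Winlogon Notify: yayvtur - yayvtur.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\\Programfiler\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run against the two HijackThis logs in this thread, the script flags five lines in the first and none in the second, which mirrors what the helper concluded after ComboFix ran.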




#2 MrCharlie
SuperMember, Malware Team, 2,949 posts

Posted 10 December 2007 - 07:00 PM

Welcome to the forum.

1. Clean out temp files: ATF Cleaner
Download ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All (cookies optional)
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All (cookies optional)
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All (cookies optional)
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

---------------------------

Download combofix.exe To Your Desktop from the link below:
http://download.blee...Bs/ComboFix.exe

Double click combofix.exe & follow the prompts.
A window will open with a warning.
Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window.
Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

-----------------

Next.......

Please download SUPERAntiSpyware Home Edition (free)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions; click Yes. Let it through your firewall!
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Ignore System Restore/Volume Information on ME and XP
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information - please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything, then right-click and choose copy.
  • Click close and close again to exit the program.
Now please paste the removal information along with a fresh HijackThis log and the log from ComboFix in your reply. If it's a large log, you may need several replies to post it.

MrC


#3 Baard Larsen
New Member, 7 posts

Posted 11 December 2007 - 10:56 AM

Hi there.
And thanks a lot for the reply.
My log files for ComboFix and HijackThis are attached.
As I have Trend Micro PC-cillin 2008 Pro installed, I have not installed another antivirus program.
But a PCC scan shows no hits.

Does this mean I am clean?

Best regards,
Baard Larsen

-----------------------------------------------
ComboFix 07-12-09.1 - Baard Larsen 2007-12-11 17:40:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.469 [GMT 1:00]
Running from: C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programfiler\SecCenter
C:\WINXP\cookies.ini
C:\WINXP\system32\awvvw.dll
C:\WINXP\system32\bjlsruxq.dll
C:\WINXP\system32\ddabb.dll
C:\WINXP\system32\ddaby.dll
C:\WINXP\system32\ddayy.dll
C:\WINXP\system32\fpdsjqfs.dll
C:\WINXP\system32\gebya.dll
C:\WINXP\system32\geeby.dll
C:\WINXP\system32\geedb.dll
C:\WINXP\system32\hjigxius.dll
C:\WINXP\system32\jkkklli.dll
C:\WINXP\system32\ljjjigd.dll
C:\WINXP\system32\mlljk.dll
C:\WINXP\system32\mllml.dll
C:\WINXP\system32\nuinopsd
C:\WINXP\system32\nuinopsd\bg1.gif
C:\WINXP\system32\nuinopsd\bgtop.gif
C:\WINXP\system32\nuinopsd\bottom1.gif
C:\WINXP\system32\nuinopsd\essentials.gif
C:\WINXP\system32\nuinopsd\icon1.ico
C:\WINXP\system32\nuinopsd\install1.gif
C:\WINXP\system32\nuinopsd\left1.gif
C:\WINXP\system32\nuinopsd\li.gif
C:\WINXP\system32\nuinopsd\logo.gif
C:\WINXP\system32\nuinopsd\main.htm
C:\WINXP\system32\nuinopsd\mainframe.htm
C:\WINXP\system32\nuinopsd\nuinopsd1.exe
C:\WINXP\system32\nuinopsd\reinstall1.gif
C:\WINXP\system32\nuinopsd\right1.gif
C:\WINXP\system32\nuinopsd\s1.htm
C:\WINXP\system32\nuinopsd\s2.htm
C:\WINXP\system32\nuinopsd\s3.htm
C:\WINXP\system32\nuinopsd\SMTop1.gif
C:\WINXP\system32\nuinopsd\SMTop2.gif
C:\WINXP\system32\nuinopsd\SMTop3.gif
C:\WINXP\system32\nuinopsd\SMTop4.gif
C:\WINXP\system32\nuinopsd\soft1_off.gif
C:\WINXP\system32\nuinopsd\soft1_off_ext.gif
C:\WINXP\system32\nuinopsd\soft1_on.gif
C:\WINXP\system32\nuinopsd\soft1_on_ext.gif
C:\WINXP\system32\nuinopsd\soft2_off.gif
C:\WINXP\system32\nuinopsd\soft2_off_ext.gif
C:\WINXP\system32\nuinopsd\soft2_on.gif
C:\WINXP\system32\nuinopsd\soft2_on_ext.gif
C:\WINXP\system32\nuinopsd\soft3_off.gif
C:\WINXP\system32\nuinopsd\soft3_off_ext.gif
C:\WINXP\system32\nuinopsd\soft3_on.gif
C:\WINXP\system32\nuinopsd\soft3_on_ext.gif
C:\WINXP\system32\nuinopsd\softbottom_off.gif
C:\WINXP\system32\nuinopsd\softbottom_on.gif
C:\WINXP\system32\nuinopsd\softleft_off.gif
C:\WINXP\system32\nuinopsd\softleft_on.gif
C:\WINXP\system32\nuinopsd\top1.gif
C:\WINXP\system32\nuinopsd\top2.gif
C:\WINXP\system32\nuinopsd\turnoff1.gif
C:\WINXP\system32\nuinopsd\turnon1.gif
C:\WINXP\system32\pmkjk.dll
C:\WINXP\system32\pmnll.dll
C:\WINXP\system32\qxursljb.ini
C:\WINXP\system32\sfqjsdpf.ini
C:\WINXP\system32\winhoq32.dll
C:\WINXP\system32\yayvtur.dll
C:\WINXP\system32\ybadd.ini
C:\WINXP\system32\ybadd.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 02:22 . 2007-12-10 02:22 <DIR> d-------- C:\VundoFix Backups
2007-12-10 01:40 . 2007-12-10 01:40 <DIR> d-------- C:\WINXP\kdefense
2007-12-10 01:40 . 2007-12-10 01:40 846,336 --a------ C:\WINXP\system32\kdfinj.dll
2007-12-10 01:40 . 2007-12-11 17:31 722,472 --a------ C:\WINXP\system32\kdfmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 192,512 --a------ C:\WINXP\system32\kdfvmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 77,824 --a------ C:\WINXP\system32\kdfapi.dll
2007-12-10 01:40 . 2007-12-11 17:31 53,248 --a------ C:\WINXP\system32\Kdfhok.dll
2007-12-10 01:36 . 2007-12-10 01:36 <DIR> d-------- C:\WINXP\LocalSSL
2007-12-10 01:36 . 2007-10-27 01:53 138,512 --a------ C:\WINXP\system32\drivers\tmcomm.sys
2007-12-10 01:36 . 2007-10-27 01:53 52,496 --a------ C:\WINXP\system32\drivers\tmactmon.sys
2007-12-10 01:35 . 2007-12-10 01:36 <DIR> d-------- C:\Programfiler\Trend Micro
2007-12-09 23:49 . 2006-10-26 19:58 30,512 --a------ C:\WINXP\system32\mdimon.dll
2007-12-09 23:40 . 2007-12-09 23:40 <DIR> dr-h----- C:\MSOCache
2007-12-09 14:38 . 2007-12-09 14:38 103,936 --a------ C:\WINXP\system32\drvniw.dll
2007-12-08 23:15 . 2007-12-08 23:17 143 --a------ C:\WINXP\system32\mcrh.tmp
2007-12-08 22:26 . 2007-12-08 22:26 223 --a------ C:\WINXP\wininit.ini
2007-12-08 21:42 . 2007-12-10 00:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Spybot - Search & Destroy
2007-12-08 21:39 . 2007-12-08 21:39 23 --a------ C:\WINXP\system32\eface_g.ocx
2007-12-08 21:39 . 2007-12-08 21:39 23 --ahs---- C:\WINXP\system32\eebdbd0_g.dll
2007-12-08 19:45 . 2007-12-09 23:20 2,560 --a------ C:\WINXP\system32\drivers\mchInjDrv.sys
2007-12-05 23:54 . 2007-12-05 23:54 7,053 --a------ C:\WINXP\system32\ddcyy.dll
2007-12-05 22:54 . 2007-12-05 22:54 7,053 --a------ C:\WINXP\system32\vtsqo.dll
2007-12-05 19:28 . 2007-12-05 19:28 7,053 --a------ C:\WINXP\system32\pmnnl.dll
2007-12-05 18:28 . 2007-12-05 18:28 7,053 --a------ C:\WINXP\system32\sstts.dll
2007-12-05 17:05 . 2007-12-05 17:05 7,053 --a------ C:\WINXP\system32\ddabc.dll
2007-12-04 19:09 . 2007-12-04 19:09 7,053 --a------ C:\WINXP\system32\vturo.dll
2007-12-04 06:24 . 2007-12-04 06:24 7,053 --a------ C:\WINXP\system32\pmkhh.dll
2007-12-04 01:24 . 2007-12-04 01:24 7,053 --a------ C:\WINXP\system32\jkkli.dll
2007-12-04 00:29 . 2007-12-05 23:57 <DIR> d-------- C:\Documents and Settings\Baard Larsen.BAARD\.housecall6.6
2007-12-03 18:45 . 2007-12-09 23:28 <DIR> d-------- C:\Programfiler\Enigma Software Group
2007-12-03 18:03 . 2007-12-09 14:47 11,776 --ahs---- C:\WINXP\Thumbs.db
2007-12-03 18:03 . 2007-12-10 00:04 6,144 --ahs---- C:\WINXP\system32\Thumbs.db
2007-11-27 21:20 . 2007-09-01 03:43 1,041,656 --a------ C:\WINXP\vuepro32.exe
2007-11-27 21:20 . 2007-09-01 03:43 267,288 --a------ C:\WINXP\vuepro32.hlp
2007-11-27 21:20 . 2007-09-01 03:43 51,834 --a------ C:\WINXP\vuepro32.jpg
2007-11-27 21:20 . 2007-12-03 18:54 167 --a------ C:\WINXP\vuepro32.ini
2007-11-26 18:07 . 2007-11-26 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\ATI
2007-11-25 22:26 . 2006-06-14 13:44 12,288 -ra------ C:\WINXP\system32\drivers\EIO_XP.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 00:54 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Microsoft Help
2007-12-10 00:41 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Trend Micro
2007-12-03 17:05 --------- d-----w C:\Programfiler\Windows Media Connect 2
2007-12-03 17:05 --------- d-----w C:\Programfiler\hp deskjet 5550 series
2007-12-03 17:05 --------- d-----w C:\Programfiler\FTP Pro
2007-12-03 17:05 --------- d-----w C:\Programfiler\DIY DataRecovery DiskPatch 3
2007-11-26 19:29 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2007-11-25 21:44 --------- d-----w C:\Programfiler\ATI Technologies
2007-11-23 18:12 --------- d-----w C:\Programfiler\daTax
2007-10-27 00:53 65,936 ----a-w C:\WINXP\system32\drivers\tmtdi.sys
2007-10-27 00:53 52,368 ----a-w C:\WINXP\system32\drivers\tmevtmgr.sys
2007-10-27 00:53 36,112 ----a-w C:\WINXP\system32\drivers\tmpreflt.sys
2007-10-27 00:53 333,328 ----a-w C:\WINXP\system32\drivers\TM_CFW.sys
2007-10-27 00:53 203,024 ----a-w C:\WINXP\system32\drivers\tmxpflt.sys
2007-10-27 00:53 1,126,328 ----a-w C:\WINXP\system32\drivers\vsapint.sys
2007-10-16 21:40 2,642,944 ----a-w C:\WINXP\system32\drivers\ati2mtag.sys
2007-10-16 20:16 49,152 ----a-w C:\WINXP\system32\drivers\ati2erec.dll
2007-10-16 14:41 --------- d-----w C:\Programfiler\Java
2007-10-14 14:01 --------- d--h--r C:\Documents and Settings\Baard Larsen.BAARD\Programdata\SecuROM
2007-10-14 14:01 --------- d--h--r C:\DOCUME~1\BAARDL~2.BAA\PROGRA~1\SecuROM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2007-09-18 21:06 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList"="C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 14:41]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 13:00]
"TrendSecure Remote File Lock"="C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2007-09-26 23:43]
"OE"="C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-10-27 01:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-10-27 01:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 13:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Programfiler\E-post\EuShlExt.dll [ ]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Logitech SetPoint.lnk
backup=C:\WINXP\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Microsoft Office.lnk
backup=C:\WINXP\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b3984fd6]
rundll32.exe C:\WINXP\system32\bjlsruxq.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 18:03 152872 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bovytgrc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINXP\system32\drvxat.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 --a------ C:\WINXP\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcvmzofo]
regsvr32 /u C:\Documents and Settings\All Users.WINXP\Programdata\fcvmzofo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-08-03 01:26 188416 --a------ C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khipgdkd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programfiler\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Owmo]
c:\winxp\system32\javaw.exe -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINXP\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programfiler\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINXP\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 --a------ C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufanqtqn]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

R1 EIO_XP;EIO_XP;\??\C:\WINXP\system32\drivers\EIO_XP.sys
R1 mchInjDrv;madCodeHook DLL injection driver;\??\C:\WINXP\system32\Drivers\mchInjDrv.sys
R2 Apache2.2;Apache2.2;"C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice
R2 LBeepKE;LBeepKE;C:\WINXP\system32\Drivers\LBeepKE.sys
R3 cmeu0wdm;CardMan 2020;C:\WINXP\system32\DRIVERS\cmeu0wdm.sys
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINXP\system32\DRIVERS\sccmusbm.sys
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINXP\system32\DRIVERS\SMCWGU.sys
S3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINXP\system32\DRIVERS\WrKPoETNic2000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LCD.exe

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 17:49:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 17:52:07 - machine was rebooted
.
--- E O F ---

---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:48, on 11.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Programfiler\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINXP\system32\ctfmon.exe
C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\SearchIndexer.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\system32\SearchProtocolHost.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINXP\system32\wscntfy.exe
C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [LaunchList] C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186952911120
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.buypass.n...ogram/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINXP\system32\drivers\pclepci.sys
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6995 bytes



#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 11 December 2007 - 07:40 PM


Please don't attach the files...copy and paste them here.

Did you put this in your Internet Explorer's Trusted Zones?
If not, please have HJT fix it:


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

O15 - Trusted IP range: http://195.204.91.130

Click on Fix Checked and exit HijackThis.

--------------------------------

Find these two files and right click on them and choose properties, see if you can find out what they belong to.

C:\WINXP\system32\drivers\EIO_XP.sys
C:\WINXP\system32\Drivers\mchInjDrv.sys

If you're not sure, upload them HERE for a free scan - let me know the results.

If it's too busy - try here:
http://www.virustota.../en/indexf.html

--------------------------------

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

File::
C:\WINXP\system32\eface_g.ocx
C:\WINXP\system32\eebdbd0_g.dll
C:\WINXP\system32\ddcyy.dll
C:\WINXP\system32\vtsqo.dll
C:\WINXP\system32\pmnnl.dll
C:\WINXP\system32\sstts.dll
C:\WINXP\system32\ddabc.dll
C:\WINXP\system32\vturo.dll
C:\WINXP\system32\pmkhh.dll
C:\WINXP\system32\jkkli.dll
C:\WINXP\system32\drvxat.dll
C:\Documents and Settings\All Users.WINXP\Programdata\fcvmzofo.dll
c:\winxp\system32\javaw.exe
C:\WINXP\system32\printer.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b3984fd6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bovytgrc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcvmzofo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khipgdkd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Owmo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufanqtqn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]




Save as CFScript.txt
Change the "Save as type" to "All Files"
Save it to the Desktop.
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log in your next reply and a fresh HJT log, MrC

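The review steps above (check O15 trusted-zone entries, an O10 LSP file HJT could not identify, and autostarts with random-looking names or files in a temp folder) can be applied mechanically to an HJT log. This is an added example for this page, not code from the thread or from HijackThis; the sample log is a constructed excerpt in the thread's log format, and the `[fcvmzofo] ...\Temp\qgsglsyc.dll` autostart line in it is assembled from names in the thread's CFScript and ComboFix output rather than copied from any posted log.

```python
"""Triage helper for HijackThis (HJT) logs in the format quoted in this thread.

Added example for this page; it is not part of the thread or of HijackThis.
It pulls out the entry classes the helper reviews first: O15 trusted-zone
entries (IE applies relaxed security to those hosts, so each one should be
something the owner added on purpose), O10 Winsock LSP files HJT could not
identify, and O4 autostarts that run from a temp folder or under a
machine-generated-looking name. Output is a review list, not a verdict.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpt in the HJT log format used in this thread. The
# "[fcvmzofo] ...\Temp\qgsglsyc.dll" autostart is assembled here from names
# that appear in the thread's CFScript and ComboFix output; it is a
# constructed line, not copied from any posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\Explorer.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [fcvmzofo] C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\qgsglsyc.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
"""

# Entry lines look like "O4 - HKLM\..\Run: [Name] command" or "R1 - ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
VOWELS = set("aeiou")


def parse_hjt(text):
    """Return [{'section': 'O15', 'body': 'Trusted Zone: ...'}, ...]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def looks_random(name):
    """Heuristic: all-lowercase letters, 6+ chars, with a consonant run of 5+.

    Catches names like fcvmzofo or ufanqtqn; ordinary names (jusched,
    SunJavaUpdateSched, ctfmon.exe) pass. It is a triage hint only.
    """
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def describe_o15(body):
    """Say whether an O15 target is a hostname, a private IP or a public IP."""
    kind, _, target = body.partition(": ")
    host = urlparse(target).hostname or target
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"{kind} for host {host}"
    scope = "private" if ip.is_private else "public"
    return f"{kind} for {scope} address {host}"


def review(entries):
    """Return (section, reason, body) tuples for entries that need a look."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O15":
            findings.append((sec, describe_o15(body) + "; confirm the owner added it", body))
        elif sec == "O10":
            findings.append((sec, "Winsock LSP file HJT could not identify", body))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            if "\\temp\\" in m.group("cmd").lower():
                findings.append((sec, "autostart runs from a temp folder", body))
            elif looks_random(m.group("name")):
                findings.append((sec, "autostart name looks machine-generated", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}\n    {body}")
```

As the next post in the thread shows, a flagged O15 entry can be legitimate (the owner's own web server); the script only lists what to ask about.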

#5 Baard Larsen

Baard Larsen

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 13 December 2007 - 11:52 AM

Hello again.
The trusted IP address is for my web server at home.
The two files in question are the ASUS Kernel Mode Driver for NT and the DRV file is Trojan.Small-4369 according to http://www.virustotal.com.

I will run the ComboFix and come back with a fresh log.

Baard

#6 Baard Larsen

Baard Larsen

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 13 December 2007 - 01:16 PM

Hi again.
Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07:13, on 13.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Programfiler\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINXP\system32\ctfmon.exe
C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\SearchIndexer.exe
C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\HiJackThis_v2.exe
C:\Junior\Ny e-post\eudora.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LaunchList] C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186952911120
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.buypass.n...ogram/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINXP\system32\drivers\pclepci.sys
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7412 bytes


Here is the Combofix-log:
ComboFix 07-12-09.1 - Baard Larsen 2007-12-13 19:52:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.579 [GMT 1:00]
Running from: C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users.WINXP\Programdata\fcvmzofo.dll
C:\WINXP\system32\ddabc.dll
C:\WINXP\system32\ddcyy.dll
C:\WINXP\system32\drvxat.dll
C:\WINXP\system32\eebdbd0_g.dll
C:\WINXP\system32\eface_g.ocx
c:\winxp\system32\javaw.exe
C:\WINXP\system32\jkkli.dll
C:\WINXP\system32\pmkhh.dll
C:\WINXP\system32\pmnnl.dll
C:\WINXP\system32\printer.exe
C:\WINXP\system32\sstts.dll
C:\WINXP\system32\vtsqo.dll
C:\WINXP\system32\vturo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINXP\system32\ddabc.dll
C:\WINXP\system32\ddcyy.dll
C:\WINXP\system32\drvxat.dll
C:\WINXP\system32\eebdbd0_g.dll
C:\WINXP\system32\eface_g.ocx
c:\winxp\system32\javaw.exe
C:\WINXP\system32\jkkli.dll
C:\WINXP\system32\pmkhh.dll
C:\WINXP\system32\pmnnl.dll
C:\WINXP\system32\sstts.dll
C:\WINXP\system32\vtsqo.dll
C:\WINXP\system32\vturo.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-10 01:40 . 2007-12-10 01:40 <DIR> d-------- C:\WINXP\kdefense
2007-12-10 01:40 . 2007-12-10 01:40 846,336 --a------ C:\WINXP\system32\kdfinj.dll
2007-12-10 01:40 . 2007-12-11 17:31 722,472 --a------ C:\WINXP\system32\kdfmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 192,512 --a------ C:\WINXP\system32\kdfvmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 77,824 --a------ C:\WINXP\system32\kdfapi.dll
2007-12-10 01:40 . 2007-12-11 17:31 53,248 --a------ C:\WINXP\system32\Kdfhok.dll
2007-12-10 01:36 . 2007-12-10 01:36 <DIR> d-------- C:\WINXP\LocalSSL
2007-12-10 01:36 . 2007-10-27 01:53 138,512 --a------ C:\WINXP\system32\drivers\tmcomm.sys
2007-12-10 01:36 . 2007-10-27 01:53 52,496 --a------ C:\WINXP\system32\drivers\tmactmon.sys
2007-12-10 01:35 . 2007-12-10 01:36 <DIR> d-------- C:\Programfiler\Trend Micro
2007-12-09 23:49 . 2006-10-26 19:58 30,512 --a------ C:\WINXP\system32\mdimon.dll
2007-12-09 23:40 . 2007-12-09 23:40 <DIR> dr-h----- C:\MSOCache
2007-12-09 14:38 . 2007-12-09 14:38 103,936 --a------ C:\WINXP\system32\drvniw.dll
2007-12-08 23:15 . 2007-12-08 23:17 143 --a------ C:\WINXP\system32\mcrh.tmp
2007-12-08 22:26 . 2007-12-08 22:26 223 --a------ C:\WINXP\wininit.ini
2007-12-08 21:42 . 2007-12-10 00:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Spybot - Search & Destroy
2007-12-08 19:45 . 2007-12-09 23:20 2,560 --a------ C:\WINXP\system32\drivers\mchInjDrv.sys
2007-12-04 00:29 . 2007-12-05 23:57 <DIR> d-------- C:\Documents and Settings\Baard Larsen.BAARD\.housecall6.6
2007-12-03 18:45 . 2007-12-09 23:28 <DIR> d-------- C:\Programfiler\Enigma Software Group
2007-12-03 18:03 . 2007-12-09 14:47 11,776 --ahs---- C:\WINXP\Thumbs.db
2007-12-03 18:03 . 2007-12-10 00:04 6,144 --ahs---- C:\WINXP\system32\Thumbs.db
2007-11-27 21:20 . 2007-09-01 03:43 1,041,656 --a------ C:\WINXP\vuepro32.exe
2007-11-27 21:20 . 2007-09-01 03:43 267,288 --a------ C:\WINXP\vuepro32.hlp
2007-11-27 21:20 . 2007-09-01 03:43 51,834 --a------ C:\WINXP\vuepro32.jpg
2007-11-27 21:20 . 2007-12-03 18:54 167 --a------ C:\WINXP\vuepro32.ini
2007-11-26 18:07 . 2007-11-26 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\ATI
2007-11-25 22:26 . 2006-06-14 13:44 12,288 -ra------ C:\WINXP\system32\drivers\EIO_XP.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 17:01 --------- d-----w C:\Documents and Settings\Baard Larsen.BAARD\Programdata\Ahead
2007-12-12 17:01 --------- d-----w C:\DOCUME~1\BAARDL~2.BAA\PROGRA~1\Ahead
2007-12-10 00:54 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Microsoft Help
2007-12-10 00:41 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Trend Micro
2007-12-03 17:05 --------- d-----w C:\Programfiler\Windows Media Connect 2
2007-12-03 17:05 --------- d-----w C:\Programfiler\hp deskjet 5550 series
2007-12-03 17:05 --------- d-----w C:\Programfiler\FTP Pro
2007-12-03 17:05 --------- d-----w C:\Programfiler\DIY DataRecovery DiskPatch 3
2007-11-26 19:29 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2007-11-25 21:44 --------- d-----w C:\Programfiler\ATI Technologies
2007-11-23 18:12 --------- d-----w C:\Programfiler\daTax
2007-10-27 00:53 65,936 ----a-w C:\WINXP\system32\drivers\tmtdi.sys
2007-10-27 00:53 52,368 ----a-w C:\WINXP\system32\drivers\tmevtmgr.sys
2007-10-27 00:53 36,112 ----a-w C:\WINXP\system32\drivers\tmpreflt.sys
2007-10-27 00:53 333,328 ----a-w C:\WINXP\system32\drivers\TM_CFW.sys
2007-10-27 00:53 203,024 ----a-w C:\WINXP\system32\drivers\tmxpflt.sys
2007-10-27 00:53 1,126,328 ----a-w C:\WINXP\system32\drivers\vsapint.sys
2007-10-16 21:40 2,642,944 ----a-w C:\WINXP\system32\drivers\ati2mtag.sys
2007-10-16 21:05 364,544 ----a-w C:\WINXP\system32\ATIDEMGX.dll
2007-10-16 21:04 268,288 ----a-w C:\WINXP\system32\ati2dvag.dll
2007-10-16 20:56 43,520 ----a-w C:\WINXP\system32\ati2edxx.dll
2007-10-16 20:56 307,200 ----a-w C:\WINXP\system32\atiiiexx.dll
2007-10-16 20:56 26,112 ----a-w C:\WINXP\system32\Ati2mdxx.exe
2007-10-16 20:56 143,360 ----a-w C:\WINXP\system32\atipdlxx.dll
2007-10-16 20:56 122,880 ----a-w C:\WINXP\system32\Oemdspif.dll
2007-10-16 20:55 122,880 ----a-w C:\WINXP\system32\ati2evxx.dll
2007-10-16 20:54 495,616 ----a-w C:\WINXP\system32\ati2evxx.exe
2007-10-16 20:53 53,248 ----a-w C:\WINXP\system32\ATIDDC.DLL
2007-10-16 20:48 9,244,672 ----a-w C:\WINXP\system32\atioglx2.dll
2007-10-16 20:44 3,133,056 ----a-w C:\WINXP\system32\ati3duag.dll
2007-10-16 20:33 1,601,664 ----a-w C:\WINXP\system32\ativvaxx.dll
2007-10-16 20:19 5,435,392 ----a-w C:\WINXP\system32\atioglxx.dll
2007-10-16 20:19 376,832 ----a-w C:\WINXP\system32\atikvmag.dll
2007-10-16 20:17 17,408 ----a-w C:\WINXP\system32\atitvo32.dll
2007-10-16 20:16 49,152 ----a-w C:\WINXP\system32\drivers\ati2erec.dll
2007-10-16 20:15 172,032 ----a-w C:\WINXP\system32\atiok3x2.dll
2007-10-16 20:11 499,712 ----a-w C:\WINXP\system32\ati2cqag.dll
2007-10-16 14:41 --------- d-----w C:\Programfiler\Java
2007-10-14 14:01 107,888 ----a-w C:\WINXP\system32\CmdLineExt.dll
2007-10-14 14:01 --------- d--h--r C:\Documents and Settings\Baard Larsen.BAARD\Programdata\SecuROM
2007-10-14 14:01 --------- d--h--r C:\DOCUME~1\BAARDL~2.BAA\PROGRA~1\SecuROM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2007-09-18 21:06 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList"="C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 14:41]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 13:00]
"TrendSecure Remote File Lock"="C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2007-09-26 23:43]
"OE"="C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-10-27 01:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-10-27 01:53]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-06-29 05:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 13:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Programfiler\E-post\EuShlExt.dll [ ]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Logitech SetPoint.lnk
backup=C:\WINXP\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Microsoft Office.lnk
backup=C:\WINXP\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 18:03 152872 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 --a------ C:\WINXP\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-08-03 01:26 188416 --a------ C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programfiler\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programfiler\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINXP\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 12:35 90112 --a------ C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]

R1 EIO_XP;EIO_XP;\??\C:\WINXP\system32\drivers\EIO_XP.sys
R1 mchInjDrv;madCodeHook DLL injection driver;\??\C:\WINXP\system32\Drivers\mchInjDrv.sys
R2 Apache2.2;Apache2.2;"C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice
R2 LBeepKE;LBeepKE;C:\WINXP\system32\Drivers\LBeepKE.sys
R3 cmeu0wdm;CardMan 2020;C:\WINXP\system32\DRIVERS\cmeu0wdm.sys
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINXP\system32\DRIVERS\sccmusbm.sys
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINXP\system32\DRIVERS\SMCWGU.sys
S3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINXP\system32\DRIVERS\WrKPoETNic2000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LCD.exe

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINXP\Explorer.EXE [6.00.2900.3156]
-> C:\Programfiler\FTP Pro\nsftpch.dll
-> C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\qgsglsyc.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 19:57:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 19:59:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 17:52
.
--- E O F ---

#7 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 15 December 2007 - 05:29 PM

I apologize for the delay...somehow I missed your reply.
Please do this: (same as before)

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

File::
C:\WINXP\system32\Drivers\mchInjDrv.sys
C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\qgsglsyc.dll

Driver::
mchInjDrv

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]


Save as CFScript.txt
Change the "Save as type" to "All Files"
Save it to the Desktop.
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......
Please provide the contents of the ComboFix log in your next reply and a fresh HJT log, MrC


#8 Baard Larsen

Baard Larsen

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 15 December 2007 - 06:02 PM

Hello again. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:59:27, on 16.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Programfiler\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\SearchIndexer.exe
C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe
C:\WINXP\system32\wuauclt.exe
C:\Programfiler\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\HiJackThis_v2.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LaunchList] C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programfiler\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186952911120
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - http://www.buypass.n...ogram/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINXP\system32\drivers\pclepci.sys
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Programfiler\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Programfiler\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7411 bytes


And CF-log:

ComboFix 07-12-09.1 - Baard Larsen 2007-12-16 0:52:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.544 [GMT 1:00]
Running from: C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Baard Larsen.BAARD\Skrivebord\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\qgsglsyc.dll
C:\WINXP\system32\Drivers\mchInjDrv_old.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINXP\system32\Drivers\mchInjDrv_old.sys
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_MCHINJDRV
-------\mchInjDrv


((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-13 20:29 . 2007-12-13 20:29 5,632 --ahs---- C:\Thumbs.db
2007-12-10 01:40 . 2007-12-13 20:00 <DIR> d-------- C:\WINXP\kdefense
2007-12-10 01:40 . 2007-12-10 01:40 846,336 --a------ C:\WINXP\system32\kdfinj.dll
2007-12-10 01:40 . 2007-12-11 17:31 722,472 --a------ C:\WINXP\system32\kdfmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 192,512 --a------ C:\WINXP\system32\kdfvmgr.exe
2007-12-10 01:40 . 2007-12-11 17:31 77,824 --a------ C:\WINXP\system32\kdfapi.dll
2007-12-10 01:40 . 2007-12-11 17:31 53,248 --a------ C:\WINXP\system32\Kdfhok.dll
2007-12-10 01:36 . 2007-12-10 01:36 <DIR> d-------- C:\WINXP\LocalSSL
2007-12-10 01:36 . 2007-10-27 01:53 138,512 --a------ C:\WINXP\system32\drivers\tmcomm.sys
2007-12-10 01:36 . 2007-10-27 01:53 52,496 --a------ C:\WINXP\system32\drivers\tmactmon.sys
2007-12-10 01:35 . 2007-12-10 01:36 <DIR> d-------- C:\Programfiler\Trend Micro
2007-12-09 23:49 . 2006-10-26 19:58 30,512 --a------ C:\WINXP\system32\mdimon.dll
2007-12-09 23:40 . 2007-12-09 23:40 <DIR> dr-h----- C:\MSOCache
2007-12-09 14:38 . 2007-12-09 14:38 103,936 --a------ C:\WINXP\system32\drvniw.dll
2007-12-08 23:15 . 2007-12-08 23:17 143 --a------ C:\WINXP\system32\mcrh.tmp
2007-12-08 22:26 . 2007-12-08 22:26 223 --a------ C:\WINXP\wininit.ini
2007-12-08 21:42 . 2007-12-10 00:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Spybot - Search & Destroy
2007-12-04 00:29 . 2007-12-05 23:57 <DIR> d-------- C:\Documents and Settings\Baard Larsen.BAARD\.housecall6.6
2007-12-03 18:45 . 2007-12-09 23:28 <DIR> d-------- C:\Programfiler\Enigma Software Group
2007-12-03 18:03 . 2007-12-13 20:29 17,920 --ahs---- C:\WINXP\Thumbs.db
2007-12-03 18:03 . 2007-12-13 20:00 6,144 --ahs---- C:\WINXP\system32\Thumbs.db
2007-11-27 21:20 . 2007-09-01 03:43 1,041,656 --a------ C:\WINXP\vuepro32.exe
2007-11-27 21:20 .
2007-09-01 03:43 267,288 --a------ C:\WINXP\vuepro32.hlp 2007-11-27 21:20 . 2007-09-01 03:43 51,834 --a------ C:\WINXP\vuepro32.jpg 2007-11-27 21:20 . 2007-12-03 18:54 167 --a------ C:\WINXP\vuepro32.ini 2007-11-26 18:07 . 2007-11-26 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\ATI 2007-11-25 22:26 . 2006-06-14 13:44 12,288 -ra------ C:\WINXP\system32\drivers\EIO_XP.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-15 23:19 --------- d-----w C:\Programfiler\Quark 2007-12-13 22:02 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Microsoft Help 2007-12-13 19:24 --------- d-----w C:\Documents and Settings\Baard Larsen.BAARD\Programdata\Thunderbird 2007-12-13 19:24 --------- d-----w C:\DOCUME~1\BAARDL~2.BAA\PROGRA~1\Thunderbird 2007-12-12 17:01 --------- d-----w C:\Documents and Settings\Baard Larsen.BAARD\Programdata\Ahead 2007-12-12 17:01 --------- d-----w C:\DOCUME~1\BAARDL~2.BAA\PROGRA~1\Ahead 2007-12-10 00:41 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\PROGRA~1\Trend Micro 2007-12-03 17:05 --------- d-----w C:\Programfiler\Windows Media Connect 2 2007-12-03 17:05 --------- d-----w C:\Programfiler\hp deskjet 5550 series 2007-12-03 17:05 --------- d-----w C:\Programfiler\FTP Pro 2007-12-03 17:05 --------- d-----w C:\Programfiler\DIY DataRecovery DiskPatch 3 2007-11-26 19:29 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2007-11-25 21:44 --------- d-----w C:\Programfiler\ATI Technologies 2007-11-23 18:12 --------- d-----w C:\Programfiler\daTax 2007-10-27 00:53 65,936 ----a-w C:\WINXP\system32\drivers\tmtdi.sys 2007-10-27 00:53 52,368 ----a-w C:\WINXP\system32\drivers\tmevtmgr.sys 2007-10-27 00:53 36,112 ----a-w C:\WINXP\system32\drivers\tmpreflt.sys 2007-10-27 00:53 333,328 ----a-w C:\WINXP\system32\drivers\TM_CFW.sys 2007-10-27 00:53 203,024 ----a-w C:\WINXP\system32\drivers\tmxpflt.sys 2007-10-27 00:53 1,126,328 ----a-w 
C:\WINXP\system32\drivers\vsapint.sys 2007-10-16 21:40 2,642,944 ----a-w C:\WINXP\system32\drivers\ati2mtag.sys 2007-10-16 20:16 49,152 ----a-w C:\WINXP\system32\drivers\ati2erec.dll 2007-10-16 14:41 --------- d-----w C:\Programfiler\Java . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Programfiler\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2007-09-18 21:06 103760] [HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}] [HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1] [HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}] [HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchList"="C:\Programfiler\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 14:41] "ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 13:00] "TrendSecure Remote File Lock"="C:\Programfiler\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2007-09-26 23:43] "OE"="C:\Programfiler\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-10-27 01:54] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11] "StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35] "UfSeAgnt.exe"="C:\Programfiler\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-10-27 01:53] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-06-29 05:24] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 13:00] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= 
D:\Programfiler\E-post\EuShlExt.dll [ ] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programfiler\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Logitech SetPoint.lnk] path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Logitech SetPoint.lnk backup=C:\WINXP\pss\Logitech SetPoint.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINXP^Start-meny^Programmer^Oppstart^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINXP\Start-meny\Programmer\Oppstart\Microsoft Office.lnk backup=C:\WINXP\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 19:51 39792 --a------ C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] 2007-06-27 18:03 152872 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] 2004-08-04 13:00 15360 --a------ C:\WINXP\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2002-08-03 01:26 188416 --a------ C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb06.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Programfiler\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2007-03-01 14:57 153136 --a------ C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Programfiler\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv] C:\WINXP\system32\spoolvs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] 2006-11-10 12:35 90112 --a------ C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe] R1 EIO_XP;EIO_XP;\??\C:\WINXP\system32\drivers\EIO_XP.sys R2 Apache2.2;Apache2.2;"C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice R2 LBeepKE;LBeepKE;C:\WINXP\system32\Drivers\LBeepKE.sys R3 cmeu0wdm;CardMan 2020;C:\WINXP\system32\DRIVERS\cmeu0wdm.sys S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINXP\system32\DRIVERS\sccmusbm.sys S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINXP\system32\DRIVERS\SMCWGU.sys S3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINXP\system32\DRIVERS\WrKPoETNic2000.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] \Shell\AutoRun\command - I:\LCD.exe . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINXP\Explorer.EXE [6.00.2900.3156] -> C:\Programfiler\FTP Pro\nsftpch.dll -> C:\DOCUME~1\BAARDL~2.BAA\LOKALE~1\Temp\qgsglsyc.dll . ************************************************************************** catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-16 00:56:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... 
scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-16 0:58:01 - machine was rebooted . --- E O F --- All things looking good? Baard

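As an added example (not code from HijackThis, ComboFix or this thread), a small Python triage over log lines in the shape of the HijackThis output above: it parses each `Onn - ...` entry and flags the kinds a malware-team reviewer checks first (O15 trusted zones, O10 LSPs, O16 downloaded ActiveX controls, and autostarts loading from Temp or a user profile). The sample lines are copied from the posted log plus one constructed Temp-folder autostart; the reviewer rules are the example's own assumptions, not HijackThis logic.

```python
"""Triage of HijackThis-style log lines (added example for this thread)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted above, plus one
# made-up O4 entry (the last line) that loads from a Temp folder.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\winxp\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted IP range: http://195.204.91.130
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Programfiler\Apache Software Foundation\Apache2.2\bin\httpd.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER\LOKALE~1\Temp\updater.exe
"""

# Every HijackThis entry starts with its section code, e.g. "O15 - ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Locations from which a legitimate autostart or service rarely runs
# (example heuristic; matched case-insensitively against the entry body).
WRITABLE_DIRS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")


def parse(log: str) -> List[Tuple[str, str]]:
    """Split a log into (entry_type, body) pairs; non-entry lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(entry_type: str, body: str) -> Optional[str]:
    """Return a reason to look closer at an entry, or None if nothing stands out."""
    if entry_type == "O15":
        return "Trusted Zone entry: IE relaxes its security settings for this site or range; confirm the user added it"
    if entry_type == "O10":
        return "Winsock LSP not on the known-good list: identify the DLL's publisher before removing it"
    if entry_type == "O16":
        return "Downloaded ActiveX control: verify the CLSID and the download host"
    if entry_type in ("O4", "O23"):
        low = body.lower()
        for d in WRITABLE_DIRS:
            if d in low:
                return f"autostart loads from a user-writable location ({d.strip(chr(92))})"
    return None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Entries worth a reviewer's attention, as (type, body, reason), in log order."""
    out = []
    for entry_type, body in parse(log):
        reason = review(entry_type, body)
        if reason:
            out.append((entry_type, body, reason))
    return out


if __name__ == "__main__":
    for entry_type, body, reason in triage(SAMPLE_LOG):
        print(f"{entry_type}: {reason}\n    {body}")
```

Entries the script does not flag (the system32 CTFMON autostart, the Apache service) are the ones a reviewer skims past; the flagged ones are where the manual check begins, as MrCharlie's "Looks OK" verdict below implies he did.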
#9 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 15 December 2007 - 06:34 PM

Looks OK to me.... How's it running?

MrC

#10 Baard Larsen

Baard Larsen

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 15 December 2007 - 06:45 PM

Machine runs well now. Tried a virus scan and no hits. Just need to fix the harddisk 2 problem and we are ok. I'll send U a donation as a token of my appreciation!

Baard Larsen
Norway

#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 15 December 2007 - 07:03 PM

OK.....Great :thumbup:

To tidy up a bit:

Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.


When shown the disclaimer, Select "2"

This is what will happen:

These will be deleted:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Then these tasks will be performed:
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

-------------------------------------


If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance: (some of these you just did!)

Some of the programs you may have run create backups of what was deleted - you can safely delete them now: (delete folders in blue) You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)
C:\_OTMOVEIT folder (OTMoveIt)

RVAXO:
You can use Uninstall.cmd to remove everything from RVAXO, it will be found in the RVAXO-folder on your desktop.

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection so there's no need for it to be running, I suggest you keep the program and update regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point (XP only):

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the latest critical updates.

Install these two free programs. They sit in the background and protect your system from spyware and adware being installed, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG*free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows Firewall is not sufficient... install a better one.
Comodo Free Firewall
ZoneAlarm*free
Other free firewalls

Keep those temp files off your system use
ATF Cleaner - hit "select all" then just uncheck "cookies" (uncheck cookies is optional - leave it checked if you want to delete all cookies) then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 3<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter: Manage your startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Slow Computer - Check Here

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program; even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc. asking for personal information - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC


#12 Baard Larsen

Baard Larsen

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 16 December 2007 - 06:10 AM

Brilliant. Removed an old Java and changed size of hostfiles. Something runs smoother now. Sent U a donation of $50. Thanks for the help!

#13 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 16 December 2007 - 07:48 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
