Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Infected with W32.Trats!inf need help to cleanup


  • This topic is locked This topic is locked
7 replies to this topic

#1 stargate

stargate

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 10 January 2008 - 01:50 PM

Two days ago my system windowsXP SP2 got infected. I have symantec on my system it must have been turned off at the time. anyway I have looked at this forum and followed this so afr http://forums.whatth...ion_t86964.html
up to running the combofix.txt
My system have been rebooted but symantec Auto protect is tsill catching the W32.Trats!inf on my system which tells me it is still not clean here is the combofix.txt log:

ComboFix 08-01-10.2 - rmunad 2008-01-10 10:29:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1284 [GMT -8:00]
Running from: C:\Documents and Settings\rmunad\Local Settings\Temporary Internet Files\Content.IE5\8PKFOVKJ\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\vVX1000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 10:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 07:00 . 2008-01-10 08:00 <DIR> d-------- C:\Documents and Settings\rmunad\Application Data\skypePM
2008-01-10 07:00 . 2008-01-10 07:00 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 06:59 . 2008-01-10 06:59 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-08 20:54 . 2008-01-08 20:54 707,376 --a------ C:\WINDOWS\vVX1000 .exe
2008-01-08 20:54 . 2008-01-08 20:54 45,632 --a------ C:\WINDOWS\system32\taskswitch .exe
2008-01-08 20:29 . 2008-01-08 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 20:19 . 2008-01-08 20:55 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-08 20:12 . 2008-01-08 20:21 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-08 20:12 . 2008-01-08 20:12 <DIR> d-------- C:\Temp\cEeer12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 18:24 --------- d-----w C:\Documents and Settings\rmunad\Application Data\Skype
2008-01-10 14:52 --------- d-----w C:\Program Files\LogMeIn
2008-01-09 19:47 --------- d-----w C:\Program Files\QuickTime
2008-01-09 19:47 --------- d-----w C:\Program Files\Pamela
2008-01-09 19:47 --------- d-----w C:\Program Files\Athan
2008-01-09 16:36 --------- d-----w C:\Program Files\Windows Defender
2008-01-09 16:36 --------- d-----w C:\Program Files\j2 Messenger 4.2
2008-01-09 16:36 --------- d-----w C:\Program Files\DellSupport
2008-01-09 16:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-09 16:35 --------- d-----w C:\Program Files\MSN Messenger
2008-01-09 04:55 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-08 06:44 --------- d-----w C:\Program Files\Microsoft LifeCam
2007-12-06 22:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 03:54 --------- d-----w C:\Documents and Settings\rmunad\Application Data\U3
2007-12-03 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-30 17:59 --------- d-----w C:\Documents and Settings\rmunad\Application Data\.purple
2007-11-27 20:47 --------- d-----w C:\Program Files\FileZilla Server
2007-11-27 20:41 --------- d-----w C:\Documents and Settings\rmunad\Application Data\OpenOffice.org2
2007-11-27 15:16 --------- d-----w C:\Documents and Settings\rmunad\Application Data\Pamela
2007-11-27 02:34 --------- d-----w C:\Documents and Settings\rmunad\Application Data\Apple Computer
2007-11-27 02:30 --------- d-----w C:\Program Files\Apple Software Update
2007-11-27 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-22 04:44 --------- d-----w C:\Program Files\Google
2007-11-12 14:37 --------- d-----w C:\Documents and Settings\rmunad\Application Data\FileZilla
.
<pre>
----a-w		   954,368 2008-01-09 16:36:15  C:\Program Files\Athan\Athan .exe
----a-w		   344,064 2008-01-09 04:54:18  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   155,648 2008-01-09 19:44:56  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w			94,208 2008-01-09 04:54:44  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   185,632 2008-01-09 04:54:30  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			52,896 2008-01-09 19:44:54  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   460,784 2008-01-09 19:45:06  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   107,008 2008-01-09 19:44:52  C:\Program Files\j2 Messenger 4.2\J2GDllCmd .exe
----a-w		   132,760 2008-01-09 16:36:11  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   657,168 2008-01-09 19:45:00  C:\Program Files\JiWire\BOT Mapping\JiWireBOT .exe
----a-w			63,048 2008-01-09 19:44:49  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w		 1,694,208 2008-01-09 16:36:19  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-01-09 16:13:27  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   139,320 2008-01-09 16:36:15  C:\Program Files\Network Associates\Common Framework\UpdaterUI .exe
----a-w		 5,713,920 2008-01-09 16:36:26  C:\Program Files\Pamela\Pamela .exe
----a-w		   286,720 2008-01-09 19:48:26  C:\Program Files\QuickTime\QTTask	.exe
----a-w				 0 2008-01-09 21:48:27  C:\Program Files\QuickTime\QTTask   .exe
----a-w				 0 2008-01-09 21:14:36  C:\Program Files\QuickTime\QTTask  .exe
----a-w				 0 2008-01-09 21:14:34  C:\Program Files\QuickTime\QTTask .exe
----a-w		22,880,040 2008-01-09 16:13:30  C:\Program Files\Skype\Phone\Skype .exe
----a-w		   125,168 2008-01-09 04:54:28  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   866,584 2008-01-09 19:44:53  C:\Program Files\Windows Defender\MSASCui .exe
----a-w				 0 2008-01-09 21:48:08  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w				 0 2008-01-09 21:17:33  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   444,160 2008-01-09 19:44:52  C:\Program Files\Zone Labs\Integrity Client\iclient .exe
----a-w		   707,376 2008-01-09 04:54:34  C:\WINDOWS\vVX1000 .exe
----a-w			45,632 2008-01-09 04:54:14  C:\WINDOWS\system32\taskswitch .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-09 11:45 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-09 11:48 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-01-09 11:48 63048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-09 11:48 866584]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-09 11:48 52896]
"Zone Labs Client"="C:\Program Files\Zone Labs\Integrity Client\iclient.exe" [2008-01-09 11:48 444160]
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" [2008-01-09 11:48 107008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 17:17 443968]

C:\Documents and Settings\rmunad\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 11:39:42]
YzDock.exe.lnk - C:\Downloads\yzdock\YzDock.exe [2003-06-03 21:38:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
j2 4.2.lnk - C:\Program Files\j2 Messenger 4.2\J2GTray.exe [2007-08-31 14:24:57]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2006-06-26 14:59:21]
VPN Client.lnk - c:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-04-24 17:10:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-04 22:40:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 09:44 87352 C:\WINDOWS\system32\LMIinit.dll

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R2 MSExchangeMGMT;Microsoft Exchange Management;"C:\Program Files\Exchsrvr\bin\exmgmt.exe" [2003-06-23 23:00]
R2 MyDesktopWindows;MyDesktopService;C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe [2007-10-19 10:32]
R2 QOSMyDesktop;QOS MyDesktop;C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe [2006-04-21 11:14]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 04:00]
R2 SVNService;SVNService;C:\Program Files\Subversion\bin\svnservice.exe [2006-07-07 08:18]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01]
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-10-13 17:04]
S2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" []
S3 ICAM3NT5;Intel® PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS [2001-07-18 13:52]
S3 MSSQL$DEV;MSSQL$DEV;C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [2005-05-03 23:04]
S3 npkycryp;npkycryp;C:\Program Files\WIZET\MapleStory\npkycryp.sys []
S3 SQLAgent$DEV;SQLAgent$DEV;C:\Program Files\Microsoft SQL Server\MSSQL$DEV\binn\sqlagent.exe [2005-05-03 20:42]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 TAEReaderSvc;TA Email Reader;c:\vs projects\travel authorization\development\current\emailreader\taereadersvc\bin\debug\taereadersvc.exe [2006-09-25 12:17]
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 12:22]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 06:01]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 02:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-10 18:41:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 10:45:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-10 10:53:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 18:53:10

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 January 2008 - 06:12 PM

Guess you didn't read this :o
http://forums.whatth...ING_t86364.html


You have a few infection which infects legitimate files, it can be a bit of a pain

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.mal...om/HJTsetup.exe

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here use the [Add Reply] button below.

Next:

1. Download RenV.exe by sUBs to your desktop
2. Double click on it to run it
It will search your system drive looking for any modified .exe file and will produce a log for you.
3. Please copy and paste this report to your reply

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 stargate

stargate

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 13 January 2008 - 07:55 PM

Opps sorry for not reading the forum rules. Anyway the following is the hijackthis scan log output.

Logfile of HijackThis v1.99.1
Scan saved at 17:50, on 2008-01-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Subversion\bin\svnservice.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\j2 Messenger 4.2\J2GTray.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Downloads\yzdock\YzDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Cisco Systems\VPN Client\vpngui.exe
c:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqpm.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [j2 4.2] "C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Startup: YzDock.exe.lnk = C:\Downloads\yzdock\YzDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: j2 4.2.lnk = C:\Program Files\j2 Messenger 4.2\J2GTray.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.expedia.com
O15 - Trusted Zone: *.expediacorporate.com
O15 - Trusted Zone: http://*.myspl.com
O15 - Trusted Zone: *.spl-training17
O15 - Trusted Zone: http://*.spl-training17
O15 - Trusted Zone: http://sf-of-tst.splwg.com
O15 - Trusted Zone: *.expedia.com (HKLM)
O15 - Trusted Zone: *.expediacorporate.com (HKLM)
O15 - Trusted Zone: http://*.myspl.com (HKLM)
O15 - Trusted Zone: http://sf-of-tst.splwg.com (HKLM)
O15 - Trusted IP range: 192.168.32.3
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.li...?v=13,0,0731,01
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55E515F7-0FA2-4610-874E-028107E766A3} (eWebEditProLibCtl3.eWebEditPro) - https://myspltest.co...webeditpro3.cab
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - http://203.99.63.246.../WinWebPush.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://203.99.63.246:85/cab/msrdp.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://sf-of-prd.spl...tor/oajinit.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://D:\AUTORUN\Flash\swflash.cab
O16 - DPF: {DCEA263C-75E9-4029-F6AA-37F011CC4EF1} (IM2Webconference) - http://dialcom.com/s...llaboration.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spl.webex.co...bex/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = splwg.com
O17 - HKLM\Software\..\Telephony: DomainName = splwg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = splwg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = splwg.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50215_X86 (clr_optimization_v2.0.50215_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\mscorsvw.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\svnservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TA Email Reader (TAEReaderSvc) - SPL Worldgroup - c:\vs projects\travel authorization\development\current\emailreader\taereadersvc\bin\debug\taereadersvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

I wait for your response for further actions.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 January 2008 - 08:00 PM

Next:

1. Download RenV.exe by sUBs to your desktop
2. Double click on it to run it
It will search your system drive looking for any modified .exe file and will produce a log for you.
3. Please copy and paste this report to your reply

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 stargate

stargate

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 13 January 2008 - 08:00 PM

Here si the log from RenV

Ran on 2008-01-13 - 17:53:51.93

----a-w		   954,368 2008-01-09 16:36:15  C:\Program Files\Athan\Athan .exe
----a-w		   344,064 2008-01-09 04:54:18  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   155,648 2008-01-09 19:44:56  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w			94,208 2008-01-09 04:54:44  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   185,632 2008-01-09 04:54:30  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			52,896 2008-01-09 19:44:54  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   460,784 2008-01-09 19:45:06  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   107,008 2008-01-09 19:44:52  C:\Program Files\j2 Messenger 4.2\J2GDllCmd .exe
----a-w		   132,760 2008-01-09 16:36:11  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   657,168 2008-01-09 19:45:00  C:\Program Files\JiWire\BOT Mapping\JiWireBOT .exe
----a-w			63,048 2008-01-09 19:44:49  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w		 1,694,208 2008-01-09 16:36:19  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-01-09 16:13:27  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   139,320 2008-01-09 16:36:15  C:\Program Files\Network Associates\Common Framework\UpdaterUI .exe
----a-w		 5,713,920 2008-01-09 16:36:26  C:\Program Files\Pamela\Pamela .exe
----a-w		   286,720 2008-01-09 19:48:26  C:\Program Files\QuickTime\QTTask	.exe
----a-w				 0 2008-01-09 21:48:27  C:\Program Files\QuickTime\QTTask   .exe
----a-w				 0 2008-01-09 21:14:36  C:\Program Files\QuickTime\QTTask  .exe
----a-w				 0 2008-01-09 21:14:34  C:\Program Files\QuickTime\QTTask .exe
----a-w		22,880,040 2008-01-09 16:13:30  C:\Program Files\Skype\Phone\Skype .exe
----a-w		   125,168 2008-01-09 04:54:28  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   866,584 2008-01-09 19:44:53  C:\Program Files\Windows Defender\MSASCui .exe
----a-w				 0 2008-01-09 21:48:08  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w				 0 2008-01-09 21:17:33  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   444,160 2008-01-09 19:44:52  C:\Program Files\Zone Labs\Integrity Client\iclient .exe
----a-w		   707,376 2008-01-09 04:54:34  C:\WINDOWS\vVX1000 .exe
----a-w			45,632 2008-01-09 04:54:14  C:\WINDOWS\system32\taskswitch .exe

 Entries:			   27  (27)
 Directories:			0  Files:			27
 Bytes:		 41,785,064  Blocks:	   81,619


Thanks a lot for your help.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 16 January 2008 - 04:43 PM

Combofix has been updated. We need to get the latest.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    [list]
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 January 2008 - 09:59 AM

Do you still need help with this?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 January 2008 - 03:47 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users