Unknown Adware infection


15 replies to this topic

#1 mykasoda
  • New Member
  • 11 posts

Posted 22 April 2008 - 05:04 PM

Hi all, never posted here before, but I read the new users post so I hope I do this right....

Quick Description: I had a rootkit on my computer, which I have removed, but not before it managed to install a bunch of adware/malware. I removed a couple of them, using Adaware/S&D, but I'm still getting the occasional unprovoked popup ad in my browser.

I cannot for the life of me figure out what I'm infected with, please help! Here is my log....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:39 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Hacim\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Hacim\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [54757d32] rundll32.exe "C:\WINDOWS\system32\vqopyqav.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170957496421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7767 bytes


Thanks in advance for any info



#2 FencerGirl
  • Authentic Member
  • 125 posts

Posted 24 April 2008 - 09:03 AM

Hello!
I go by FencerGirl. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Finally, please reply to this thread. Do not start a new topic.

It may take me a while to reply to you as all of my fixes are being checked by experts to ensure that you are getting a good fix. And remember, like you I have a real life, so I may not be at my computer when you are!

FencerGirl

#3 mykasoda
  • New Member
  • 11 posts

Posted 24 April 2008 - 12:05 PM

Hi. Sorry, since then I've figured it out. It was a virtumonde.dll infection that I removed with ComboFix.exe. Thanks for the response :-D

#4 FencerGirl
  • Authentic Member
  • 125 posts

Posted 24 April 2008 - 01:25 PM

Hi mykasoda,
ComboFix is a very powerful tool and it can certainly clean up this type of infection; however, it's not foolproof. If you'd post a new HijackThis log, I'd be happy to look it over to ensure that you are clean.

I'd also like to see your ComboFix log if you still have it. It can be found at C:\ComboFix.txt

You'll at least want to update your version of Java to help make sure you don't get reinfected.
  • Go to http://java.sun.com/...loads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 6
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

If you'd like me to look it over, please post a new HijackThis log and your ComboFix log (if you have it).
Thanks,
FencerGirl

#5 mykasoda
  • New Member
  • 11 posts

Posted 24 April 2008 - 02:26 PM

Sure, would appreciate a look over :-D

Here is my combofix log....

ComboFix 08-04-22.5 - Hacim 2008-04-23 15:02:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.482 [GMT -7:00]
Running from: C:\Documents and Settings\Hacim\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ddcYsRJy.dll
C:\WINDOWS\system32\eOpXIkkj.ini
C:\WINDOWS\system32\eOpXIkkj.ini2
C:\WINDOWS\system32\jkkKbywv.dll
C:\WINDOWS\system32\kfwmbdmk.ini
C:\WINDOWS\system32\kmdbmwfk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RYaIRtwa.ini
C:\WINDOWS\system32\RYaIRtwa.ini2
C:\WINDOWS\system32\vwybKkkj.ini
C:\WINDOWS\system32\vwybKkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 13:10 . 2008-04-23 14:02 <DIR> d-------- C:\VundoFix Backups
2008-04-23 12:16 . 2006-10-20 08:37 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-23 12:16 . 2008-04-23 12:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 12:16 . 2008-04-23 15:01 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 11:03 . 2008-04-23 11:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 11:03 . 2008-04-23 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 09:33 . 2008-04-23 10:01 1,540,677 --ahs---- C:\WINDOWS\system32\ctjvectu.ini
2008-04-22 15:51 . 2008-04-22 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 09:45 . 2008-04-22 09:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-22 09:45 . 2008-04-23 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-22 09:31 . 2008-04-23 09:33 1,540,849 --ahs---- C:\WINDOWS\system32\vaqypoqv.ini
2008-04-18 10:07 . 2008-04-18 10:08 <DIR> d-------- C:\Program Files\Aspell
2008-04-17 12:00 . 2008-04-17 12:00 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-16 14:48 . 2008-04-16 14:50 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\SyncMyCal
2008-04-10 17:27 . 2008-04-10 17:27 <DIR> d-------- C:\WINDOWS\Cache
2008-04-10 17:27 . 2008-04-17 15:43 <DIR> d-------- C:\Program Files\Coupons
2008-04-10 16:26 . 2008-04-10 16:26 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\gtk-2.0
2008-04-08 12:59 . 2008-04-23 15:06 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\.purple
2008-04-08 12:58 . 2008-04-18 10:08 <DIR> d-------- C:\Program Files\Pidgin
2008-04-08 12:58 . 2008-04-08 12:58 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-04-07 17:10 . 2008-04-07 17:13 123,546 --a------ C:\50831319.jpg
2008-04-07 11:02 . 2008-04-23 14:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 11:02 . 2008-04-07 11:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Program Files\iTunes
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Program Files\iPod
2008-04-04 14:52 . 2008-04-04 14:52 <DIR> d-------- C:\Program Files\Handbrake
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 10:20 . 2008-03-26 10:20 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-26 10:20 . 2008-03-26 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-25 12:36 . 2008-03-25 12:44 21,897 --a------ C:\Documents and Settings\Hacim\Application Data\Comma Separated Values (DOS).ADR
2008-03-25 12:27 . 2008-03-25 12:38 21,901 --a------ C:\Documents and Settings\Hacim\Application Data\Comma Separated Values (Windows).ADR
2008-03-25 12:12 . 2008-03-25 12:12 <DIR> d-------- C:\Program Files\FriendBot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 16:32 --------- d-----w C:\Program Files\Google
2008-04-17 22:42 --------- d-----w C:\Program Files\A-one iPod Video Convertor
2008-04-17 22:29 --------- d-----w C:\Program Files\Zanag
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\Hacim\Application Data\AVG7
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-17 22:12 --------- d-----w C:\Documents and Settings\Hacim\Application Data\OpenOffice.org2
2008-04-17 22:11 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Hamachi
2008-04-16 20:09 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-04-07 17:58 --------- d-----w C:\Program Files\QuickTime
2008-04-02 19:32 --------- d-----w C:\Program Files\DC++
2008-03-25 19:11 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-25 19:09 --------- d-----w C:\Program Files\Viewpoint
2008-03-25 19:09 --------- d-----w C:\Program Files\Synergy
2008-03-25 19:09 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Viewpoint
2008-03-25 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-25 19:08 --------- d-----w C:\Program Files\MySpace
2008-03-21 00:03 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Aid4Mail
2008-03-13 18:37 --------- d-----w C:\Program Files\Java
2008-03-11 21:32 --------- d-----w C:\Program Files\RealVNC
2006-12-18 17:38 88 --sh--r C:\WINDOWS\system32\D113B2E5D5.sys
2006-12-18 17:38 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7}]
C:\WINDOWS\system32\awtRIaYR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9EC053B-E9FA-4956-B55C-202432406AB1}]
C:\WINDOWS\system32\jkkIXpOe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Pidgin"="C:\Program Files\Pidgin\pidgin.exe" [2008-03-31 12:37 44658]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-23 17:12 7630848]
"nwiz"="nwiz.exe" [2006-08-23 17:12 1617920 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-23 17:12 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 08:00 282624 C:\WINDOWS\stsystra.exe]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-10 11:05 185896]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 19:30 995328]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 21:26:34 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-02-22 11:45:34 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\discover.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\AuditorServer.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\bradminv3.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe [2007-09-03 20:14]
S3 radmrdd;radmrdd;C:\WINDOWS\system32\DRIVERS\radmrdd.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 17:54:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-10-25 22:29:18 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 15:08:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-23 15:14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 22:14:02

Pre-Run: 76,262,014,976 bytes free
Post-Run: 76,187,951,104 bytes free

182 --- E O F --- 2008-04-11 02:10:17

#6 mykasoda
  • New Member
  • 11 posts

Posted 24 April 2008 - 02:27 PM

And here is my HJT log.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:22 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\alienwhere.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7} - C:\WINDOWS\system32\awtRIaYR.dll (file missing)
O2 - BHO: (no name) - {D9EC053B-E9FA-4956-B55C-202432406AB1} - C:\WINDOWS\system32\jkkIXpOe.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170957496421
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7951 bytes

#7 mykasoda
  • New Member
  • 11 posts

Posted 24 April 2008 - 02:29 PM

hmm....actually, now that I look at it....

O2 - BHO: (no name) - {8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7} - C:\WINDOWS\system32\awtRIaYR.dll (file missing)
O2 - BHO: (no name) - {D9EC053B-E9FA-4956-B55C-202432406AB1} - C:\WINDOWS\system32\jkkIXpOe.dll (file missing)

is troubling. Looking forward to your advice.
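
As an added illustration (this is not code from the thread, nor from HijackThis or ComboFix), here is a small Python triage script that applies the two observations made in this thread to HijackThis log lines: an O2 BHO entry whose DLL is reported "(file missing)" is an orphaned registration left behind by a partial cleanup, and an O4 Run entry that launches rundll32 to load a DLL with a pseudo-random eight-letter name from system32 (like the vqopyqav.dll entry in the first log) is the kind of line worth a second look. The sample lines are copied from the logs posted above and labelled as a constructed sample; the eight-letter and hex-value-name heuristics and their thresholds are my own assumptions, not a published signature.

```python
import re
import ntpath

# Constructed sample: a handful of lines taken from the HijackThis logs in this
# thread, plus two known-good entries to show the filter does not fire on everything.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7} - C:\WINDOWS\system32\awtRIaYR.dll (file missing)
O2 - BHO: (no name) - {D9EC053B-E9FA-4956-B55C-202432406AB1} - C:\WINDOWS\system32\jkkIXpOe.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [54757d32] rundll32.exe "C:\WINDOWS\system32\vqopyqav.dll",b
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
"""

# O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?: \((?P<status>file missing)\))?$"
)
# O4 line: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# Command line that starts with rundll32 and names a DLL (quoted or not).
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# Assumed heuristic: Run value names that are just 8 hex digits.
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")


def looks_pseudo_random(stem):
    """Assumed heuristic: an 8-letter, all-alphabetic file stem (e.g. vqopyqav)."""
    return re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def triage(log_text):
    """Return a list of findings (dicts) for the suspicious lines in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("status") == "file missing":
                findings.append({
                    "section": "O2",
                    "key": m.group("clsid"),
                    "path": m.group("path"),
                    "reason": "BHO CLSID still registered but its DLL is gone: "
                              "orphaned registration left behind by a partial cleanup",
                })
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd"))
        if r is None:
            continue  # only rundll32-launched DLLs are examined here
        dll = r.group("dll")
        stem = ntpath.splitext(ntpath.basename(dll))[0]
        in_system32 = "\\system32\\" in dll.lower()
        if in_system32 and (looks_pseudo_random(stem) or HEX_VALUE_RE.match(m.group("value"))):
            findings.append({
                "section": "O4",
                "key": m.group("hive") + "\\..\\Run:" + m.group("value"),
                "path": dll,
                "reason": "rundll32 loading a DLL with a pseudo-random name from "
                          "system32 under a hex-named Run value; review before trusting",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['section']}] {f['key']}\n    {f['path']}\n    {f['reason']}")
```

The heuristics are deliberately narrow: a legitimate rundll32 autorun such as NvCplDaemon is not flagged because its DLL stem is neither eight random letters nor registered under a hex-looking value name. Findings are hints for a human reviewer (as in this thread), not a verdict, and the script only reads a saved log, it changes nothing on the machine.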

#8 FencerGirl
  • Authentic Member
  • 125 posts

Posted 25 April 2008 - 07:31 AM

Hi mykasoda,

It looks like ComboFix did a good job, but there's still some things lurking around.

Step 1: Disable Spybot's TeaTimer.
Some anti-malware programs can interfere with the removal of malware.
For now, please disable Spybot's TeaTimer.
1. Run Spybot-S&D
2. Go to the Mode menu, and make sure "Advanced Mode" is selected
3. On the left hand side, choose Tools -> Resident
4. Uncheck "Resident TeaTimer" and OK any prompts
5. Restart your computer.
Don't forget to re-enable it, when your computer is clean.

Step 2: Use ComboFix to Take Out the Trash.
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ctjvectu.ini
C:\WINDOWS\system32\vaqypoqv.ini
C:\WINDOWS\system32\D113B2E5D5.sys
C:\WINDOWS\system32\KGyGaAvL.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Step 3: Mop up with HijackThis.
Scan with HijackThis and check the following if present.

O2 - BHO: (no name) - {8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7} - C:\WINDOWS\system32\awtRIaYR.dll (file missing)
O2 - BHO: (no name) - {D9EC053B-E9FA-4956-B55C-202432406AB1} - C:\WINDOWS\system32\jkkIXpOe.dll (file missing)

CLOSE ALL OTHER WINDOWS and select "Fixed Checked".

Step 4: Remove ViewPoint.
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
This is the item to fix in HijackThis.

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Step 5: Update Java.
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/...loads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 6
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

After you've completed the above, post back with your new ComboFix log and a new HijackThis log.
Thanks,
FencerGirl
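
The two O2 entries mykasoda spotted in post #7, and the "fix checked" list in Step 3 above, come down to two things a helper looks for in a HijackThis log: a BHO whose DLL is no longer on disk, and a random-looking eight-letter module name in system32 (the naming pattern of the Virtumonde/Vundo DLLs that ComboFix quarantined earlier in this thread). Here is an added triage script that applies those checks to O2 lines and flags unwanted O4 autoruns; it is not part of the thread or of HijackThis, the sample lines are copied from the log posted above, and the `UNWANTED_AUTORUNS` list is a constructed placeholder:

```python
"""Triage a HijackThis log for the items flagged in this thread.
Added example, not from the thread or from HijackThis itself."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BD3B364-DC79-44B5-A8B5-2D55BD0FECC7} - C:\WINDOWS\system32\awtRIaYR.dll (file missing)
O2 - BHO: (no name) - {D9EC053B-E9FA-4956-B55C-202432406AB1} - C:\WINDOWS\system32\jkkIXpOe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Eight letters, mixed case, no digits: the DLL naming pattern of the adware seen in this thread.
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")
# Constructed placeholder list of autorun commands the helper asked to remove as foistware.
UNWANTED_AUTORUNS = {"viewpoint"}


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    name: str      # BHO friendly name or Run value name
    target: str    # DLL path or autorun command
    reasons: list  # human-readable reasons the entry was flagged


def looks_random(path):
    """True for an eight-letter mixed-case module name living in system32."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return "\\system32\\" in path.lower() and bool(RANDOM_STEM_RE.match(stem))


def triage(log_text):
    """Return the O2/O4 entries a helper would tick in HijackThis, with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("BHO registered but its DLL is absent from disk")
            if m.group("name") == "(no name)":
                reasons.append("BHO carries no friendly name")
            if looks_random(m.group("path")):
                reasons.append("random-looking eight-letter module in system32")
            if reasons:
                findings.append(Finding("O2", m.group("name"), m.group("path"), reasons))
            continue
        m = O4_RE.match(line)
        if m and any(tok in m.group("cmd").lower() for tok in UNWANTED_AUTORUNS):
            findings.append(Finding("O4", m.group("name"), m.group("cmd"),
                                    ["autorun belongs to software installed without consent"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Run on the constructed sample it flags exactly the two orphaned BHOs and the Viewpoint autorun; the legitimate Adobe, Java, avast! and NVIDIA entries pass untouched, which is the point of checking the three signals together rather than ticking every "(no name)" entry.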

#9 mykasoda

mykasoda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 25 April 2008 - 11:35 AM

Hey. Thanks again. I did exactly as you instructed except that I cannot find Viewpoint Manager in add remove, nor in hijack this. Weird.

Here are my new logs....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:33 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\alienwhere.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170957496421
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7535 bytes

#10 mykasoda

mykasoda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 25 April 2008 - 11:35 AM

ComboFix 08-04-22.5 - Hacim 2008-04-25 10:28:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.618 [GMT -7:00]
Running from: C:\Documents and Settings\Hacim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hacim\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ctjvectu.ini
C:\WINDOWS\system32\D113B2E5D5.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\vaqypoqv.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctjvectu.ini
C:\WINDOWS\system32\D113B2E5D5.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\vaqypoqv.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 16:19 . 2008-04-24 16:19 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-23 13:10 . 2008-04-23 14:02 <DIR> d-------- C:\VundoFix Backups
2008-04-23 12:16 . 2006-10-20 08:37 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-23 12:16 . 2008-04-23 12:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 12:16 . 2008-04-25 08:07 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 11:03 . 2008-04-23 15:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 11:03 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 15:51 . 2008-04-22 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 09:45 . 2008-04-22 09:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-22 09:45 . 2008-04-23 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 10:07 . 2008-04-18 10:08 <DIR> d-------- C:\Program Files\Aspell
2008-04-17 12:00 . 2008-04-17 12:00 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-16 14:48 . 2008-04-16 14:50 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\SyncMyCal
2008-04-10 17:27 . 2008-04-10 17:27 <DIR> d-------- C:\WINDOWS\Cache
2008-04-10 17:27 . 2008-04-17 15:43 <DIR> d-------- C:\Program Files\Coupons
2008-04-10 16:26 . 2008-04-10 16:26 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\gtk-2.0
2008-04-08 12:59 . 2008-04-25 10:29 <DIR> d-------- C:\Documents and Settings\Hacim\Application Data\.purple
2008-04-08 12:58 . 2008-04-18 10:08 <DIR> d-------- C:\Program Files\Pidgin
2008-04-08 12:58 . 2008-04-08 12:58 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-04-07 17:10 . 2008-04-07 17:13 123,546 --a------ C:\50831319.jpg
2008-04-07 11:02 . 2008-04-24 09:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 11:02 . 2008-04-07 11:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Program Files\iTunes
2008-04-07 11:01 . 2008-04-07 11:01 <DIR> d-------- C:\Program Files\iPod
2008-04-04 14:52 . 2008-04-04 14:52 <DIR> d-------- C:\Program Files\Handbrake
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 10:20 . 2008-03-26 10:20 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-26 10:20 . 2008-03-26 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-25 12:36 . 2008-03-25 12:44 21,897 --a------ C:\Documents and Settings\Hacim\Application Data\Comma Separated Values (DOS).ADR
2008-03-25 12:27 . 2008-03-25 12:38 21,901 --a------ C:\Documents and Settings\Hacim\Application Data\Comma Separated Values (Windows).ADR
2008-03-25 12:12 . 2008-03-25 12:12 <DIR> d-------- C:\Program Files\FriendBot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 17:25 --------- d-----w C:\Program Files\Java
2008-04-24 16:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\OpenOffice.org2
2008-04-18 16:32 --------- d-----w C:\Program Files\Google
2008-04-17 22:42 --------- d-----w C:\Program Files\A-one iPod Video Convertor
2008-04-17 22:29 --------- d-----w C:\Program Files\Zanag
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\Hacim\Application Data\AVG7
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-04-17 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-17 22:12 --------- d-----w C:\Documents and Settings\Hacim\Application Data\OpenOffice.org2
2008-04-17 22:11 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Hamachi
2008-04-07 17:58 --------- d-----w C:\Program Files\QuickTime
2008-04-02 19:32 --------- d-----w C:\Program Files\DC++
2008-03-25 19:11 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-25 19:09 --------- d-----w C:\Program Files\Viewpoint
2008-03-25 19:09 --------- d-----w C:\Program Files\Synergy
2008-03-25 19:09 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Viewpoint
2008-03-25 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-25 19:08 --------- d-----w C:\Program Files\MySpace
2008-03-21 00:03 --------- d-----w C:\Documents and Settings\Hacim\Application Data\Aid4Mail
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-11 21:32 --------- d-----w C:\Program Files\RealVNC
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_15.13.54.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 22:07:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 02:27:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-10-20 15:41:13 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-04-25 17:24:52 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-04-24 02:27:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Pidgin"="C:\Program Files\Pidgin\pidgin.exe" [2008-03-31 12:37 44658]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-23 17:12 7630848]
"nwiz"="nwiz.exe" [2006-08-23 17:12 1617920 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-23 17:12 86016]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 08:00 282624 C:\WINDOWS\stsystra.exe]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-10 11:05 185896]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 19:30 995328]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 21:26:34 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-02-22 11:45:34 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\discover.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\AuditorServer.exe"=
"C:\\Program Files\\Brother\\BRAdmin Professional 3\\bradminv3.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Pidgin\\pidgin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe [2007-09-03 20:14]
S3 radmrdd;radmrdd;C:\WINDOWS\system32\DRIVERS\radmrdd.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 17:54:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-10-25 22:29:18 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 10:29:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 10:30:34
ComboFix-quarantined-files.txt 2008-04-25 17:30:23
ComboFix2.txt 2008-04-23 22:14:06

Pre-Run: 74,975,199,232 bytes free
Post-Run: 75,389,952,000 bytes free

182 --- E O F --- 2008-04-11 02:10:17


#11 FencerGirl

FencerGirl

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 28 April 2008 - 06:00 AM

Hi mykasoda,
Sorry for the delay. It was a very busy weekend.
I only noticed Viewpoint in your ComboFix log, so it's possible that it got uninstalled previously.

You're looking much cleaner.

Step 1: Clean out the remains of Viewpoint
Browse to the following folders and files and delete them if present.

C:\Documents and Settings\Hacim\Application Data\Viewpoint <=This whole folder!
C:\Documents and Settings\All Users\Application Data\Viewpoint <=This whole folder!

Step 2: Make sure you really are clean
Please do an online scan with KasperskyWebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

After you've completed the above, please post back with the results from Kaspersky and (hopefully) one last HijackThis log.
Thanks,
FencerGirl

#12 mykasoda

mykasoda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 28 April 2008 - 07:27 PM

You're right yet again ^ ^ there's some nasties hiding in there according to KOS. Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 6:25:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 729268
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 147073
Number of viruses found: 5
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:10:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Hacim\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\cert8.db Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\history.dat Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\key3.db Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\parent.lock Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Hacim\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-67bc2aee/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Hacim\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-67bc2aee/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Hacim\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-67bc2aee/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Hacim\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-67bc2aee ZIP: infected - 3 skipped
C:\Documents and Settings\Hacim\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hacim\Desktop\Website from IMG\flash_assets\videoplayer.fla Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Macromedia\Macromedia FlashPaper\OfficeTemplates\FlashPaperWordUITemplate.2302.dot Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Application Data\Mozilla\Firefox\Profiles\3mtauyx7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~DFB029.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~DFB038.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~DFED46.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~DFFD7C.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~DFFFB1.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Hacim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hacim\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hacim\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcYsRJy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pjw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kmdbmwfk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qpx skipped
C:\QooBox\Quarantine\catchme2008-04-23_150603.85.zip/jkkKbywv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-23_150603.85.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp94364308.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. HJT log to follow....

#13 mykasoda

mykasoda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 28 April 2008 - 07:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:23 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MACROM~1\FLASH8~2\Flash.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FileZilla\FileZilla.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\alienwhere.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1061020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170957496421
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8278 bytes

#14 FencerGirl

FencerGirl

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 29 April 2008 - 07:27 AM

Hi mykasoda,

Thanks for the logs. Some of the items Kaspersky found were in quarantine thanks to ComboFix.

Kaspersky shows that you have WinVNC installed. Did you intentionally install this program? It allows for remote access to your computer. An excellent write up on it can be found here.
If you did not intentionally install it, you should consider the following.
This program gives intruders complete control of your computer, logging keystrokes, stealing information, etc. :(
You are strongly advised to do the following immediately!:
  • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:
Should you have any questions, please feel free to ask

If you intentionally installed WinVNC or you don't use this computer for anything sensitive, we can certainly finish cleaning it. If you'd like to clean it, please complete the following steps.

Step 1: Delete an infected file
Browse to the following file and delete it.
C:\Documents and Settings\Hacim\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-67bc2aee

Step 2: Clean with HijackThis
Scan with HijackThis and check the following if present.

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

CLOSE ALL OTHER WINDOWS and select "Fixed Checked".

Step 3: Get rid of WinVNC (if you didn't install it)
If you didn't intentionally install WinVNC, you should delete it.
You can try to remove it via Add/Remove Programs.
If that doesn't work, browse to the following folder and delete it.
C:\Program Files\RealVNC <=This whole folder!

Please let me know what you choose and if you decide to clean, please post back with a new HijackThis log.
Thanks,
FencerGirl
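Step 2 above singles out O16 DPF lines whose entry ends in a bare " -" (no download target). The following Python script is an added example, not FencerGirl's or HijackThis's own code: it parses O2 and O16 lines in HijackThis v2.0.2 format and flags registrations that point at nothing, which generalises the step to O2 BHO entries reported as "(no file)" as well. The sample lines are constructed from the format shown in this thread, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2.0.2 format, modelled on the lines posted
# in this thread (the truncated URL is kept as the forum displays it).
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

GUID = r"\{(?P<guid>[0-9A-Fa-f-]{36})\}"
PATTERNS = {
    # O2: "O2 - BHO: <name> - {GUID} - <dll path, or (no file)>"
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + GUID + r" - (?P<target>.*)$"),
    # O16: "O16 - DPF: {GUID} (<class name>) - <cab URL>"; a missing target ends in " -"
    "O16": re.compile(r"^O16 - DPF: " + GUID + r"(?: \((?P<name>[^)]*)\))? -\s?(?P<target>.*)$"),
}


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised O2/O16 line; other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                entries.append({
                    "section": section,
                    "guid": m.group("guid").upper(),
                    "name": m.group("name") or "",
                    "target": m.group("target").strip(),
                    "raw": line,
                })
                break
    return entries


def find_orphans(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Registrations that reference nothing on disk or on the network:
    an O16 DPF entry with an empty target, or an O2 BHO reported as (no file)."""
    orphans = []
    for e in entries:
        if e["section"] == "O16" and e["target"] == "":
            orphans.append(e)
        elif e["section"] == "O2" and e["target"].lower() == "(no file)":
            orphans.append(e)
    return orphans


if __name__ == "__main__":
    for e in find_orphans(parse_hjt(SAMPLE_LOG)):
        print(f"{e['section']} {{{e['guid']}}} -> {e['target'] or '<empty>'}")
```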

#15 mykasoda

mykasoda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 29 April 2008 - 11:36 AM

Hey. I purposely installed it. I only installed the viewer, not the server part. Doing those changes, will post HJT log in a little bit. Ty again so much for your help.

Edited by mykasoda, 29 April 2008 - 11:37 AM.
