mkicon
Cadet
Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Fri May 09, 2008 8:41 am Post subject: Mal_vundo-4
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:32 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\GJC3E1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Gnuf Casino - {8FE9B27A-BDCD-4d27-A430-4DC0B58D01B0} - C:\Program Files\Gnuf\Casino\casinogame.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Gnuf Poker - {A99C8F70-4D5B-482c-8854-05BC0BB8B182} - C:\Program Files\Gnuf\Poker\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B104D77-08CA-452A-B4EE-7C85DFC9511D}: NameServer = 192.168.0.1
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5417 bytes
One day while surfing the internet, my Firefox browser no longer would load certain sites. After installing Trend Micro Office Scan, I found I was infected with Man_vundo-4. I have tried many, many different solutions to no avail.
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17293
Deacon10
1st Responder Premium Member
Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Fri May 09, 2008 12:50 pm Post subject:
"Welcome to Castlecops"
Hi There. I'm Deacon10 or Larry if you prefer and will be working with you to resolve your problems. I am reviewing your log which requires an amount of research, so please be patient.
Just a few notes I tell everybody I work with:
- Please reply to this thread. Do not start a new topic.
- If you have any questions or don't understand something please stop and ask before you proceed.
- Please set aside enough time to complete all the steps in each post and follow these instructions in the order stated.
- Please respond within 2 days. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
- Please continue here with me until I tell you your system is free from malware.
Just because a symptom disappears does not mean your system is clean.
- The following fix is specifically designed for this user's post and this machine only!
_________________ Deacon10
"Hindsight explains the injury that foresight would have prevented"
Deacon10
1st Responder Premium Member
Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Fri May 09, 2008 4:42 pm Post subject:
Hello mkicon,
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
Please follow all the instructions completely and in the order stated.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
First, re-enable your antivirus and antispyware programs.
Next, include the following reports for further review, and so we may continue cleansing the system.
C:\ComboFix.txt
New HijackThis log.
_________________ Deacon10
"Hindsight explains the injury that foresight would have prevented"
mkicon
Cadet
Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Sat May 10, 2008 12:44 am Post subject:
ComboFix 08-05-08.1 - Name 2008-05-09 20:29:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1583 [GMT -4:00]
Running from: C:\Documents and Settings\Name\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Name\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bsreiisv.ini
C:\WINDOWS\system32\byXPFUki.dll
C:\WINDOWS\system32\dflucplj.ini
C:\WINDOWS\system32\fpujifnh.ini
C:\WINDOWS\system32\hgGawUlK.dll
C:\WINDOWS\system32\igwabkun.ini
C:\WINDOWS\system32\ikqvfrlh.dll
C:\WINDOWS\system32\ikUFPXyb.ini
C:\WINDOWS\system32\ikUFPXyb.ini2
C:\WINDOWS\system32\mlJBTmmj.dll
C:\WINDOWS\system32\oxcfbpqm.dll
C:\WINDOWS\system32\phwnupoy.ini
C:\WINDOWS\system32\riermnat.ini
C:\WINDOWS\system32\ssqQgGAr.dll
C:\WINDOWS\system32\tAHPYJjl.ini
C:\WINDOWS\system32\tAHPYJjl.ini2
C:\WINDOWS\system32\vtUnoonK.dll
C:\WINDOWS\system32\xxyawtrs.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.
2008-05-09 14:59 . 2008-05-09 14:59 2,112 --a------ C:\WINDOWS\system32\ifgytihd.exe
2008-05-08 14:55 . 2008-05-08 14:55 2,112 --a------ C:\WINDOWS\system32\jbaxgjbk.exe
2008-05-03 00:04 . 2008-05-03 00:04 <DIR> d-------- C:\VundoFix Backups
2008-04-29 13:44 . 2008-04-29 13:44 <DIR> d-------- C:\quarantine
2008-04-29 13:36 . 2008-05-09 19:55 12,759 --a------ C:\WINDOWS\cfgall.ini
2008-04-29 05:05 . 2008-04-29 05:05 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-28 20:17 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-28 20:16 . 2008-05-09 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 20:16 . 2008-04-28 20:16 21 --a------ C:\tmuninst.ini
2008-04-28 20:15 . 2008-04-28 20:15 <DIR> d-------- C:\Documents and Settings\Name\Application Data\InstallShield
2008-04-28 20:14 . 2008-04-28 20:17 <DIR> d-------- C:\Temp
2008-04-26 05:54 . 2008-04-26 05:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-26 05:54 . 2008-04-28 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 05:06 . 2008-05-09 15:49 109,718 --a------ C:\WINDOWS\BMe301d553.xml
2008-04-12 17:57 . 2008-04-12 17:57 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-11 20:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-11 20:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-11 20:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-11 03:38 . 2008-04-11 03:38 268 --ah----- C:\sqmdata00.sqm
2008-04-11 03:38 . 2008-04-11 03:38 244 --ah----- C:\sqmnoopt00.sqm
2008-04-11 01:10 . 2008-04-11 14:55 <DIR> d-------- C:\Documents and Settings\Name\Contacts
2008-04-11 01:09 . 2008-04-11 01:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-11 01:06 . 2008-04-11 01:09 <DIR> d-------- C:\Program Files\Windows Live
2008-04-11 01:06 . 2008-04-11 01:09 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-11 01:05 . 2008-04-11 01:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 16:50 --------- d-----w C:\Documents and Settings\Name\Application Data\Microgaming
2008-04-29 00:16 --------- d-----w C:\Program Files\Symantec
2008-04-29 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-29 00:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 04:28 --------- d-----w C:\Program Files\Steam
2008-04-27 07:17 --------- d-----w C:\Program Files\mIRC
2008-04-19 22:49 --------- d-----w C:\Program Files\Burning Crusade Closed Beta
2008-04-11 08:17 --------- d-----w C:\Program Files\Java
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\Name\Application Data\Yahoo!
2008-04-05 15:55 --------- d-----w C:\Program Files\Yahoo!
2008-04-01 04:03 --------- d-----w C:\Program Files\World of Warcraft
2008-03-27 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 01:09 --------- d-----w C:\Program Files\Warcraft III
2008-03-10 05:27 --------- d-----w C:\Program Files\PoRTaL
2008-03-05 06:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-05 06:04 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\MOffice.exe" [2007-11-01 01:53 958464]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 18:31 710000]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 08:00 158208]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe301d553]
C:\WINDOWS\system32\xxegminr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 10:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e032e6cf]
C:\WINDOWS\system32\vsiiersb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-15 21:15 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8736:TCP"= 8736:TCP:Trend Micro OfficeScan Listener
R0 aac;Adaptec RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2005-04-22 15:37]
R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 15:52]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-11-01 01:53]
S3 AC97AMD;Service for AC'97 Driver (WDM);C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 13:20]
S3 CtUsbMs;Creative HID USB Filter Driver;C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys [2005-10-26 18:30]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76fabefe-5cb2-11d9-b6e9-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 20:34:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\TEMP\FHE42B.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 20:41:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 00:41:49
Pre-Run: 23,593,074,688 bytes free
Post-Run: 28,737,142,784 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
180 --- E O F --- 2008-04-11 07:44:14
mkicon
Cadet
Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Sat May 10, 2008 12:45 am Post subject:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:55 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\TEMP\FHE42B.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Gnuf Casino - {8FE9B27A-BDCD-4d27-A430-4DC0B58D01B0} - C:\Program Files\Gnuf\Casino\casinogame.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Gnuf Poker - {A99C8F70-4D5B-482c-8854-05BC0BB8B182} - C:\Program Files\Gnuf\Poker\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B104D77-08CA-452A-B4EE-7C85DFC9511D}: NameServer = 192.168.0.1
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5819 bytes
I made a post for each log, if this is undesirable I'll consolidate all future posts.
Also, thank you for your time and effort, Larry.
Deacon10
1st Responder Premium Member
Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Mon May 12, 2008 4:17 am Post subject:
Hi mkicon,
It's fine to post more than one log in one post, and you are welcome.
Open Notepad (not WordPad). Highlight the text in the Code box below and copy and paste it to NotePad. Be sure to copy the entire contents of the code box and nothing more. Save the file to your desktop as CFScript.txt. To do this, in Notepad, click File–>Save As. In the pop up box, be sure that “Text Document (*.txt)” is selected in the “Save as type:” option.
Code:
File::
C:\WINDOWS\system32\ifgytihd.exe
C:\WINDOWS\system32\jbaxgjbk.exe
C:\WINDOWS\TEMP\FHE42B.EXE
Save this as CFScript.txt
Drag CFScript.txt onto ComboFix.exe
See how this is done: (image)
This will cause ComboFix to produce another log
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
Post back with:
New ComboFix.txt log
New HijackThis log
A description of how your system is running
_________________ Deacon10
"Hindsight explains the injury that foresight would have prevented"
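The CFScript in the post above names exactly the entries a reviewer picks out of these logs by hand: an executable running from C:\WINDOWS\TEMP, two freshly created 2,112-byte executables dropped directly into system32, and, elsewhere in the ComboFix output, an Internet Explorer start page that is not Microsoft's default and Security Center values that silence alerts or disable the firewall. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or Trend Micro; it applies those same cues as simple heuristics to log lines in the formats shown above. The temp-directory list, the microsoft.com default-host check, the 7-day recency window and the category names are assumptions of the example, not the helper's actual criteria. The sample inputs are constructed: most lines are copied from the thread's logs, and the `updater.exe` O4 entry under Local Settings\Temp is invented so the autorun check has something to hit.

```python
"""Added triage heuristics for HijackThis and ComboFix log lines (not the tools' code).
Every path check, host check and recency window is an assumption; hits are leads only."""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Directories a persistent process or autorun entry should rarely point into.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
# A drive-letter path inside a log line (stops at a quote or comma).
DRIVE_PATH = re.compile(r"[A-Za-z]:\\[^\",]+")
# R0/R1 lines: Internet Explorer start and search pages.
HJT_URL = re.compile(r"^R[01] - .*?(?:Page|URL) = (\S+)", re.I)
# ComboFix "Files Created" lines: created . modified size attributes path
CF_CREATED = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d \. \d{4}-\d{2}-\d{2} \d\d:\d\d ([\d,]+|<DIR>) \S+ (.+)$")
# Security Center and firewall values ComboFix prints under REGEDIT4.
CF_REG = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring|EnableFirewall)"\s*=\s*(?:dword:)?(\d+)')
SCAN_DATE = date(2008, 5, 9)  # scan date of the constructed ComboFix sample below


def in_temp(path):
    p = path.lower()
    return any(t in p for t in TEMP_DIRS)


def is_default_ie_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage_hijackthis(text):
    """Flag temp-directory executables and non-default IE start/search pages."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and DRIVE_PATH.match(line):
            if in_temp(line):
                findings.append(("process-from-temp", line))
            continue
        in_procs = False  # the first non-path line ends the process list
        m = HJT_URL.match(line)
        if m and not is_default_ie_host(m.group(1)):
            findings.append(("nondefault-ie-page", m.group(1)))
        elif line.startswith("O4 - "):
            p = DRIVE_PATH.search(line)
            if p and in_temp(p.group(0)):
                findings.append(("autorun-from-temp", p.group(0)))
    return findings


def triage_combofix(text, scan_date, window_days=7):
    """Flag fresh .exe/.dll files dropped directly into system32, and registry
    values that silence Security Center or switch the Windows firewall off."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = CF_CREATED.match(line)
        if m:
            created, size, path = date.fromisoformat(m.group(1)), m.group(2), m.group(3)
            parent, _, name = path.rpartition("\\")
            if (parent.lower() == "c:\\windows\\system32"
                    and name.lower().endswith((".exe", ".dll"))
                    and scan_date - created <= timedelta(days=window_days)):
                findings.append(("new-binary-in-system32", f"{path} ({size} bytes, {created})"))
            continue
        m = CF_REG.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            disabled = value == 0 if key == "EnableFirewall" else value == 1
            if disabled:
                findings.append(("security-center-override", f"{key}={value}"))
    return findings


# Constructed samples: lines copied from the thread's logs plus one invented
# O4 entry (the Local Settings\Temp path) so the autorun check has a hit.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\GJC3E1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Name\Local Settings\Temp\updater.exe
"""
SAMPLE_CF = r"""2008-05-09 14:59 . 2008-05-09 14:59 2,112 --a------ C:\WINDOWS\system32\ifgytihd.exe
2008-05-08 14:55 . 2008-05-08 14:55 2,112 --a------ C:\WINDOWS\system32\jbaxgjbk.exe
2008-04-28 20:17 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-11 20:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for category, detail in triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_CF, SCAN_DATE):
        print(f"{category:24} {detail}")
```

Run the file directly to print the findings for the constructed samples. Each hit is a lead, not a verdict: the `DisableMonitoring` and `AntiVirusOverride` values are routinely written by third-party security suites that report their own status, and a corporate firewall client may legitimately leave `EnableFirewall` at 0, so a reviewer corroborates every hit against the rest of the log before a file ends up in a CFScript, which is the judgement the helper's post above shows in practice.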
mkicon
Cadet
Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Wed May 14, 2008 9:40 pm Post subject:
I would just like to give you a heads-up that I've been busy the past couple of days, and I'll likely get to this scan later on this evening (likely past midnight EST).
I'm sorry if this inconveniences you in any way.
mkicon
Cadet
Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Thu May 15, 2008 7:18 am Post subject:
ComboFix 08-05-08.1 - Name 2008-05-15 2:50:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1618 [GMT -4:00]
Running from: C:\Documents and Settings\Name\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Name\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\ifgytihd.exe
C:\WINDOWS\system32\jbaxgjbk.exe
C:\WINDOWS\TEMP\FHE42B.EXE
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ifgytihd.exe
C:\WINDOWS\system32\jbaxgjbk.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.
2008-05-12 15:07 . 2008-05-12 15:07 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-12 15:06 . 2008-05-12 15:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-03 00:04 . 2008-05-03 00:04 <DIR> d-------- C:\VundoFix Backups
2008-04-29 13:44 . 2008-04-29 13:44 <DIR> d-------- C:\quarantine
2008-04-29 13:36 . 2008-05-15 02:20 12,759 --a------ C:\WINDOWS\cfgall.ini
2008-04-29 05:05 . 2008-04-29 05:05 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-28 20:17 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-28 20:16 . 2008-05-09 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 20:16 . 2008-04-28 20:16 21 --a------ C:\tmuninst.ini
2008-04-28 20:15 . 2008-04-28 20:15 <DIR> d-------- C:\Documents and Settings\Name\Application Data\InstallShield
2008-04-28 20:14 . 2008-04-28 20:17 <DIR> d-------- C:\Temp
2008-04-26 05:54 . 2008-04-26 05:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-26 05:54 . 2008-04-28 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 05:06 . 2008-05-09 15:49 109,718 --a------ C:\WINDOWS\BMe301d553.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 15:18 --------- d-----w C:\Documents and Settings\Name\Application Data\Microgaming
2008-05-13 21:46 --------- d-----w C:\Program Files\Burning Crusade Closed Beta
2008-04-29 00:16 --------- d-----w C:\Program Files\Symantec
2008-04-29 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-29 00:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 04:28 --------- d-----w C:\Program Files\Steam
2008-04-27 07:17 --------- d-----w C:\Program Files\mIRC
2008-04-12 21:57 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-11 08:17 --------- d-----w C:\Program Files\Java
2008-04-11 05:09 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-11 05:09 --------- d-----w C:\Program Files\Windows Live
2008-04-11 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\Name\Application Data\Yahoo!
2008-04-05 15:55 --------- d-----w C:\Program Files\Yahoo!
2008-04-01 04:03 --------- d-----w C:\Program Files\World of Warcraft
2008-03-27 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\MGS
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 06:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-05 06:04 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-09_20.41.38.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 00:33:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 04:58:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 19:08:01 25,214 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\ARPPRODUCTICON.exe
+ 2008-05-12 19:08:01 25,214 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\CPL_DTSC.exe
+ 2008-05-12 19:08:01 25,214 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\CPL_SC.exe
+ 2008-05-12 19:08:01 25,214 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\HCG_SC.exe
+ 2008-05-12 19:08:01 4,846 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\MouseUG.exe
+ 2008-05-12 19:08:01 29,926 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\NewShortcut1_6463554370E7436D8D6D4A721595029E.exe
+ 2008-05-12 19:08:01 29,926 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\NewShortcut2_6463554370E7436D8D6D4A721595029E.exe
+ 2008-05-12 19:08:01 65,536 ----a-r C:\WINDOWS\Installer\{8C5FAD77-F678-4758-A296-C12F08D179E0}\NewShortcut3_4748AC220AD3439FA5EECE4BB6C12AAC.exe
- 2006-11-08 04:28:12 22,784 ----a-w C:\WINDOWS\system32\drivers\point32.sys
+ 2007-08-21 08:12:59 21,760 ----a-w C:\WINDOWS\system32\drivers\point32.sys
+ 2007-08-31 18:58:18 18,856 -c--a-w C:\WINDOWS\system32\DRVSTORE\nuidfltr_E8F8C714821A786671DE95508EA821EFC993B9E1\NuidFltr.sys
+ 2007-08-31 19:01:27 1,421,736 -c--a-w C:\WINDOWS\system32\DRVSTORE\nuidfltr_E8F8C714821A786671DE95508EA821EFC993B9E1\wdfcoinstaller01005.dll
+ 2007-08-21 08:13:03 24,064 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnt32pk_B14517A010FFCFA2D7F73FBF37EC5E0C83C37769\point32k.sys
+ 2007-08-21 08:12:59 21,760 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnt32pw_3628C8B45C5ED7121207F0966284A33181948AB6\point32.sys
+ 2007-08-21 08:13:03 24,064 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnt32uk_D8ABC581DD7826E63C34865005655841F42B07B3\point32k.sys
+ 2007-08-21 08:12:59 21,760 -c--a-w C:\WINDOWS\system32\DRVSTORE\pnt32uw_760685142BE30506C264465948FA6BF3F83F6BA0\point32.sys
- 2008-04-09 16:30:06 90,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-12 21:53:21 91,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-05-15 19:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2006-10-05 08:31:10 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
+ 2004-08-04 03:58:34 23,040 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\mouclass.sys
+ 2001-08-17 18:48:00 12,160 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\mouhid.sys
+ 2007-08-21 08:12:59 21,760 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\point32.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 18:31 710000]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 15:01 1037736]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMe301d553]
C:\WINDOWS\system32\xxegminr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 10:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e032e6cf]
C:\WINDOWS\system32\vsiiersb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-15 21:15 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8736:TCP"= 8736:TCP:Trend Micro OfficeScan Listener
R0 aac;Adaptec RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2005-04-22 15:37]
R0 amdagpxp;AMD NB AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amdagpxp.sys [2001-12-11 15:52]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 AC97AMD;Service for AC'97 Driver (WDM);C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 13:20]
S3 CtUsbMs;Creative HID USB Filter Driver;C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys [2005-10-26 18:30]
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-11-01 01:53]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76fabefe-5cb2-11d9-b6e9-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 02:54:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-05-15 2:56:26
ComboFix-quarantined-files.txt 2008-05-15 06:55:43
ComboFix2.txt 2008-05-10 00:41:56
Pre-Run: 27,734,474,752 bytes free
Post-Run: 27,777,613,824 bytes free
169 --- E O F --- 2008-04-11 07:44:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:46 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Gnuf Casino - {8FE9B27A-BDCD-4d27-A430-4DC0B58D01B0} - C:\Program Files\Gnuf\Casino\casinogame.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Gnuf Poker - {A99C8F70-4D5B-482c-8854-05BC0BB8B182} - C:\Program Files\Gnuf\Poker\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B104D77-08CA-452A-B4EE-7C85DFC9511D}: NameServer = 192.168.0.1
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5822 bytes
Since the initial running of ComboFix the other day, I haven't had any of the recurring pop-ups or Mal_vundo pop-ups from Trend OfficeScan.
Deacon10
1st Responder Premium Member
 Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Fri May 16, 2008 11:19 am Post subject:
Hello mkicon,
There are also some files that I cannot identify, which may or may not be malware. We need to explore those files a little more.
Please go to VirusTotal: http://www.virustotal.com
or Jotti’s malware scan: http://virusscan.jotti.org
Upload the file or files listed below one at a time and post back with the results of each scan. There might be a short wait.
C:\WINDOWS\system32\vsiiersb.dll
C:\WINDOWS\cfgall.ini
C:\WINDOWS\DCEBoot.exe
_________________
Deacon10
"Hindsight explains the injury that foresight would have prevented"
mkicon
Cadet
 Joined: May 09, 2008 Posts: 6 Location: Canada
Posted: Sat May 17, 2008 12:10 am Post subject:
C:\WINDOWS\system32\vsiiersb.dll didn't exist when I went to upload it.
File cfgall.ini received on 05.17.2008 01:48:54 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
File DCEBoot.exe received on 05.17.2008 01:51:44 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Deacon10
1st Responder Premium Member
 Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Sun May 18, 2008 2:53 am Post subject:
Hello mkicon,
Please download the OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\vsiiersb.dll
C:\WINDOWS\cfgall.ini
C:\WINDOWS\DCEBoot.exe
- Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Next:
You have an outdated version of Java which, for security reasons, needs to be updated. To update Java:
- Download the latest version of Java Runtime Environment (JRE) 6u6 from
HERE
and save it to your Desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove ALL older versions of Java by checking any item, one at a time, with Java Runtime Environment (JRE or J2SE) in the name. It should have the coffee cup icon next to it.
- For each item that you check, click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove ALL of the Java versions.
- REBOOT your computer once ALL Java components are removed.
- Then from your Desktop, double-click on the newly-downloaded Java file to install the newest version.
Next:
Download Malwarebytes' Anti-Malware from HERE or from HERE
Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform full scan"; then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked and click Remove Selected.
- When disinfection is completed, a log will open in Notepad. You may be prompted to Restart (See Extra Note).
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please post back with:
OTMoveIt Log
MBAM Log
A new HiJackThis Log
A description of how your system is running
Deacon10
1st Responder Premium Member
 Joined: Aug 27, 2007 Posts: 877 Location: Florida
Posted: Fri May 23, 2008 11:16 pm Post subject:
Due to a lack of response ... I am marking this topic as "Done".
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17293