Morphling

  1. Really sorry for the triple post but I just updated to Service Pack 3. Now C:/WINDOWS/system32/svchost.exe is clean in the virscan.org report. My SpywareGuard alerted me for some BHO and I didn't know what it was so I removed it.

     NEW BHO DETECTION ALERT
     On 16:13:07 12/08/2008 a new BHO installation attempt was detected.
     BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045}
     ProgramID: n/a
     File Location: n/a
     User Action Taken: REMOVE BHO
  2. Sorry for the double post. By the way I think I reinfected myself when my small bro downloaded a file that makes BitTorrent run faster. I ran virscan.org with that file and it had many trojans. So I deleted it straight away. The Lavasoft support site wasn't working so I ran a MBAM scan and that seems to have fixed it. Here is the log:

     Malwarebytes' Anti-Malware 1.31
     Database version: 1472
     Windows 5.1.2600

     8/12/2008 1:42:29 PM
     mbam-log-2008-12-08 (13-42-29).txt

     Scan type: Quick Scan
     Objects scanned: 43849
     Time elapsed: 3 minute(s), 16 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 3
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 1
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9b71d88c-c598-4935-c5d1-43aa4db90836} (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     C:\Program Files\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.

     Files Infected:
     C:\Program Files\Bifrost\server.exe (Backdoor.Bifrose) -> Quarantined and deleted successfully.
  3. I seem to have reinfected myself, or maybe I never got rid of it, after a friendly member guided me in removing the malware. Here is the HijackThis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:51:48 AM, on 8/12/2008
     Platform: Windows XP (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 (6.00.2600.0000)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\csrss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\WgaTray.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\System32\ctfmon.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Messenger\msmsgs.exe
     C:\Program Files\SpywareGuard\sgmain.exe
     C:\Program Files\SpywareGuard\sgbhp.exe
     C:\WINDOWS\System32\alg.exe
     C:\Program Files\BitTorrent\BitTorrent.exe
     C:\WINDOWS\System32\taskmgr.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Windows Media Player\wmplayer.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
     O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
     O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

     --
     End of file - 2626 bytes

     Here is the Virscan.org report:

     VirSCAN.org Scanned Report :
     Scanned time : 2008/01/28 21:04:03 (EST)
     Scanner results: 6% Scanner(2/36) found malware!
     File Name : svchost.exe
     File Size : 12800 byte
     File Type : MS-DOS executable (EXE), OS/2 or MS Windows
     MD5 : 0f7d9c87b0ce1fa520473119752c6f79
     SHA1 : 1e1de0781b4d84120ad0f48599f89da95f26ad7a
     Online report : http://virscan.org/report/969cb4c5db1bcda6...07a02c792f.html

     Scanner        Engine Ver       Sig Ver            Sig Date     Time    Scan result
     a-squared      3.0.0.126        2008.01.27         2008-01-27   4.17    -
     AhnLab V3      2008.01.23.11    2008.01.23         2008-01-23   2.04    -
     AntiVir        7.6.0.56         7.0.2.54           2008-01-28   10.88   -
     Arcavir        1.0.4            200801271933       2008-01-27   8.73    -
     AVAST!         1.0.8            080127-1           2008-01-27   11.86   -
     AVG            7.5.51.442       269.19.13/1246     2008-01-27   10.63   -
     BitDefender    7.60825.977600   7.17182            2008-01-28   28.91   -
     CA (VET)       9.0.0.143        31.3.5486          2008-01-26   6.44    -
     ClamAV         0.92             5577               2008-01-28   1.10    -
     Comodo         2.11             2.0.0.417          2008-01-27   2.96    -
     CP Secure      1.1.0.695        2008.01.27         2008-01-27   45.66   -
     Dr.Web         4.44.0.9170      2008.01.28         2008-01-28   33.96   -
     ewido          4.0.0.2          2008.01.27         2008-01-27   4.66    -
     F-Prot         4.4.1.52         20080127           2008-01-27   12.78   -
     F-Secure       5.51.6100        2008.01.27.02      2008-01-27   21.40   -
     Fortinet       2.81-3.11        8.684              2008-01-28   2.92    -
     ViRobot        20080128         2008.01.28         2008-01-28   2.00    -
     Ikarus         T3.1.01.15       2008.01.28.70214   2008-01-28   2.54    -
     JiangMin       10.00.650        2008.01.28         2008-01-28   1.79    -
     Kaspersky      5.5.10           2008.01.28         2008-01-28   29.22   -
     KingSoft       2007.6.20.249    2008.1.28          2008-01-28   1.57    -
     McAfee         5.2.00           5216               2008-01-25   5.78    -
     mks_vir        2.01             2008.01.27         2008-01-27   13.01   -
     NOD32          2.70.10          2822               2008-01-25   0.00    -
     Norman         5.91.10          5.90               2008-01-23   23.81   -
     Panda          9.04.03.0001     2008.01.27         2008-01-27   4.62    -
     Trend Micro    8.500-1001       4.966.06           2008-01-28   0.11    -
     Prevx          V2               20080128           2008-01-28   3.53    TROJAN.DOWNLOADER.GEN
     Quick Heal     9.00             2008.01.25         2008-01-25   3.57    -
     Rising         19.0             20.28.62.00        2008-01-27   2.58    -
     Sophos         2.53.1           4.25               2008-01-24   20.80   -
     Symantec       1.3.0.24         20080127.003       2008-01-27   0.23    -
     nProtect       2008-01-28.00    1153795            2008-01-28   6.96    -
     The Hacker     6.2.9            v00200             2008-01-27   2.44    Trojan/Patched.bh
     VBA32          3.12.2.5         20080127.2339      2008-01-27   6.74    -
     VirusBuster    4.3.19:9         9.120.12/11.0      2008-01-27   8.73    -
  4. Done uninstalling all Combofix and done OTCleanIT. Thanks once again for the help. New Captain (Fabregas) means Premiership is ours. You can close the thread if you want.
  5. Yeah. I think it was hard to get rid of it before because I kept reinfecting my computer with my infected USB.

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:01:52 AM, on 28/11/2008
     Platform: Windows XP (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 (6.00.2600.0000)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\WgaTray.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\System32\ctfmon.exe
     C:\Program Files\SpywareGuard\sgmain.exe
     C:\Program Files\BitTorrent\BitTorrent.exe
     C:\Program Files\SpywareGuard\sgbhp.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
     O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
     O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
     O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

     --
     End of file - 2594 bytes
  6. I can't do an online Kaspersky scan because for Java runtime to work I need Windows XP SP1 but I only have Version 2002. Since my net is capped (Brother downloaded so many movies, =.="), downloading the new Service Pack will take forever (like literally). I'll scan with Kaspersky once I'm uncapped (8th December). There doesn't seem to be any problems though.
  7. Oh. Didn't know I was meant to do a Kaspersky scan. Will do it now. My net is uncapped on 8th of December so Virscan.org uploading still says "Est speed : 0 KBs" and "Est. Time Left : 16+ hours". I think the svchost.exe CPU usage is high when Windows Update is running.
  8. There seems to be no signs of infections. Only two problems though:
     1. svchost.exe (NETWORK SERVICE) takes 90%+ CPU usage. I am forced to end the process and then my computer works perfectly fine.
     2. A couple of hours after opening SpywareGuard, it disappears from my tray but sgbhp.exe and sgmain still run in my Task Manager.
     Thanks again for all the help.
  9. Malwarebytes' Anti-Malware 1.30
     Database version: 1421
     Windows 5.1.2600

     25/11/2008 1:09:56 PM
     mbam-log-2008-11-25 (13-09-56).txt

     Scan type: Quick Scan
     Objects scanned: 42724
     Time elapsed: 3 minute(s), 16 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  10. ComboFix 08-11-23.02 - Mahamed 2008-11-25 12:36:22.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.218 [GMT 11:00]
     Running from: c:\documents and settings\Mahamed\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Mahamed\Desktop\CFScript.txt
     * Created a new restore point

     FILE ::
     c:\documents and settings\Mahamed\drwvas.exe
     c:\documents and settings\Mahamed\S87ekhV.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Mahamed\drwvas.exe
     c:\documents and settings\Mahamed\S87ekhV.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_hpt3xx

     ((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
     .
     2008-11-25 11:40 . 2008-11-25 11:40 <DIR> d-------- c:\windows\ERUNT
     2008-11-25 11:39 . 2008-11-25 12:08 <DIR> d-------- C:\SDFix
     2008-11-25 11:39 . 2008-11-25 11:39 <DIR> d-------- c:\documents and settings\Administrator
     2008-11-25 08:43 . 2008-11-25 08:43 <DIR> d---s---- c:\windows\system32\config\systemprofile\UserData
     2008-11-24 18:51 . 2008-11-24 21:00 <DIR> d-------- c:\program files\SpywareBlaster
     2008-11-24 18:51 . 2008-11-24 19:08 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
     2008-11-24 16:57 . 2008-11-24 16:57 <DIR> d-------- c:\windows\system32\bits
     2008-11-24 16:56 . 2004-07-02 09:08 361,984 --a--c--- c:\windows\system32\dllcache\qmgr.dll
     2008-11-24 16:56 . 2004-07-02 09:08 331,776 --a------ c:\windows\system32\winhttp.dll
     2008-11-24 16:56 . 2004-07-01 10:59 158,720 --------- c:\windows\system32\xpob2res.dll
     2008-11-24 16:56 . 2004-07-02 09:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
     2008-11-24 16:56 . 2004-07-02 09:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,680 -----c--- c:\windows\system32\dllcache\bitsprx2.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,680 --------- c:\windows\system32\bitsprx2.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,168 -----c--- c:\windows\system32\dllcache\bitsprx3.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,168 --------- c:\windows\system32\bitsprx3.dll
     2008-11-24 16:44 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
     2008-11-24 16:44 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
     2008-11-24 16:44 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
     2008-11-24 16:44 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll
     2008-11-24 16:44 . 2004-08-03 14:03 186,136 --a------ c:\windows\system32\wuaueng1.dll
     2008-11-24 16:44 . 2004-08-03 14:01 167,704 --a------ c:\windows\system32\wuauclt1.exe
     2008-11-24 16:44 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
     2008-11-24 14:01 . 2008-11-24 14:01 <DIR> d-------- c:\program files\Gmer
     2008-11-24 14:01 . 2008-11-24 14:20 250 --a------ c:\windows\gmer.ini
     2008-11-23 21:48 . 2008-11-23 21:48 <DIR> d-------- c:\documents and settings\Mahamed\Application Data\Microsoft Web Folders
     2008-11-23 16:26 . 2008-11-23 16:26 <DIR> d-------- c:\documents and settings\Mahamed\Application Data\Malwarebytes
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-11-25 00:28 12,800 ----a-w c:\windows\system32\svchost.exe
     2008-11-23 10:47 --------- d-----w c:\program files\microsoft frontpage
     2008-11-23 05:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2008-11-23 05:25 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2008-11-23 05:22 --------- d-----w c:\program files\Trend Micro
     2008-11-23 04:40 --------- d-----w c:\program files\DIFX
     2008-11-23 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
     2008-10-22 05:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2008-10-22 05:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
     2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
     2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
     2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
     .
     ((((((((((((((((((((((((((((( [email protected]_12.24.33.68 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2005-10-20 09:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2001-10-04 13312]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-04 13312]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-03-22 65588]
     .
     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-11-25 12:39:30
     Windows 5.1.2600 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(608)
     c:\windows\system32\ODBC32.dll
     c:\windows\System32\rsaenh.dll

     - - - - - - - > 'lsass.exe'(668)
     c:\windows\System32\rsaenh.dll
     c:\windows\System32\dssenh.dll
     .
     Completion time: 2008-11-25 12:40:59 - machine was rebooted
     ComboFix-quarantined-files.txt 2008-11-25 01:40:51
     ComboFix2.txt 2008-11-25 01:25:21

     Pre-Run: 75,417,096,192 bytes free
     Post-Run: 75,378,163,712 bytes free

     104 --- E O F --- 2008-11-24 05:57:48
  11. My net is still capped so the uploading is going at 0 Kbps and est. time left is 12 hours and going up. Should I just go onto the MBAM scan?
  12. ComboFix 08-11-23.02 - Mahamed 2008-11-25 12:22:26.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.221 [GMT 11:00]
     Running from: c:\documents and settings\Mahamed\Desktop\ComboFix.exe
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\wiaserviv.log
     .
     ((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
     .
     2008-11-25 11:40 . 2008-11-25 11:40 <DIR> d-------- c:\windows\ERUNT
     2008-11-25 11:39 . 2008-11-25 12:08 <DIR> d-------- C:\SDFix
     2008-11-25 11:39 . 2008-11-25 11:39 <DIR> d-------- c:\documents and settings\Administrator
     2008-11-25 08:43 . 2008-11-25 08:43 <DIR> d---s---- c:\windows\system32\config\systemprofile\UserData
     2008-11-24 18:51 . 2008-11-24 21:00 <DIR> d-------- c:\program files\SpywareBlaster
     2008-11-24 18:51 . 2008-11-24 19:08 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
     2008-11-24 16:57 . 2008-11-24 16:57 <DIR> d-------- c:\windows\system32\bits
     2008-11-24 16:56 . 2004-07-02 09:08 361,984 --a--c--- c:\windows\system32\dllcache\qmgr.dll
     2008-11-24 16:56 . 2004-07-02 09:08 331,776 --a------ c:\windows\system32\winhttp.dll
     2008-11-24 16:56 . 2004-07-01 10:59 158,720 --------- c:\windows\system32\xpob2res.dll
     2008-11-24 16:56 . 2004-07-02 09:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
     2008-11-24 16:56 . 2004-07-02 09:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,680 -----c--- c:\windows\system32\dllcache\bitsprx2.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,680 --------- c:\windows\system32\bitsprx2.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,168 -----c--- c:\windows\system32\dllcache\bitsprx3.dll
     2008-11-24 16:56 . 2004-07-02 09:08 7,168 --------- c:\windows\system32\bitsprx3.dll
     2008-11-24 16:44 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
     2008-11-24 16:44 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
     2008-11-24 16:44 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
     2008-11-24 16:44 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll
     2008-11-24 16:44 . 2004-08-03 14:03 186,136 --a------ c:\windows\system32\wuaueng1.dll
     2008-11-24 16:44 . 2004-08-03 14:01 167,704 --a------ c:\windows\system32\wuauclt1.exe
     2008-11-24 16:44 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
     2008-11-24 14:01 . 2008-11-24 14:01 <DIR> d-------- c:\program files\Gmer
     2008-11-24 14:01 . 2008-11-24 14:20 250 --a------ c:\windows\gmer.ini
     2008-11-23 21:48 . 2008-11-23 21:48 <DIR> d-------- c:\documents and settings\Mahamed\Application Data\Microsoft Web Folders
     2008-11-23 18:05 . 2008-11-23 18:05 75,039 --a------ c:\documents and settings\Mahamed\S87ekhV.exe
     2008-11-23 18:05 . 2008-11-23 18:05 12,800 --a------ c:\documents and settings\Mahamed\drwvas.exe
     2008-11-23 16:26 . 2008-11-23 16:26 <DIR> d-------- c:\documents and settings\Mahamed\Application Data\Malwarebytes
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-11-25 00:28 12,800 ----a-w c:\windows\system32\svchost.exe
     2008-11-23 10:47 --------- d-----w c:\program files\microsoft frontpage
     2008-11-23 05:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2008-11-23 05:25 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2008-11-23 05:22 --------- d-----w c:\program files\Trend Micro
     2008-11-23 04:40 --------- d-----w c:\program files\DIFX
     2008-11-23 04:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
     2008-10-22 05:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2008-10-22 05:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
     2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
     2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
     2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2001-10-04 13312]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-04 13312]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-03-22 65588]

     S4 hpt3xx;hpt3xx; []

     *Newly Created Service* - ALG
     *Newly Created Service* - IPNAT
     *Newly Created Service* - PROCEXP90
     *Newly Created Service* - SHAREDACCESS
     .
     - - - - ORPHANS REMOVED - - - -

     Notify-nharyqcj - nharyqcj32.dll
     SafeBoot-Winxe83.sys
     .
     ------- Supplementary Scan -------
     .
     FireFox -: Profile - c:\documents and settings\Mahamed\Application Data\Mozilla\Firefox\Profiles\yf1jfh2e.default\
     .
     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-11-25 12:24:10
     Windows 5.1.2600 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(604)
     c:\windows\system32\ODBC32.dll
     c:\windows\System32\rsaenh.dll

     - - - - - - - > 'lsass.exe'(660)
     c:\windows\System32\rsaenh.dll
     c:\windows\System32\dssenh.dll
     .
     Completion time: 2008-11-25 12:25:19
     ComboFix-quarantined-files.txt 2008-11-25 01:25:16

     Pre-Run: 75,436,298,240 bytes free
     Post-Run: 75,428,724,736 bytes free

     WinXP_EN_PRO_BF.EXE
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

     113 --- E O F --- 2008-11-24 05:57:48
  13. Sorry for not reading your steps properly. I ran SDFix in Administrator instead of my usual account. Am going to scan again in normal account. Here is the report in Administrator account. Sorry once again.

     SDFix: Version 1.240
     Run by Administrator on Tue 25/11/2008 at 11:42 AM

     Microsoft Windows XP [Version 5.1.2600]
     Running From: C:\SDFix

     Checking Services :

     Rootkit Found :
     C:\WINDOWS\system32\drivers\ATI1QVXX.sys - Rootkit Pandex/Cutwail - Protect.sys

     Name :
     FCI
     ICF
     ATI1QVXX

     Path :
     C:\WINDOWS\System32\svchost.exe:ext.exe
     C:\WINDOWS\System32\svchost.exe:ext.exe
     System32\Drivers\ati1qvxx.sys

     FCI - Deleted
     ICF - Deleted
     ATI1QVXX - Deleted

     Restoring Default Security Values
     Restoring Default Hosts File

     Rebooting

     Service FCI - Deleted after Reboot
     Service ICF - Deleted after Reboot
     Service ATI1QVXX - Deleted after Reboot

     Checking Files :

     Trojan Files Found:
     C:\WINDOWS\system32\NHARYQCJ.dll - Deleted
     C:\WINDOWS\system32\NHARYQ~1.dll - Deleted
     C:\WINDOWS\wiaservv.log - Deleted
     C:\WINDOWS\system32\drivers\ATI1QVXX.sys - Deleted

     Removing Temp Files

     ADS Check :

     C:\WINDOWS\system32\svchost.exe : ADS Found!
     svchost.exe: deleted 25600 bytes in 1 streams.

     Checking for remaining Streams
     C:\WINDOWS\system32\svchost.exe
     No streams found.

     Final Check :

     catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-11-25 11:51:24
     Windows 5.1.2600 NTFS

     scanning hidden processes ...

     scanning hidden services & system hive ...

     scanning hidden registry entries ...

     scanning hidden files ...

     C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\backup\svchost.exe:ext.exe 25088 bytes executable

     scan completed successfully
     hidden processes: 0
     hidden services: 0
     hidden files: 1

     Remaining Services :
     ATI1QVXX

     Authorized Application Key Export:

     Remaining Files :

     File Backups: - C:\SDFix\backups\backups.zip

     Files with Hidden Attributes :

     Tue 25 Nov 2008 120,590,081 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\download\BIT15.tmp"

     Finished!
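The SDFix log in the post above shows the rootkit's services pointing their image path at an alternate data stream on svchost.exe (svchost.exe:ext.exe), and the earlier HijackThis logs flag a BHO whose file is missing. As an added example (not from this thread and not code from SDFix, HijackThis or ComboFix), here is a small Python triage over HijackThis-style O2/O4/O23 lines that flags those two conditions plus executables living under a user profile. The first four sample lines are copied from the logs above; the O23 line for ATI1QVXX and the O4 line for drwvas.exe are constructed in HijackThis form from the SDFix service path and the file ComboFix deleted.

```python
import re
from typing import Dict, List

FILE_MISSING = "(file missing)"

# Constructed sample of HijackThis lines. The first four are copied from the logs in
# the posts above; the last two are constructed in HijackThis form from the SDFix
# service path (svchost.exe:ext.exe) and the drwvas.exe file that ComboFix deleted.
SAMPLE_LINES = [
    r"O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
    r"O23 - Service: ATI1QVXX (ATI1QVXX) - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe",
    r"O4 - HKCU\..\Run: [drwvas] C:\Documents and Settings\Mahamed\drwvas.exe",
]


def extract_path(line: str) -> str:
    """Return the DLL/EXE path named by an O2, O4 or O23 line ('' for other kinds)."""
    kind = line.split(" - ", 1)[0]
    if kind == "O4":
        if "] " not in line:
            return ""
        rest = line.split("] ", 1)[1]
        if rest.startswith('"'):                # quoted path, maybe followed by switches
            return rest[1:].split('"', 1)[0]
        return rest.split(" /", 1)[0].strip()   # unquoted path; drop trailing switches
    if kind in ("O2", "O23"):
        tail = line.rsplit(" - ", 1)[1]         # the path is always the last " - " field
        return tail.replace(FILE_MISSING, "").strip()
    return ""


def has_alternate_data_stream(path: str) -> bool:
    """True if the NTFS path names a stream: any ':' after the drive letter."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Flag autorun/service entries that deserve a closer look, with the reasons."""
    findings = []
    for line in lines:
        path = extract_path(line)
        if not path:
            continue
        reasons = []
        if has_alternate_data_stream(path):
            reasons.append("image path is an alternate data stream")
        if FILE_MISSING in line:
            reasons.append("entry registered but file missing")
        low = path.lower()
        if low.startswith("c:\\documents and settings\\") or "\\temp\\" in low:
            reasons.append("executable under a user profile or temp directory")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```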
  14. I think I got the infection while removing the virus from the USBs. Going to do SDFix now.