ingez

Infected by Virtumonde and other MRUs - please HELP


IE pages are redirected, etc. Keep running NAV, Ad-Aware (latest version), Spybot - they clean up the mess, but malware keeps popping up again and again...

Also removed the old version of Java and reinstalled the latest one.

 

Log file is below.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:55 PM, on 11/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\Fonts\svchost.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [1067cd81] rundll32.exe "C:\WINDOWS\system32\jtmhhhqo.dll",b

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwoc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/CoreportSsoClient.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 8730 bytes

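The two entries a helper would pick out of the log above (a second svchost.exe running from C:\WINDOWS\Fonts, and an HKLM Run value named with eight hex digits that loads a random-named DLL through rundll32.exe) can be checked mechanically. This is an added example, not part of the thread: a small Python triage of HijackThis "Running processes", O3 and O4 lines, with sample lines copied from the log; the heuristics and the SYSTEM_ONLY list are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis log for the indicators seen in this thread.

Heuristics (assumptions of this example, not HijackThis rules):
  1. a core Windows process name (svchost.exe, winlogon.exe, ...) started from
     anywhere but the system32 directory is a masquerade;
  2. an HKLM/HKCU Run value named with eight hex digits that loads a DLL via
     rundll32.exe is an auto-generated persistence entry;
  3. an O3/O9 toolbar or button showing "(no name)" and "(no file)" is an orphan.
"""
import re
from typing import List, Optional, Tuple

# Binaries that legitimately run only from the system directory on Windows XP.
SYSTEM_ONLY = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
               "smss.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

RUN_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
ORPHAN_LINE = re.compile(r"^O[39] - .*\(no name\).*\(no file\)\s*$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

Finding = Tuple[str, str]  # (offending log line, reason)


def first_path(cmd: str) -> str:
    """Executable at the front of a Run command (quoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def masquerade_reason(path: str) -> Optional[str]:
    """Reason string if `path` is a system-only binary name outside system32."""
    lowered = path.lower()
    base = lowered.rsplit("\\", 1)[-1]
    if base in SYSTEM_ONLY and not lowered.startswith(SYSTEM_DIR):
        return f"{base} running from non-system path {path}"
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Apply the three heuristics to raw HijackThis lines; return what was flagged."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        if PROCESS_LINE.match(line):  # entries of the "Running processes:" block
            reason = masquerade_reason(line)
            if reason:
                findings.append((line, reason))
            continue
        if ORPHAN_LINE.match(line):
            findings.append((line, "orphaned toolbar/button entry with no file"))
            continue
        run = RUN_LINE.match(line)
        if not run:
            continue
        _hive, name, cmd = run.groups()
        exe = first_path(cmd)
        reason = masquerade_reason(exe)
        if reason:
            findings.append((line, reason))
        if exe.lower().endswith("rundll32.exe") and HEX_NAME.match(name):
            dlls = re.findall(r'"([^"]+)"', cmd) or cmd.split()[1:2]
            target = dlls[0] if dlls else "<unknown>"
            findings.append((line, f"hex-named Run value [{name}] loads {target} via rundll32"))
    return findings


# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [1067cd81] rundll32.exe "C:\WINDOWS\system32\jtmhhhqo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for bad_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {bad_line}")
```

The legitimate Symantec, Java and ctfmon entries pass through untouched, while both svchost.exe copies outside system32, the orphaned toolbar and the hex-named rundll32 entry are reported.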

Hi,

 

* Download ComboFix from here.

**Save it to your desktop**

 

In case you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

 

In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use it, please disable your scanner and redownload ComboFix, because some scanners may see some ComboFix-related components as suspicious and block or delete them even though there is nothing wrong with them.

 

* Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

 

When finished and after the reboot (in case it rebooted), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


1) HERE IS THE NEW Hijack file:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:22:27 PM, on 11/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\Fonts\svchost.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [1067cd81] rundll32.exe "C:\WINDOWS\system32\uekhubyt.dll",b

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwoc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/CoreportSsoClient.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 8686 bytes

 

 

HERE IS THE COMBOFIX.txt FILE:

 

ComboFix 07-11-08.1 - Inna Zatulovsky 2007-11-13 15:37:04.1 - NTFSx86

Running from: C:\Documents and Settings\Inna Zatulovsky\Desktop\My Downloads\ComboFix.exe

* Created a new restore point

.

 

Unable to gain System Privileges

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

c:\documents and settings\inna zatulovsky\favorites\Online Security Guide.lnk

C:\WINDOWS\cookies.ini

C:\WINDOWS\mrofinu1188.exe

C:\WINDOWS\system32\drivers\fad.sys

C:\WINDOWS\system32\pac.txt

C:\WINDOWS\SYSTEM32\qpqss.bak1

C:\WINDOWS\SYSTEM32\qpqss.bak2

C:\WINDOWS\SYSTEM32\qpqss.ini

C:\WINDOWS\SYSTEM32\qpqss.ini2

C:\WINDOWS\SYSTEM32\qpqss.tmp

C:\WINDOWS\system32\ssqpq.dll

C:\WINDOWS\SYSTEM32\stvwa.bak1

C:\WINDOWS\SYSTEM32\stvwa.bak2

C:\WINDOWS\SYSTEM32\stvwa.ini

C:\WINDOWS\SYSTEM32\stvwa.ini2

C:\WINDOWS\SYSTEM32\stvwa.tmp

C:\z.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))

.

 

2007-11-13 15:33 115,208 --a------ C:\WINDOWS\SYSTEM32\xvuwrgja.dll

2007-11-13 15:31 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-12 23:45 80,448 --a------ C:\WINDOWS\SYSTEM32\jkeogwpx.dll

2007-11-12 23:42 88,128 --a------ C:\WINDOWS\SYSTEM32\uekhubyt.dll

2007-11-12 19:45 <DIR> d-------- C:\Program Files\Trend Micro

2007-11-12 18:46 <DIR> d-------- C:\VundoFix Backups

2007-11-12 18:16 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-12 09:43 36,352 --a------ C:\WINDOWS\SYSTEM32\pmnklif.dll

2007-11-11 23:42 81,472 --a------ C:\WINDOWS\SYSTEM32\lvupxqcc.dll

2007-11-10 11:48 <DIR> d-------- C:\Program Files\Lavasoft

2007-11-10 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-10 11:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-10 11:31 36,352 --a------ C:\WINDOWS\SYSTEM32\gebyxur.dll

2007-11-09 23:03 81,472 --a------ C:\WINDOWS\SYSTEM32\jydtkaea.dll

2007-11-09 08:35 77,888 --a------ C:\WINDOWS\SYSTEM32\xclqbllv.dll

2007-11-09 08:27 35,328 --a------ C:\WINDOWS\SYSTEM32\ddcaxuu.dll

2007-11-08 23:03 77,888 --a------ C:\WINDOWS\SYSTEM32\imwsciin.dll

2007-11-08 22:51 437,872 --a------ C:\Documents and Settings\Inna Zatulovsky\z.dat

2007-11-08 22:51 35,328 --a------ C:\WINDOWS\SYSTEM32\xxyxxxw.dll

2007-11-08 22:51 17,523 --a------ C:\Documents and Settings\Inna Zatulovsky\x.dat

2007-11-08 22:51 0 --a------ C:\x.dat

2007-11-08 22:50 172,032 --a------ C:\winlogon.exe

2007-11-08 10:35 80,448 --a------ C:\WINDOWS\SYSTEM32\nblcjngk.dll

2007-11-07 16:32 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-11-07 16:10 35,328 --a------ C:\WINDOWS\SYSTEM32\iifccde.dll

2007-11-06 22:28 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll

2007-11-06 22:26 134 --a------ C:\n.bat

2007-11-06 22:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz18r

2007-11-06 22:25 <DIR> d-------- C:\Temp\mZOr

2007-11-06 22:25 35,328 --a------ C:\WINDOWS\SYSTEM32\awtqoli.dll

2007-11-06 22:25 0 --a------ C:\z.dat

2007-11-06 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-04 23:43 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Shared

2007-11-04 23:42 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Incomplete

2007-11-04 23:42 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Application Data\LimeWire

2007-11-04 23:39 <DIR> d-------- C:\Program Files\LimeWire

2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll

2007-10-30 19:55 242,056 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll

2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys

2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys

2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys

2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys

2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys

2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys

2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-13 23:56 --------- d-----w C:\Program Files\Plaxo

2007-11-13 02:18 --------- d-----w C:\Program Files\Java

2007-11-10 21:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-11-10 21:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-11-10 21:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-11-10 21:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-11-10 21:15 --------- d-----w C:\Program Files\Symantec

2007-11-10 03:27 --------- d-----w C:\Documents and Settings\Inna Zatulovsky\Application Data\AdobeUM

2007-11-08 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-07 06:28 278,534 ----a-w C:\WINDOWS\Fonts\Setup.exe

2007-11-07 06:23 278,533 --sh--w C:\WINDOWS\Fonts\svchost.exe

2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat

2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf

2007-09-23 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-09-23 15:39 --------- d-----w C:\Program Files\Norton AntiVirus

2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat

2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat

2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat

2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf

2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf

2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf

2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys

2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys

2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys

2007-09-16 01:46 --------- d-----w C:\Program Files\Windows Installer Clean Up

2007-09-16 01:45 --------- d-----w C:\Program Files\MSECACHE

2007-09-16 00:04 --------- d-----w C:\Documents and Settings\Inna Zatulovsky\Application Data\Skype

2006-05-12 05:16 150,912 ----a-w C:\Documents and Settings\Inna Zatulovsky\Application Data\GDIPFONTCACHEV1.DAT

2004-01-08 05:17 11,401 ----a-w C:\Program Files\GAL2SET.LOG

2004-01-05 04:38 498 ----a-w C:\Program Files\FTW.ini

2004-01-05 04:28 29,364 ----a-w C:\Program Files\Uninst.isu

2001-10-30 17:00 94,179 ----a-w C:\Program Files\FF_TIPS.HLP

2001-10-30 17:00 90,112 ----a-w C:\Program Files\Ftwbub32.dll

2001-10-30 17:00 803,680 ----a-w C:\Program Files\AXDIST.EXE

2001-10-30 17:00 77,824 ----a-w C:\Program Files\lffax10N.dll

2001-10-30 17:00 74,240 ----a-w C:\Program Files\infolink.dll

2001-10-30 17:00 690,472 ----a-w C:\Program Files\FTW32.HLP

2001-10-30 17:00 69,632 ----a-w C:\Program Files\Imaging.dll

2001-10-30 17:00 653,100 ----a-w C:\Program Files\MAPLOCS.HLP

2001-10-30 17:00 61,440 ----a-w C:\Program Files\aqueduct.dll

2001-10-30 17:00 58,368 ----a-w C:\Program Files\lfwmf10N.dll

2001-10-30 17:00 57,344 ----a-w C:\Program Files\pgcntl32.dll

2001-10-30 17:00 57,344 ----a-w C:\Program Files\Ftosub.exe

2001-10-30 17:00 56,320 ----a-w C:\Program Files\lfpsd10N.dll

2001-10-30 17:00 507,904 ----a-w C:\Program Files\Ftwstr32.dll

2001-10-30 17:00 5,832,704 ----a-w C:\Program Files\Ftw.exe

2001-10-30 17:00 5,619,712 ----a-w C:\Program Files\Ftwbmp32.dll

2001-10-30 17:00 48,640 ----a-w C:\Program Files\launch32.dll

2001-10-30 17:00 48,640 ----a-w C:\Program Files\INETWH32.dll

2001-10-30 17:00 45,900 ----a-w C:\Program Files\LINCOLN.BMP

2001-10-30 17:00 435,200 ----a-w C:\Program Files\ftwsys.bin

2001-10-30 17:00 4,532,896 ----a-w C:\Program Files\GENEHP32.HLP

2001-10-30 17:00 38,912 ----a-w C:\Program Files\FTOINST.EXE

2001-10-30 17:00 36,864 ----a-w C:\Program Files\FtwTlbr.dll

2001-10-30 17:00 35,840 ----a-w C:\Program Files\lttwn10N.dll

2001-10-30 17:00 35,840 ----a-w C:\Program Files\lflma10N.dll

2001-10-30 17:00 34,304 ----a-w C:\Program Files\lfbmp10N.dll

2001-10-30 17:00 338,944 ----a-w C:\Program Files\lffpx7.dll

2001-10-30 17:00 337 ----a-w C:\Program Files\Readme32.cnt

2001-10-30 17:00 331,776 ----a-w C:\Program Files\pg30.dll

2001-10-30 17:00 33,280 ----a-w C:\Program Files\lfpcx10N.dll

2001-10-30 17:00 32,768 ----a-w C:\Program Files\Ftwmsc32.dll

2001-10-30 17:00 31,744 ----a-w C:\Program Files\lflmb10N.dll

2001-10-30 17:00 297,472 ----a-w C:\Program Files\ltkrn10N.dll

2001-10-30 17:00 28,672 ----a-w C:\Program Files\Ftwskc32.dll

2001-10-30 17:00 28,672 ----a-w C:\Program Files\Ftwsk32.dll

2001-10-30 17:00 274,432 ----a-w C:\Program Files\KinRes.dll

2001-10-30 17:00 27,136 ----a-w C:\Program Files\lfimg10N.dll

2001-10-30 17:00 266,752 ----a-w C:\Program Files\LFCMP10N.DLL

2001-10-30 17:00 26,112 ----a-w C:\Program Files\lfpcd10N.dll

2001-10-30 17:00 25,744 ----a-w C:\Program Files\Ftw32.cnt

2001-10-30 17:00 245,760 ----a-w C:\Program Files\ftwwrp32.dll

2001-10-30 17:00 231,424 ----a-w C:\Program Files\LTDIS10N.dll

2001-10-30 17:00 23,981 ----a-w C:\Program Files\README32.HLP

2001-10-30 17:00 23,120 ----a-w C:\Program Files\pkwdcl.dll

2001-10-30 17:00 212,480 ----a-w C:\Program Files\PCDLIB32.DLL

2001-10-30 17:00 196,608 ----a-w C:\Program Files\TextEditor.dll

2001-10-30 17:00 17,920 ----a-w C:\Program Files\implode.dll

2001-10-30 17:00 158,560 ----a-w C:\Program Files\APRXDIST.EXE

2001-10-30 17:00 150,528 ----a-w C:\Program Files\ssce5132.dll

2001-10-30 17:00 131 ----a-w C:\Program Files\prd.bin

2001-10-30 17:00 122,880 ----a-w C:\Program Files\LFKODAK.DLL

2001-10-30 17:00 122,368 ----a-w C:\Program Files\lftif10N.dll

2001-10-30 17:00 114,176 ----a-w C:\Program Files\ltimg10N.dll

2001-10-30 17:00 11,120 ----a-w C:\Program Files\License.txt

2001-10-30 17:00 11,120 ----a-w C:\Program Files\license.doc

2001-10-30 17:00 103,424 ----a-w C:\Program Files\ltfil10N.DLL

2001-10-30 17:00 100,352 ----a-w C:\Program Files\lffpx10N.dll

2001-10-30 17:00 10,432 ----a-w C:\Program Files\winsock.aol

2001-10-30 17:00 1,445,888 ----a-w C:\Program Files\ftwmfc.dll

1995-11-10 08:00 5,813 ----a-w C:\Program Files\README.TXT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]

2007-11-06 22:25 35328 --a------ C:\WINDOWS\system32\awtqoli.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78DCEF3E-192D-4AD0-848D-A0FD600A2E6E}]

2007-11-13 16:01 313440 --a------ C:\WINDOWS\system32\vturs.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f15994d4-5185-4b60-8c4f-e29411759fcc}]

2007-11-12 23:45 80448 --a------ C:\WINDOWS\system32\jkeogwpx.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 23:04]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]

"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-06 22:23]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"1067cd81"="C:\WINDOWS\system32\uekhubyt.dll" [2007-11-12 23:42]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 12:42]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 18:05]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\awtqoli.dll [2007-11-06 22:25 35328]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqoli]

awtqoli.dll 2007-11-06 22:25 35328 C:\WINDOWS\SYSTEM32\awtqoli.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturs.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk

backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Inna Zatulovsky^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=C:\Documents and Settings\Inna Zatulovsky\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Inna Zatulovsky^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=C:\Documents and Settings\Inna Zatulovsky\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1067cd81]

rundll32.exe "C:\WINDOWS\system32\uygjjupq.dll",b

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

"C:\Program Files\DellSupport\DSAgnt.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Dell\Media Experience\PCMService.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]

C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1

 

 

.

Contents of the 'Scheduled Tasks' folder

"2007-11-12 15:36:31 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Inna Zatulovsky.job"

- C:\Program Files\Norton AntiVirus\Navw32.exe

.

**************************************************************************

 

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-13 15:57:42

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\system32\srutv.ini 317 bytes

C:\WINDOWS\system32\srutv.ini2 317 bytes

C:\WINDOWS\system32\vturs.dll 313440 bytes executable

 

scan completed successfully

hidden files: 3

 

**************************************************************************

.

Completion time: 2007-11-13 16:06:08 - machine was rebooted

.

--- E O F ---

 

 

 

 

 

 

 

Hi,

 

* Download ComboFix from here.

**Save it to your desktop**

 

In case you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

 

In case your antivirus or any other real-time scanner displays an alert after you download ComboFix or while you use it, please disable your scanner and download ComboFix again, because some scanners may see some ComboFix-related components as suspicious and block or delete them, while there's nothing wrong with them.

 

* Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

 

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Hi,

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

 

File::

C:\WINDOWS\system32\srutv.ini

C:\WINDOWS\system32\srutv.ini2

C:\WINDOWS\system32\vturs.dll

C:\WINDOWS\system32\uygjjupq.dll

C:\WINDOWS\Fonts\Setup.exe

C:\WINDOWS\Fonts\svchost.exe

C:\WINDOWS\SYSTEM32\awtqoli.dll

C:\z.dat

C:\WINDOWS\SYSTEM32\nblcjngk.dll

C:\WINDOWS\SYSTEM32\iifccde.dll

C:\WINDOWS\SYSTEM32\vbzip10.dll

C:\n.bat

C:\WINDOWS\SYSTEM32\xvuwrgja.dll

C:\WINDOWS\SYSTEM32\jkeogwpx.dll

C:\WINDOWS\SYSTEM32\uekhubyt.dll

C:\WINDOWS\SYSTEM32\pmnklif.dll

C:\WINDOWS\SYSTEM32\lvupxqcc.dll

C:\WINDOWS\SYSTEM32\gebyxur.dll

C:\WINDOWS\SYSTEM32\jydtkaea.dll

C:\WINDOWS\SYSTEM32\xclqbllv.dll

C:\WINDOWS\SYSTEM32\ddcaxuu.dll

C:\WINDOWS\SYSTEM32\imwsciin.dll

C:\Documents and Settings\Inna Zatulovsky\z.dat

C:\WINDOWS\SYSTEM32\xxyxxxw.dll

C:\Documents and Settings\Inna Zatulovsky\x.dat

C:\x.dat

 

Folder::

C:\WINDOWS\SYSTEM32\Mz18r

C:\Temp\mZOr

C:\VundoFix Backups

 

Collect::[8]

C:\winlogon.exe

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78DCEF3E-192D-4AD0-848D-A0FD600A2E6E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f15994d4-5185-4b60-8c4f-e29411759fcc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Host Process"=-

"1067cd81"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqoli]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Inna Zatulovsky^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1067cd81]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]

 

Save this as a text file named CFScript.

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again.

 

* It will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip

* Another file will be present on your desktop, CF-Submit.htm, which will open after you have run ComboFix.

* Where it says "Submit files for further analysis", click OK and a browser window will open. There you'll see "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste it into that field and click OK.

 

 

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

Extra question: your Norton AntiVirus, is it a trial or did you purchase it? Is it up to date? It surprises me that it is still not detecting a certain file, although I have already sent them the sample a couple of times.


1) Here is the ComboFix file:

 

ComboFix 07-11-08.1 - Inna Zatulovsky 2007-11-13 17:35:04.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.161 [GMT -8:00]

Running from: C:\Documents and Settings\Inna Zatulovsky\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Inna Zatulovsky\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\Documents and Settings\Inna Zatulovsky\x.dat

C:\Documents and Settings\Inna Zatulovsky\z.dat

C:\n.bat

C:\WINDOWS\Fonts\Setup.exe

C:\WINDOWS\Fonts\svchost.exe

C:\WINDOWS\SYSTEM32\awtqoli.dll

C:\WINDOWS\SYSTEM32\ddcaxuu.dll

C:\WINDOWS\SYSTEM32\gebyxur.dll

C:\WINDOWS\SYSTEM32\iifccde.dll

C:\WINDOWS\SYSTEM32\imwsciin.dll

C:\WINDOWS\SYSTEM32\jkeogwpx.dll

C:\WINDOWS\SYSTEM32\jydtkaea.dll

C:\WINDOWS\SYSTEM32\lvupxqcc.dll

C:\WINDOWS\SYSTEM32\nblcjngk.dll

C:\WINDOWS\SYSTEM32\pmnklif.dll

C:\WINDOWS\system32\srutv.ini

C:\WINDOWS\system32\srutv.ini2

C:\WINDOWS\SYSTEM32\uekhubyt.dll

C:\WINDOWS\system32\uygjjupq.dll

C:\WINDOWS\SYSTEM32\vbzip10.dll

C:\WINDOWS\system32\vturs.dll

C:\WINDOWS\SYSTEM32\xclqbllv.dll

C:\WINDOWS\SYSTEM32\xvuwrgja.dll

C:\WINDOWS\SYSTEM32\xxyxxxw.dll

C:\x.dat

C:\z.dat

.

 

Unable to gain System Privileges

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Inna Zatulovsky\x.dat

C:\Documents and Settings\Inna Zatulovsky\z.dat

C:\n.bat

C:\Temp\mZOr

C:\VundoFix Backups

C:\WINDOWS\cookies.ini

C:\WINDOWS\Fonts\Setup.exe

C:\WINDOWS\Fonts\svchost.exe

C:\WINDOWS\SYSTEM32\awtqoli.dll

C:\WINDOWS\SYSTEM32\ddcaxuu.dll

C:\WINDOWS\SYSTEM32\gebyxur.dll

C:\WINDOWS\SYSTEM32\iifccde.dll

C:\WINDOWS\SYSTEM32\imwsciin.dll

C:\WINDOWS\SYSTEM32\jkeogwpx.dll

C:\WINDOWS\SYSTEM32\jydtkaea.dll

C:\WINDOWS\SYSTEM32\lvupxqcc.dll

C:\WINDOWS\SYSTEM32\Mz18r

C:\WINDOWS\SYSTEM32\nblcjngk.dll

C:\WINDOWS\SYSTEM32\pmnklif.dll

C:\WINDOWS\system32\srutv.ini

C:\WINDOWS\system32\srutv.ini2

C:\WINDOWS\SYSTEM32\uekhubyt.dll

C:\WINDOWS\SYSTEM32\vbzip10.dll

C:\WINDOWS\system32\vturs.dll

C:\WINDOWS\SYSTEM32\xclqbllv.dll

C:\WINDOWS\SYSTEM32\xvuwrgja.dll

C:\WINDOWS\SYSTEM32\xxyxxxw.dll

C:\winlogon.exe

C:\x.dat

C:\z.dat

 

.

((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))

.

 

2007-11-13 15:58 37,376 --a------ C:\WINDOWS\SYSTEM32\pmnomml.dll

2007-11-13 15:31 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-12 19:45 <DIR> d-------- C:\Program Files\Trend Micro

2007-11-12 18:16 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-10 11:48 <DIR> d-------- C:\Program Files\Lavasoft

2007-11-10 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-10 11:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-07 16:32 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-11-06 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-04 23:43 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Shared

2007-11-04 23:42 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Incomplete

2007-11-04 23:42 <DIR> d-------- C:\Documents and Settings\Inna Zatulovsky\Application Data\LimeWire

2007-11-04 23:39 <DIR> d-------- C:\Program Files\LimeWire

2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll

2007-10-30 19:55 242,056 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll

2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys

2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys

2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys

2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys

2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys

2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys

2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-14 01:49 --------- d-----w C:\Program Files\Plaxo

2007-11-13 02:18 --------- d-----w C:\Program Files\Java

2007-11-10 21:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-11-10 21:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-11-10 21:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-11-10 21:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-11-10 21:15 --------- d-----w C:\Program Files\Symantec

2007-11-10 03:27 --------- d-----w C:\Documents and Settings\Inna Zatulovsky\Application Data\AdobeUM

2007-11-08 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat

2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf

2007-09-23 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-09-23 15:39 --------- d-----w C:\Program Files\Norton AntiVirus

2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat

2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat

2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat

2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf

2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf

2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf

2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys

2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys

2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys

2007-09-16 01:46 --------- d-----w C:\Program Files\Windows Installer Clean Up

2007-09-16 01:45 --------- d-----w C:\Program Files\MSECACHE

2007-09-16 00:04 --------- d-----w C:\Documents and Settings\Inna Zatulovsky\Application Data\Skype

2006-05-12 05:16 150,912 ----a-w C:\Documents and Settings\Inna Zatulovsky\Application Data\GDIPFONTCACHEV1.DAT

2004-01-08 05:17 11,401 ----a-w C:\Program Files\GAL2SET.LOG

2004-01-05 04:38 498 ----a-w C:\Program Files\FTW.ini

2004-01-05 04:28 29,364 ----a-w C:\Program Files\Uninst.isu

2001-10-30 17:00 94,179 ----a-w C:\Program Files\FF_TIPS.HLP

2001-10-30 17:00 90,112 ----a-w C:\Program Files\Ftwbub32.dll

2001-10-30 17:00 803,680 ----a-w C:\Program Files\AXDIST.EXE

2001-10-30 17:00 77,824 ----a-w C:\Program Files\lffax10N.dll

2001-10-30 17:00 74,240 ----a-w C:\Program Files\infolink.dll

2001-10-30 17:00 690,472 ----a-w C:\Program Files\FTW32.HLP

2001-10-30 17:00 69,632 ----a-w C:\Program Files\Imaging.dll

2001-10-30 17:00 653,100 ----a-w C:\Program Files\MAPLOCS.HLP

2001-10-30 17:00 61,440 ----a-w C:\Program Files\aqueduct.dll

2001-10-30 17:00 58,368 ----a-w C:\Program Files\lfwmf10N.dll

2001-10-30 17:00 57,344 ----a-w C:\Program Files\pgcntl32.dll

2001-10-30 17:00 57,344 ----a-w C:\Program Files\Ftosub.exe

2001-10-30 17:00 56,320 ----a-w C:\Program Files\lfpsd10N.dll

2001-10-30 17:00 507,904 ----a-w C:\Program Files\Ftwstr32.dll

2001-10-30 17:00 5,832,704 ----a-w C:\Program Files\Ftw.exe

2001-10-30 17:00 5,619,712 ----a-w C:\Program Files\Ftwbmp32.dll

2001-10-30 17:00 48,640 ----a-w C:\Program Files\launch32.dll

2001-10-30 17:00 48,640 ----a-w C:\Program Files\INETWH32.dll

2001-10-30 17:00 45,900 ----a-w C:\Program Files\LINCOLN.BMP

2001-10-30 17:00 435,200 ----a-w C:\Program Files\ftwsys.bin

2001-10-30 17:00 4,532,896 ----a-w C:\Program Files\GENEHP32.HLP

2001-10-30 17:00 38,912 ----a-w C:\Program Files\FTOINST.EXE

2001-10-30 17:00 36,864 ----a-w C:\Program Files\FtwTlbr.dll

2001-10-30 17:00 35,840 ----a-w C:\Program Files\lttwn10N.dll

2001-10-30 17:00 35,840 ----a-w C:\Program Files\lflma10N.dll

2001-10-30 17:00 34,304 ----a-w C:\Program Files\lfbmp10N.dll

2001-10-30 17:00 338,944 ----a-w C:\Program Files\lffpx7.dll

2001-10-30 17:00 337 ----a-w C:\Program Files\Readme32.cnt

2001-10-30 17:00 331,776 ----a-w C:\Program Files\pg30.dll

2001-10-30 17:00 33,280 ----a-w C:\Program Files\lfpcx10N.dll

2001-10-30 17:00 32,768 ----a-w C:\Program Files\Ftwmsc32.dll

2001-10-30 17:00 31,744 ----a-w C:\Program Files\lflmb10N.dll

2001-10-30 17:00 297,472 ----a-w C:\Program Files\ltkrn10N.dll

2001-10-30 17:00 28,672 ----a-w C:\Program Files\Ftwskc32.dll

2001-10-30 17:00 28,672 ----a-w C:\Program Files\Ftwsk32.dll

2001-10-30 17:00 274,432 ----a-w C:\Program Files\KinRes.dll

2001-10-30 17:00 27,136 ----a-w C:\Program Files\lfimg10N.dll

2001-10-30 17:00 266,752 ----a-w C:\Program Files\LFCMP10N.DLL

2001-10-30 17:00 26,112 ----a-w C:\Program Files\lfpcd10N.dll

2001-10-30 17:00 25,744 ----a-w C:\Program Files\Ftw32.cnt

2001-10-30 17:00 245,760 ----a-w C:\Program Files\ftwwrp32.dll

2001-10-30 17:00 231,424 ----a-w C:\Program Files\LTDIS10N.dll

2001-10-30 17:00 23,981 ----a-w C:\Program Files\README32.HLP

2001-10-30 17:00 23,120 ----a-w C:\Program Files\pkwdcl.dll

2001-10-30 17:00 212,480 ----a-w C:\Program Files\PCDLIB32.DLL

2001-10-30 17:00 196,608 ----a-w C:\Program Files\TextEditor.dll

2001-10-30 17:00 17,920 ----a-w C:\Program Files\implode.dll

2001-10-30 17:00 158,560 ----a-w C:\Program Files\APRXDIST.EXE

2001-10-30 17:00 150,528 ----a-w C:\Program Files\ssce5132.dll

2001-10-30 17:00 131 ----a-w C:\Program Files\prd.bin

2001-10-30 17:00 122,880 ----a-w C:\Program Files\LFKODAK.DLL

2001-10-30 17:00 122,368 ----a-w C:\Program Files\lftif10N.dll

2001-10-30 17:00 114,176 ----a-w C:\Program Files\ltimg10N.dll

2001-10-30 17:00 11,120 ----a-w C:\Program Files\License.txt

2001-10-30 17:00 11,120 ----a-w C:\Program Files\license.doc

2001-10-30 17:00 103,424 ----a-w C:\Program Files\ltfil10N.DLL

2001-10-30 17:00 100,352 ----a-w C:\Program Files\lffpx10N.dll

2001-10-30 17:00 10,432 ----a-w C:\Program Files\winsock.aol

2001-10-30 17:00 1,445,888 ----a-w C:\Program Files\ftwmfc.dll

1995-11-10 08:00 5,813 ----a-w C:\Program Files\README.TXT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 23:04]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-19 11:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 12:42]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 18:05]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk

backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Inna Zatulovsky^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

path=C:\Documents and Settings\Inna Zatulovsky\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk

backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

"C:\Program Files\DellSupport\DSAgnt.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Dell\Media Experience\PCMService.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]

C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1

 

 

.

Contents of the 'Scheduled Tasks' folder

"2007-11-12 15:36:31 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Inna Zatulovsky.job"

- C:\Program Files\Norton AntiVirus\Navw32.exe

.

**************************************************************************

 

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-13 17:48:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-11-13 17:56:05 - machine was rebooted

C:\ComboFix2.txt ... 2007-11-13 16:06

.

--- E O F ---

 

 

2) Here is the new HijackThis file:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:25:28 PM, on 11/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwoc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/CoreportSsoClient.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 8868 bytes

 

 

3) Yes, I have purchased NAV - it has 201 days until expiration.

 

 

 

Hi,

 

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Save this as a text file named CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again.

 

* It will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip

* Another file will be present on your desktop: CF-Submit.htm, which will open after you have run ComboFix.

* Where it says "Submit files for further analysis", click OK and a browser window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this into the field above and click OK.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

 

Extra question - Your Norton Antivirus, is it a trial or did you purchase it? Is it up to date? Because it surprises me that it is still not detecting a certain file although I have sent them the sample already a couple of times.

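As an added example (not code from this thread or from any of the tools named in it), a small Python triage helper for pasted HijackThis logs of this kind: it flags core Windows binary names that run from, or are launched from, a directory other than the one Windows installs them in, which is exactly how the C:\WINDOWS\Fonts\svchost.exe in the log above stands out, and it also flags O4 autorun entries that carry no path at all. The expected-directory table and the log excerpt are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Where Windows XP installs its core process binaries, relative to %WINDIR%
# ("" means directly in %WINDIR%). This lookup table is an assumption made
# for the example and is not exhaustive.
EXPECTED_DIRS: Dict[str, str] = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "ctfmon.exe": "system32",
    "explorer.exe": "",
}

# A drive-rooted path ending in .exe (quotes around it, if any, are excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)\b', re.IGNORECASE)
# A HijackThis autorun entry: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - .*?\\Run: \[[^\]]*\] (.*)$")


def classify_path(path: str, windir: str = r"C:\WINDOWS") -> str:
    """'ok' if a core binary sits in its home directory, 'masquerade' if a
    core binary name runs from anywhere else, 'other' for non-core names."""
    directory, _, name = path.rpartition("\\")
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return "other"
    home = windir.lower()
    if EXPECTED_DIRS[name]:
        home += "\\" + EXPECTED_DIRS[name]
    return "ok" if directory.lower() == home else "masquerade"


def triage_hjt_log(text: str, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Walk a HijackThis log and return (kind, target, line) findings.

    kind is 'masquerade' for a core Windows binary name running from the
    wrong directory (any section: running processes, O4, O23 ...), or
    'unqualified' for an O4 autorun whose command carries no path at all,
    so the loader's search order, not the entry, decides what runs.
    """
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m and not PATH_RE.search(m.group(1)):
            cmd = m.group(1).strip()
            findings.append(("unqualified", cmd.split(" ")[0], line))
            continue
        for path in PATH_RE.findall(line):
            if classify_path(path, windir) == "masquerade":
                findings.append(("masquerade", path, line))
    return findings


# Constructed excerpt modelled on the log in this thread (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for kind, target, line in triage_hjt_log(SAMPLE_LOG):
        print(f"{kind:12} {target}\n    {line}")
```

A hit from this check is a lead to verify (hash the file, check its signature and creation time), not a verdict on its own, since legitimate third-party software occasionally ships binaries with these names.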

Hi,

 

Navigate to and delete the following file:

 

C:\WINDOWS\SYSTEM32\pmnomml.dll

 

3) Yes, I have purchased NAV - it has 201 days until expiration.
Well, then I hope they will be faster in adding detection, because I sent them the file C:\WINDOWS\Fonts\svchost.exe more than a week ago and it appears that they still aren't detecting it yet. The first couple of mails I received back from them were to tell me that there was no malicious content in that file. Then I asked them to review it, but didn't receive anything back yet. It would be a pity if they are still thinking this file is OK/harmless.

 

Anyway, Combofix removed it. ;)

 

The rest of your logs look OK.

 

FIRST Step..

 

* Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

 

Paste the following bold part into the Suspicious File Packer window:

 

C:\Qoobox\quarantine\C\Documents and Settings\Inna Zatulovsky\x.dat.vir

C:\Qoobox\quarantine\C\Documents and Settings\Inna Zatulovsky\z.dat.vir

C:\Qoobox\quarantine\C\n.bat.vir

 

Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.

The cab file will be called requested-files[*].cab (the * stands for the date and hour).

Then click the Send File button below.

 

Then, after you have performed the above...

 

* Go to Start > Run and copy and paste the next command into the field:

 

ComboFix /u

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Then, as a final check.. * Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


Hi,

 

Extra note...

I've received the file you submitted and I recommend you change ALL your passwords asap! Because they are currently known.


Hi,

 

Can you send me your mail address via PM please? Because the other files you uploaded contain ALL your passwords and login names, even for your PayPal, Amazon and all the other sites you have been visiting where you need a password.

I need your mail address so I can send you the text files, so you can see which passwords you have to change and where.

 

Edit - I already know your mail address; I could find it in the files, including your password. ;)

Can you tell me if this is your current working mail address: inna1 AT sbcglobal.net?

This is because I see a lot of other mail addresses there as well, most probably also obsolete ones. So please let me know, so I can send you the files, because this is really important.


Things seem to be OK now - THANKS! However, the ESET log still shows over 4,000 threats (see attached) - what should be done at this point?

 


log.txt

Edited by LS CalamityJane
snipped log to reduce file size (original text file was 6.67 MB!)


Yes, "inna1" is a correct address...

 

 



Hi,

 

I already thought that this Fonts\' folder was there; that's why I asked you to run the ESET online scan.

I don't know if you selected to delete what NOD32 found, but please do the following..

 

Open Notepad and copy and paste the following (present in the quotebox) into it:

 

cd %windir%\fonts

if exist ' rd /q /s '

Save this as delete.bat, choose to save as "All Files", and place it on your desktop.

It should look like this: bat.gif

Double-click on it and let it perform its job.

 

Delete the next file:

 

C:\Documents and Settings\Inna Zatulovsky\Shared\Photodex ProShow Producer v3.0.1974.zip

 

Clear your Java cache:

Clearing Java Cache:

  • Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Settings button.
  • Click the Delete Files... button below. Make sure the following are checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

I'm going to send you a mail with the text files attached with all your passwords which are known, so make sure you change them all.

 

Afterwards, perform a new scan with ESET and post the log in your next reply.


Here is the new ESET scan. Also, I have not received a file with passwords from you as of yet...

 

# version=4

# OnlineScanner.ocx=1.0.0.56

# OnlineScannerDLLA.dll=1, 0, 0, 51

# OnlineScannerDLLW.dll=1, 0, 0, 51

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=2661 (20071115)

# vers_arch_module=1.059 (20071108)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=edc7fbcfeb0c15499a43cb54d3138964

# end=finished

# remove_checked=false

# unwanted_checked=true

# utc_time=2007-11-15 08:23:23

# local_time=2007-11-15 12:23:23 (-0800, Pacific Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=258121

# found=10

# scan_time=4027

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip multiple infiltrations 7A0DFCB5F4857323B436CFFE04C4A337

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip »ZIP »Gummy.class Java/Bytverify trojan 00000000000000000000000000000000

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip »ZIP »Beyond.class a variant of Java/ClassLoader.K trojan 00000000000000000000000000000000

C:\Documents and Settings\Inna Zatulovsky\Shared\Photodex ProShow Producer v3.0.1974\Crack.exe probably a variant of Win32/Agent trojan D6501BB075B2B80F0ADFBB7BB8CA42A7

C:\Documents and Settings\Inna Zatulovsky\Shared\Photodex ProShow Producer v3.0.1974\Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan C774B425A5C12405AC860BD73DD2B4F1

C:\RECYCLER\S-1-5-21-686895051-864744168-116612396-1007\Dc3.zip multiple infiltrations 88AFC5DF08056F56C4B053177F941B65

C:\RECYCLER\S-1-5-21-686895051-864744168-116612396-1007\Dc3.zip »ZIP »Crack.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000

C:\RECYCLER\S-1-5-21-686895051-864744168-116612396-1007\Dc3.zip »ZIP »Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan 00000000000000000000000000000000

C:\WINDOWS\Fonts\a.zip probably a variant of Win32/TrojanDropper.VB.NAI trojan DE73C33C05B66EE916B33819640DFCA4

C:\WINDOWS\Fonts\a.zip »ZIP »Setup.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan 00000000000000000000000000000000

 

 

 

 



Hi,

 

Navigate to and delete the next files:

 

C:\Documents and Settings\Inna Zatulovsky\Shared\Photodex ProShow Producer v3.0.1974\Crack.exe

C:\Documents and Settings\Inna Zatulovsky\Shared\Photodex ProShow Producer v3.0.1974\Setup.exe

C:\WINDOWS\Fonts\a.zip

 

Did you perform the step with Cleaning the Java cache?

 

Also, I have not received a file with passwords from you as of yet...
I did send it though... anyway, I'll send you a PM instead.


By the way, from what I've read here - your infection actually all started with the crack you downloaded for Photodex ProShow Producer. Because you unzipped it and ran it... and the problems started.

So I really hope you have learned from this and will stay away from illegal sites/software from now on, because that's where malware is lurking anyway.

This time we could luckily fix it, but there may be a next time that we won't be able to fix it and a format and reinstall would be the only solution.

So is it really worth it? Get illegal software for "free", but compromise/break your computer instead and all your passwords are known.... :)


Yes, cleaned the Java cache.

 

Here is the latest ESET log - still 5 threats...

 

 

# version=4

# OnlineScanner.ocx=1.0.0.56

# OnlineScannerDLLA.dll=1, 0, 0, 51

# OnlineScannerDLLW.dll=1, 0, 0, 51

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=2661 (20071115)

# vers_arch_module=1.059 (20071108)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=edc7fbcfeb0c15499a43cb54d3138964

# end=finished

# remove_checked=false

# unwanted_checked=true

# utc_time=2007-11-16 12:37:09

# local_time=2007-11-15 04:37:09 (-0800, Pacific Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=258166

# found=5

# scan_time=3627

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip multiple infiltrations 7A0DFCB5F4857323B436CFFE04C4A337

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip »ZIP »Gummy.class Java/Bytverify trojan 00000000000000000000000000000000

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip »ZIP »Beyond.class a variant of Java/ClassLoader.K trojan 00000000000000000000000000000000

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1188\A0074536.exe probably a variant of Win32/Agent trojan D6501BB075B2B80F0ADFBB7BB8CA42A7

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1188\A0074537.exe probably a variant of Win32/TrojanDropper.VB.NAI trojan C774B425A5C12405AC860BD73DD2B4F1

 

 



Hi,

 

It looks like you have to delete the file manually, so navigate to and delete the next file:

 

C:\Documents and Settings\Inna Zatulovsky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-531e248-6adb3398.zip

 

Flush your system restore points:

To do this, you have to disable System Restore and enable it again afterwards.

(note: this will delete all your system restore points and any malware that was present in them).

 

How to disable system restore in XP <= click me for instructions with screenshots

After you have disabled System Restore, reboot, and after rebooting enable it again, so a new System Restore point will be made. A clean one now! :)

 

Let me know afterwards how things are now. Also, did you already change your passwords (the ones I sent you)?


Did as you have instructed, reran ESET - NO THREATS FOUND !!!!! Thank you so much !!! Let me know if you ever visit California - will be delighted to meet you and show you around !!!

 

And yes, I have changed all my passwords...

 



Glad I could help. :)

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Symantec has now included detections for the following 4 files in the CERTIFIED definitions, beginning Monday the 19th.

More info:

Symantec detections now id ALL

 

-----Original Message-----

From: [email protected] [mailto:[email protected]]

Sent: Monday, November 19, 2007 10:39 AM

To: amysheehan AT dslr.net

Subject: [CLOSING]: Symantec Security Response Automation: Tracking #9283020

 

This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.

Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.

 

Below is a status update on your virus submission:

 

Date: November 19, 2007

 

Dear Amy,

 

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

 

filename: Crack.exe.zip

machine: AVCAutomation:

result: See the developer notes

 

filename: Crack.exe

machine: AVCAutomation:

result: This file is detected as Backdoor.IRC.Bot. »www.symantec.com/avcenter/venc/d···bot.html

 

filename: Setup.exe.zip

machine: AVCAutomation:

result: See the developer notes

 

filename: Setup.exe

machine: AVCAutomation:

result: This file is detected as Backdoor.IRC.Bot. »www.symantec.com/avcenter/venc/d···bot.html

 

filename: svchost.exe.zip

machine: AVCAutomation:

result: See the developer notes

 

filename: svchost.exe

machine: AVCAutomation:

result: This file is detected as Downloader. »www.symantec.com/avcenter/venc/d···der.html

 

filename: winlogon.exe.zip

machine: AVCAutomation:

result: See the developer notes

 

filename: winlogon.exe

machine: AVCAutomation:

result: This file is detected as Infostealer. »www.symantec.com/avcenter/venc/d···ler.html

 

Developer notes:

Crack.exe.zip is an infected container file of type ZIP. Crack.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions. This file is contained by Crack.exe.zip.

Setup.exe.zip is an infected container file of type ZIP. Setup.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions. This file is contained by Setup.exe.zip.

svchost.exe.zip is an infected container file of type ZIP. svchost.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions. This file is contained by svchost.exe.zip.

winlogon.exe.zip is an infected container file of type ZIP. winlogon.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions. This file is contained by winlogon.exe.zip.

 

The current definitions are capable of detecting this virus. Please update your definitions by clicking the "LiveUpdate" button in your NAV program.

 

Should you have any questions about your submission, please contact your regional technical support from the Symantec website and give them the tracking number in the subject of this message.

 

-----------------------------------------------------------------------

This message was generated by Symantec Security Response automation.

 

 

 

>>>>>>>>>>>

Please contact me if you find another file for submission or need any additional help/advice with this issue.

Amy Sheehan


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. ;)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !

This topic is now closed to further replies.