Jump to content

Antimodez

Members
  • Posts

    8
  • Joined

  • Last visited

Everything posted by Antimodez

  1. Seems good now. Thanks a lot for the help - and speedy replies.
  2. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:50, on 2009-01-14 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\Program Files\Citrix\ICA Client\ssonsvr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Pfx Engagement\Common\PFXEngDesktopService.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Pfx Engagement\Common\PFXSYNPFTService.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\MMTaskbar\MultiMon.exe C:\Pfx Engagement\WM\PfxPDFConvertService.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe O4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172204464531 O16 - DPF: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} (WebForm Launch Server) - http://files.stf.com/Downloads/WebFormServer_v3.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\Software\..\Telephony: DomainName = swllpfw.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swllpfw.com O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exe O23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 6945 bytes
  3. We have a network here which connects to our main office in Fort Worth. SW, LLP Fort Worth is what I'm betting it is. Should I run HJT on the guys computer next to me to confirm that?
  4. ComboFix 09-01-13.04 - ccurrier 2009-01-14 13:23:53.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.633 [GMT -6:00] Running from: c:\documents and settings\ccurrier\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\ccurrier\Desktop\CFScript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point FILE :: C:\VirtumundoBeGone.exe c:\windows\saynrxglvs.dat c:\windows\system32\MSvlnyayvg.dll c:\windows\system32\rn.tmp c:\windows\Tasks\hsnmiyiv.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\VirtumundoBeGone.exe C:\VundoFix Backups c:\windows\saynrxglvs.dat c:\windows\system32\MSvlnyayvg.dll c:\windows\system32\rn.tmp c:\windows\Tasks\hsnmiyiv.job . ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 ))))))))))))))))))))))))))))))) . 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\SUPERAntiSpyware.com 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-13 11:46 . 2009-01-13 11:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-13 10:56 . 2009-01-13 10:56 <DIR> d-------- c:\program files\CCleaner 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Malwarebytes 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-13 09:49 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-13 09:49 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-13 08:06 . 2009-01-13 08:06 <DIR> d-------- c:\program files\Trend Micro 2009-01-12 13:38 . 2009-01-12 13:37 410,984 --a------ c:\windows\system32\deploytk.dll 2009-01-12 13:25 . 2009-01-12 13:25 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Leadertech 2009-01-12 10:54 . 2009-01-12 11:27 <DIR> d-------- c:\program files\Spyware Doctor 2009-01-12 10:54 . 2009-01-12 11:25 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP 2009-01-09 14:18 . 2009-01-09 14:18 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Media Player Classic 2009-01-09 13:57 . 2009-01-09 13:58 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\dvdcss 2009-01-09 13:55 . 2009-01-09 13:55 <DIR> d-------- c:\program files\VideoLAN 2009-01-09 09:32 . 2009-01-09 15:16 153 --a------ c:\windows\wininit.ini 2009-01-08 17:00 . 2009-01-09 11:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-08 17:00 . 2009-01-13 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-12 19:37 --------- d-----w c:\program files\Java 2009-01-12 17:55 --------- d-----w c:\documents and settings\ccurrier\Application Data\Move Networks 2009-01-12 17:52 --------- d-----w c:\documents and settings\ccurrier\Application Data\ICAClient 2009-01-09 20:10 --------- d-----w c:\program files\Google 2009-01-09 13:20 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-01-08 22:24 --------- d-----w c:\program files\Symantec AntiVirus 2008-12-31 15:37 --------- d-----w c:\documents and settings\ccurrier\Application Data\gtk-2.0 2008-12-03 19:48 --------- d-----w c:\program files\Best Software 2008-12-02 15:15 --------- d-----w c:\program files\IrfanView 2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll 2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2007-02-26 294912] PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2007-10-24 184320] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "avast! Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"="0x00000000" "UpdatesDisableNotify"="0x00000000" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6735:TCP"= 6735:TCP:Desktopsyncservice "2029:TCP"= 2029:TCP:MSSQLPROFXENGAGEMENT "6736:TCP"= 6736:TCP:Pfxsynpfxservice "1434:UDP"= 1434:UDP:SQL UDP R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408] R4 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224] R4 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [2007-10-24 335872] R4 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [2007-10-24 348160] R4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608] S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2007-02-16 247296] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrvI7 . . ------- Supplementary Scan ------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:30, on 2009-01-14 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\WINDOWS\system32\nvsvc32.exe C:\Pfx Engagement\Common\PFXEngDesktopService.exe C:\Pfx Engagement\Common\PFXSYNPFTService.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Citrix\ICA Client\ssonsvr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Pfx Engagement\WM\PfxPDFConvertService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe O4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172204464531 O16 - DPF: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} (WebForm Launch Server) - http://files.stf.com/Downloads/WebFormServer_v3.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\Software\..\Telephony: DomainName = swllpfw.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swllpfw.com O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exe O23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 6678 bytes
  5. Here's the combofix log: ComboFix 09-01-13.04 - ccurrier 2009-01-14 11:52:56.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.602 [GMT -6:00] Running from: c:\documents and settings\ccurrier\Desktop\ComboFix.exe AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\actxcp.dll c:\windows\system32\ikclpxyi.dll c:\windows\system32\ixkgatqx.dll c:\windows\system32\loyapled.ini c:\windows\system32\olpklytk.ini c:\windows\system32\ovduindg.ini c:\windows\system32\rqqnuo.dll c:\windows\system32\swkmpv.dll c:\windows\system32\tdckba.dll c:\windows\system32\tmp.reg c:\windows\system32\ulimtlwb.ini c:\windows\system32\vnjsxdym.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_seneka ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 ))))))))))))))))))))))))))))))) . 2009-01-13 16:22 . 2009-01-13 16:22 904,192 --a------ c:\windows\system32\rn.tmp 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\SUPERAntiSpyware.com 2009-01-13 11:47 . 2009-01-13 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-13 11:46 . 2009-01-13 11:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-13 10:56 . 2009-01-13 10:56 <DIR> d-------- c:\program files\CCleaner 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Malwarebytes 2009-01-13 09:49 . 2009-01-13 09:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-13 09:49 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-13 09:49 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-13 08:06 . 2009-01-13 08:06 <DIR> d-------- c:\program files\Trend Micro 2009-01-12 13:38 . 2009-01-12 13:37 410,984 --a------ c:\windows\system32\deploytk.dll 2009-01-12 13:25 . 2009-01-12 13:25 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Leadertech 2009-01-12 11:12 . 2009-01-12 11:12 96,978 --a------ C:\VirtumundoBeGone.exe 2009-01-12 10:54 . 2009-01-12 11:27 <DIR> d-------- c:\program files\Spyware Doctor 2009-01-12 10:54 . 2009-01-12 11:25 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP 2009-01-12 10:27 . 2009-01-12 10:27 <DIR> d-------- C:\VundoFix Backups 2009-01-09 14:18 . 2009-01-09 14:18 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\Media Player Classic 2009-01-09 13:57 . 2009-01-09 13:58 <DIR> d-------- c:\documents and settings\ccurrier\Application Data\dvdcss 2009-01-09 13:55 . 2009-01-09 13:55 <DIR> d-------- c:\program files\VideoLAN 2009-01-09 09:32 . 2009-01-09 15:16 153 --a------ c:\windows\wininit.ini 2009-01-08 17:00 . 2009-01-09 11:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-08 17:00 . 2009-01-13 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-12 19:37 --------- d-----w c:\program files\Java 2009-01-12 17:55 --------- d-----w c:\documents and settings\ccurrier\Application Data\Move Networks 2009-01-12 17:52 --------- d-----w c:\documents and settings\ccurrier\Application Data\ICAClient 2009-01-09 20:10 --------- d-----w c:\program files\Google 2009-01-09 13:20 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-01-08 22:24 --------- d-----w c:\program files\Symantec AntiVirus 2008-12-31 15:37 --------- d-----w c:\documents and settings\ccurrier\Application Data\gtk-2.0 2008-12-03 19:48 --------- d-----w c:\program files\Best Software 2008-12-02 15:15 --------- d-----w c:\program files\IrfanView 2007-05-13 19:53 621 --sha-r c:\windows\saynrxglvs.dat 2007-05-13 19:53 621 --sha-r c:\windows\system32\MSvlnyayvg.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2007-02-26 294912] PfxPDFConvertService.exe.lnk - c:\pfx engagement\WM\PfxPDFConvertService.exe [2007-10-24 184320] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=rqqnuo.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "avast! Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"="0x00000000" "UpdatesDisableNotify"="0x00000000" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6735:TCP"= 6735:TCP:Desktopsyncservice "2029:TCP"= 2029:TCP:MSSQLPROFXENGAGEMENT "6736:TCP"= 6736:TCP:Pfxsynpfxservice "1434:UDP"= 1434:UDP:SQL UDP R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408] R4 MSSQL$PROFXENGAGEMENT;SQL Server (PROFXENGAGEMENT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224] R4 PFXEngDesktopService;PFXEngDesktopService;c:\pfx engagement\Common\PFXEngDesktopService.exe [2007-10-24 335872] R4 PFXSYNPFTService;PFXSYNPFTService;c:\pfx engagement\Common\PFXSYNPFTService.exe [2007-10-24 348160] R4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608] S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2007-02-16 247296] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrvI7 . Contents of the 'Scheduled Tasks' folder 2009-01-14 c:\windows\Tasks\hsnmiyiv.job - c:\windows\system32\rundll32.exe [2004-08-04 04:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://google.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 c:\windows\Downloaded Program Files\WebFormServer.dll - O16 -: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} hxxp://files.stf.com/Downloads/WebFormServer_v3.cab c:\windows\Downloaded Program Files\default.inf FF - ProfilePath - c:\documents and settings\ccurrier\Application Data\Mozilla\Firefox\Profiles\kb39qvk5.default\ FF - prefs.js: browser.startup.homepage - hxxp://sojaded.org/ FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-14 13:06:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(568) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Citrix\ICA Client\ssonsvr.exe c:\program files\Symantec AntiVirus\DoScan.exe . ************************************************************************** . Completion time: 2009-01-14 13:10:51 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-14 19:10:46 Pre-Run: 15,340,175,360 bytes free Post-Run: 16,356,810,752 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 178 --- E O F --- 2008-12-18 23:02:57 ...and the HJT log (post combofix): Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:11, on 2009-01-14 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\WINDOWS\system32\nvsvc32.exe C:\Pfx Engagement\Common\PFXEngDesktopService.exe C:\Pfx Engagement\Common\PFXSYNPFTService.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Citrix\ICA Client\ssonsvr.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Pfx Engagement\WM\PfxPDFConvertService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe O4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172204464531 O16 - DPF: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} (WebForm Launch Server) - http://files.stf.com/Downloads/WebFormServer_v3.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\Software\..\Telephony: DomainName = swllpfw.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swllpfw.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swllpfw.com O20 - AppInit_DLLs: rqqnuo.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exe O23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- End of file - 6921 bytes
  6. Here are the steps taken thus far. Originally I had Smitfraud.c, Vundo and MS Juan all popping up, along with a plethora of tracking cookies via MBAM. I rebooted to Safe mode with Networking. I ran MBAM and CCleaner. Rebooted again, and all 3 were found. I ran HJT and manually removed the Smitfraud.C. The other two still persist. As per request (after posting in the wrong forum) here is the MBAM log complete seconds ago. Malwarebytes' Anti-Malware 1.32Database version: 1648Windows 5.1.2600 Service Pack 2 1/14/2009 11:30:29 AMmbam-log-2009-01-14 (11-30-29).txt Scan type: Quick ScanObjects scanned: 89406Time elapsed: 16 minute(s), 40 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected:(No malicious items detected) Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)And here is the HJT log: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:34:34, on 1/14/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exeC:\Program Files\Citrix\ICA Client\ssonsvr.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\nvsvc32.exeC:\Pfx Engagement\Common\PFXEngDesktopService.exeC:\Program Files\Messenger\msmsgs.exeC:\Pfx Engagement\Common\PFXSYNPFTService.exeC:\Program Files\Symantec AntiVirus\SavRoam.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\MMTaskbar\MultiMon.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Pfx Engagement\WM\PfxPDFConvertService.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exeO4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172204464531O16 - DPF: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} (WebForm Launch Server) - http://files.stf.com/Downloads/WebFormServer_v3.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swllpfw.comO17 - HKLM\Software\..\Telephony: DomainName = swllpfw.comO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swllpfw.comO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swllpfw.comO20 - AppInit_DLLs: rqqnuo.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exeO23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe --End of file - 6495 bytesPrograms say they delete it, but it keeps coming back. I have tried (all in safe mode): FixVundo, VirtumondoBeGone, VundoFix, MBAM, Spybot S&D, and SUPERAntiPyware. All to no avail. Thanks in advance.
  7. This is a little convoluted. What I mean is everything else is gone. The only items which still persist, even upon removal are the 4 registry entries I listed.
  8. I have been slowly regaining control of my system at work, after I was infected by Smitfraud.C, Virtumonde and now MS Juan. These are the steps taken thus far: DL and Run Malwarebytes in Safe mode. It located and attemped to remove Smit, Vundo and MS Juan, along with other things in the process. Rebooted, and all 3 were found again. I ran CCleaner and wiped the cookies and bad registry entries. I then ran HJT and manually deleted the Smitfraud.C lines. Smitfraud is now gone, and all traces of Vundo.trojan are gone using SuperAntiSpyware in safe mode. All the programs are still finding it, quarantining and deleting, but they reappear. The only thing that remains are registry entries of: MS Juan MS Juan #Rid MS Track System MS Track System #Uid Here is the HJT log. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:09:34, on 1/14/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exeC:\Program Files\Citrix\ICA Client\ssonsvr.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Symantec AntiVirus\DoScan.exeC:\Pfx Engagement\Common\PFXEngDesktopService.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\Messenger\msmsgs.exeC:\Pfx Engagement\Common\PFXSYNPFTService.exeC:\Program Files\Symantec AntiVirus\SavRoam.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\MMTaskbar\MultiMon.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Pfx Engagement\WM\PfxPDFConvertService.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exeO4 - Global Startup: PfxPDFConvertService.exe.lnk = C:\Pfx Engagement\WM\PfxPDFConvertService.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172204464531O16 - DPF: {7279DAF9-31ED-45D6-8CDA-E11A0D24956C} (WebForm Launch Server) - http://files.stf.com/Downloads/WebFormServer_v3.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = swllpfw.comO17 - HKLM\Software\..\Telephony: DomainName = swllpfw.comO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = swllpfw.comO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = swllpfw.comO20 - AppInit_DLLs: rqqnuo.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PFXEngDesktopService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXEngDesktopService.exeO23 - Service: PFXSYNPFTService - CCH Tax and Accounting - C:\Pfx Engagement\Common\PFXSYNPFTService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe --End of file - 6565 bytesAny help is appreciated.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.