
system configuration backup



Does my system have a trojan or is it ok?

system configuration backup is coming up as a trojan and the file associated with this in the registry (sysdate.exe) seems to be bad. sysdate.exe is nowhere on my system as I deleted everything from c:\recycler.

Anti-malware finds a registry entry infected but will not delete it.

Here's my anti-malware logfile and HijackThis logfile:

Malwarebytes' Anti-Malware 1.34

Database version: 1837

Windows 5.1.2600 Service Pack 2

13/03/2009 12:37:55 AM

mbam-log-2009-03-13 (00-37-54).txt

Scan type: Quick Scan

Objects scanned: 74622

Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system configuration backup (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:29:11 AM, on 13/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PRISMSVC.EXE

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Logitech\Profiler\lwemon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice.com.cy/user_site.asp

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {5D7C8712-AAB5-4766-8E18-DC9A84F564E5} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe

O4 - HKCU\..\Run: [start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [bitComet] "C:\Program Files\BitComet\BitComet.exe" /tray

O4 - HKCU\..\Run: [system configuration backup] C:\RECYCLER\S-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} -

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: Intel


  • Root Admin

Please uninstall your Peer2Peer Torrent file sharing software if you want us to assist you. These programs can infect the box faster than we can clean them, so it's a waste of time to work on it until you've removed them.

Then run this please.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Hi.

Here's the logfile and the zipped attach file.

DDS (Ver_09-02-01.01) - NTFSx86

Run by Harry at 19:50:10.93 on Fri 13/03/2009

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1418 [GMT 2:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PRISMSVC.EXE

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\System32\snmp.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Logitech\Profiler\lwemon.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\msiexec.exe

C:\Documents and Settings\Harry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.i-choice.com.cy/user_site.asp

uInternet Settings,ProxyOverride = <local>

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: {140BD8E3-C167-11D4-B4A3-080000180323} - No File

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: {5D7C8712-AAB5-4766-8E18-DC9A84F564E5} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: BrowserHelper Class: {ebcdda60-2a68-11d3-8a43-0060083cfb9c} - c:\windows\system32\nzdd.dll

TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [system configuration backup] c:\recycler\s-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe

uRunOnce: [Ad Muncher Reboot Required]

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP

mRunOnce: [Cleanup] C:\cleanup.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE

StartupFolder: c:\docume~1\harry\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Download all links with IDM

IE: Download FLV video content with IDM

IE: Download linked FLV with GetFLV - c:\program files\getflv\iemenu\DownloadLinkFLV.htm

IE: Download with IDM

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: PRISMAPI.DLL - PRISMAPI.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-7-31 821856]

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-7-31 4224]

R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-7-31 27776]

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-7-31 10760]

R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-7-31 418816]

R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-7-31 49664]

R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-7-31 406528]

R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-7-31 4960]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-5-28 61526]

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-7-11 14976]

R3 MaplomL;MaplomL;c:\windows\system32\drivers\maploml.sys [2008-8-23 36288]

S2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2006-7-5 371349]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-7-21 2560]

S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]

=============== Created Last 30 ================

2009-03-11 23:55 <DIR> --d----- C:\cmdcons

2009-03-11 23:54 161,792 a------- c:\windows\SWREG.exe

2009-03-11 23:54 98,816 a------- c:\windows\sed.exe

2009-03-11 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-03-11 22:16 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-03-11 22:16 <DIR> --d----- c:\docume~1\harry\applic~1\SUPERAntiSpyware.com

2009-03-11 20:56 <DIR> --d----- C:\autoruns

2009-03-11 01:16 <DIR> --d----- c:\docume~1\harry\applic~1\Malwarebytes

2009-03-11 01:16 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-11 01:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 01:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 01:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx

2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx

2009-03-11 01:01 788 a------- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx

2009-03-10 03:41 <DIR> --d----- C:\New Folder (2)

2009-03-10 02:55 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll

2009-03-10 02:55 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-03-10 02:55 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll

2009-03-10 02:55 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe

2009-03-10 02:53 35,871 a------- c:\windows\system32\dllcache\wbfirdma.sys

2009-03-10 02:52 113,762 a------- c:\windows\system32\dllcache\usrpda.sys

2009-03-10 02:51 216,064 a------- c:\windows\system32\dllcache\um34scan.dll

2009-03-10 02:50 81,408 a------- c:\windows\system32\dllcache\tgiul50.dll

2009-03-10 02:49 48,736 a------- c:\windows\system32\dllcache\srwlnd5.sys

2009-03-10 02:48 45,568 a------- c:\windows\system32\dllcache\smb3w.dll

2009-03-10 02:47 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys

2009-03-10 02:46 210,496 a------- c:\windows\system32\dllcache\s3mvirge.dll

2009-03-10 02:45 20,736 a------- c:\windows\system32\dllcache\ramdisk.sys

2009-03-10 02:40 482,304 a------- c:\windows\system32\dllcache\pintlgnt.ime

2009-03-10 02:40 175,104 a------- c:\windows\system32\dllcache\pintlcsa.dll

2009-03-10 02:40 70,144 a------- c:\windows\system32\dllcache\pintlphr.exe

2009-03-10 02:40 53,760 a------- c:\windows\system32\dllcache\pintlcsd.dll

2009-03-10 02:40 121,344 a------- c:\windows\system32\dllcache\phvfwext.dll

2009-03-10 02:40 79,360 a------- c:\windows\system32\dllcache\phon.ime

2009-03-10 02:40 19,840 a------- c:\windows\system32\dllcache\philtune.sys

2009-03-10 02:40 92,416 a------- c:\windows\system32\dllcache\phildec.sys

2009-03-10 02:40 173,696 a------- c:\windows\system32\dllcache\philcam2.sys

2009-03-10 02:38 54,186 a------- c:\windows\system32\dllcache\otcsercb.sys

2009-03-10 02:37 27,936 a------- c:\windows\system32\dllcache\n9i3d.sys

2009-03-10 02:36 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys

2009-03-10 02:35 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll

2009-03-10 02:34 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll

2009-03-10 02:33 20,480 a------- c:\windows\system32\dllcache\icam5ext.dll

2009-03-10 02:32 199,711 a------- c:\windows\system32\dllcache\hsf_faxx.sys

2009-03-10 02:31 17,408 a------- c:\windows\system32\dllcache\gpr400.sys

2009-03-10 02:30 137,088 a------- c:\windows\system32\dllcache\essm2e.sys

2009-03-10 02:29 8,704 a------- c:\windows\system32\dllcache\dot4scan.sys

2009-03-10 02:28 27,648 a------- c:\windows\system32\dllcache\cyyports.dll

2009-03-10 02:27 195,618 a------- c:\windows\system32\dllcache\c_10002.nls

2009-03-10 02:26 10,880 a------- c:\windows\system32\dllcache\admjoy.sys

2009-03-09 22:29 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys

2009-03-09 22:17 <DIR> --d----- c:\program files\K-Lite Codec Pack

2009-03-09 20:14 15,688 a------- c:\windows\system32\lsdelete.exe

2009-03-09 05:58 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-03-09 05:58 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-03-09 04:26 2,148 a------- c:\windows\system32\wpa.dbl

2009-03-08 17:25 <DIR> --d----- c:\program files\Super Internet TV

2009-03-08 03:48 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)

2009-03-07 22:48 3 a------- c:\windows\system32\bactname

2009-03-07 18:58 <DIR> --d----- c:\program files\Trend Micro

2009-02-24 23:05 <DIR> --d----- C:\Heroes of Might and Magic III Complete

2009-02-22 20:21 <DIR> --d----- c:\program files\vSoft

2009-02-22 20:13 1,772,288 a------- c:\docume~1\harry\applic~1\Integrator.exe

2009-02-12 17:30 <DIR> --d----- c:\program files\vanBasco's Karaoke Player

==================== Find3M ====================

2009-03-01 17:47 139,152 a------- c:\docume~1\harry\applic~1\GDIPFONTCACHEV1.DAT

2009-02-10 22:12 796,672 a------- c:\windows\GPInstall.exe

2009-02-09 20:56 67,584 a------- c:\windows\system32\ff_vfw.dll

2009-01-28 19:06 98,304 a------- c:\windows\system32\CmdLineExt.dll

2008-12-24 17:18 1,969 a------- c:\windows\system32\mmf.sys

2008-12-22 15:48 2,396 a------- c:\windows\eReg.dat

2008-12-01 19:16 88 a--shr-- c:\docume~1\alluse~1\applic~1\BF835C99C3.sys

2008-12-01 19:16 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2008-08-23 19:39 94,208 a------- c:\docume~1\harry\applic~1\ezplay.sys

2008-08-23 19:38 47,360 a------- c:\docume~1\harry\applic~1\pcouffin.sys

2008-06-17 19:28 38 a------- c:\documents and settings\harry\A.BAT

1999-09-26 15:25 589,824 a------- c:\documents and settings\harry\VOBMerger.exe

2008-03-10 04:06 66,936 a--sh--- c:\windows\dlinfo_0.drv

2006-11-08 21:14 104 ---shr-- c:\windows\system32\C3995C83BF.sys

============= FINISH: 19:50:34.64 ===============

Attach.zip
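The HijackThis log in the first post and the DDS log above carry the same persistence entry: an HKCU Run value named "system configuration backup" whose command line points into C:\RECYCLER, and the DDS log additionally lists a driver (asbp2poa) registered from the user's Temp folder. The Python script below is an added example, not part of this thread nor of HijackThis, DDS or Malwarebytes. It parses the line formats visible in those two logs and flags launch points that run from a directory malware favours, that sit directly in a drive root, or whose target file is already gone. The directory list and the drive-root rule are this example's own heuristics; the sample lines are copied from the two logs, with the AVG, TeaTimer, CTFMON, EA Core, NvCpl and Lbd rows serving as benign controls.

```python
"""Autorun and driver triage over HijackThis / DDS log lines.

Added example: not part of the forum thread, nor of HijackThis, DDS or
Malwarebytes. It parses the line formats visible in the two logs and flags
launch points that (a) run from a directory malware favours, such as the
Recycle Bin or %TEMP%, (b) sit directly in a drive root, or (c) point at a
file that no longer exists. The heuristics are this example's own.
"""
import re

# Directory fragments (lower-case, backslash-delimited) in which no legitimate
# autorun or kernel driver should live. "\temp\" also covers "\locals~1\temp\".
SUSPICIOUS_DIRS = ("\\recycler\\", "\\$recycle.bin\\", "\\temp\\", "\\tmp\\")
# How the two tools mark an entry whose target file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)", "no file")

# HijackThis: "O4 - HKCU\..\Run: [name] command"; DDS: "uRun: [name] command".
HJT_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
                     r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DDS_RUN = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): "
                     r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS services/drivers: "S3 name;display;path [date size]" or "... --> path [?]".
DDS_SVC = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
                     r"(?P<path>.+?)(?: \[| -->|$)")

def launch_target(cmd):
    """Pull the executable out of a Run-value command line, quoted or not."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first executable-looking extension,
    # so "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" survives and
    # "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" yields the host, RUNDLL32.EXE.
    m = re.match(r"(.+?\.(?:exe|dll|sys|scr|com|bat|cmd))(?:[\s,]|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def normalize(path):
    """Lower-case and strip quotes and the NT '\\??\\' prefix DDS shows on drivers."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p[4:] if p.startswith("\\??\\") else p

def location_reason(path):
    p = normalize(path)
    for frag in SUSPICIOUS_DIRS:
        if frag in p:
            return "runs from " + frag.strip("\\") + " directory"
    if re.match(r"^[a-z]:\\[^\\]+$", p):          # e.g. C:\cleanup.exe
        return "file placed directly in drive root (review)"
    return None

def missing_reason(line):
    t = line.strip().lower()
    return "target file missing" if any(t.endswith(mk) for mk in MISSING_MARKERS) else None

def triage(lines):
    """Return one finding dict per suspicious entry, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_RUN.match(line) or DDS_RUN.match(line)
        if m:
            target = launch_target(m.group("cmd"))
            reason = location_reason(target) if target else None
            if reason:
                findings.append({"kind": m.group("key"), "name": m.group("name"),
                                 "path": target, "reason": reason})
            continue
        m = DDS_SVC.match(line)
        if m:
            reason = location_reason(m.group("path"))
            if reason:
                findings.append({"kind": "driver/service " + m.group("state"),
                                 "name": m.group("name"),
                                 "path": normalize(m.group("path")), "reason": reason})
            continue
        if line.startswith(("O2 - ", "O3 - ", "BHO: ", "TB: ")):
            reason = missing_reason(line)
            if reason:
                findings.append({"kind": "browser helper", "name": line,
                                 "path": "", "reason": reason})
    return findings

# All lines copied from the HijackThis and DDS logs in this thread; the AVG,
# TeaTimer, CTFMON, EA Core, NvCpl and Lbd rows serve as benign controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [system configuration backup] C:\RECYCLER\S-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [system configuration backup] c:\recycler\s-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
BHO: {5D7C8712-AAB5-4766-8E18-DC9A84F564E5} - No File
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['kind']}] {f['name']}: {f['reason']}  {f['path']}")
```

A hit is a lead to verify, not a verdict: a RunOnce entry in the drive root can be an installer's own cleanup step, whereas an autorun or driver under the Recycle Bin or a Temp folder almost never has a legitimate reason to be there. Note also that the "S" prefix DDS puts on asbp2poa means the driver is not currently running; the registration that would load it again is what needs removing, and deleting the .sys file alone (as the original poster did with sysdate.exe) leaves that registration in place.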

  • Root Admin

All of these programs are OLD and either have or may have exploited code. You should remove them and update to current versions if possible when we're done.

Adobe Acrobat - Reader 6.0.2 Update

Adobe Acrobat and Reader 6.0.3 Update

Adobe Acrobat and Reader 6.0.4 Update

Adobe Acrobat and Reader 6.0.5 Update

Adobe Acrobat and Reader 6.0.6 Update

Adobe Flash Player ActiveX

Adobe Flash Player Plugin

Adobe Reader 6.0.1

Macromedia Flash 5

Macromedia Flash Player 8

Spybot - Search & Destroy

Spybot - Search & Destroy 1.4

This Anti-Virus AVG 7.5 is old and should be updated to version 8 or another AV application.

STEP 01

These are exploited and MUST be removed now

J2SE Runtime Environment 5.0 Update 6

Java 2 Runtime Environment, SE v1.4.2_03

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help clean up any leftover Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
  • Then look for the following Java folders and if found delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

STEP 02

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 03

    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type in the Search and it will show on the menu, then right click and choose Run as Administrator. The tab is called BOOT on Vista. Then choose Boot log.

STEP 04

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

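STEP 03 above asks for the boot log that Windows writes to C:\Windows\ntbtlog.txt when boot logging is enabled. The helper wants it because the log is produced by the kernel loader during startup and records every driver image it handled, including ones registered from odd paths such as the Temp-folder driver visible in the DDS log earlier in this thread. The Python script below is an added example, not part of the thread nor of any tool named in it. It parses the "Loaded driver" and "Did not load driver" lines of a boot log, lists images outside the system driver directories, and counts repeated load failures. The sample log is constructed for this example (the header line's exact shape varies by Windows version); only the asbp2poa.sys path is taken from the thread, and the trusted-directory list is this example's assumption.

```python
"""Review a Windows boot log (ntbtlog.txt) for drivers loaded from odd places.

Added example, not part of the thread or of any tool named in it. With boot
logging on, the loader writes one "Loaded driver <image>" line per driver it
started and "Did not load driver <image>" for each one it could not. For a
cleanup the rows worth reading are drivers whose image sits outside the
system driver directories and drivers that keep failing to load.
"""
import re
from collections import Counter

LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "

# Image locations that are normal for a kernel driver on XP, after
# canonicalisation (assumption of this example). A bare file name with no
# backslash is also normal: the loader found it in the default driver directory.
TRUSTED_PREFIXES = ("\\systemroot\\system32\\", "\\windows\\system32\\")

def canonical(path):
    """Lower-case, drop the NT '\\??\\' prefix and any drive letter so that
    '\\??\\C:\\WINDOWS\\system32\\x.sys' and '\\WINDOWS\\system32\\x.sys' compare equal."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)

def is_trusted_location(path):
    p = canonical(path)
    if "\\" not in p:
        return True
    return p.startswith(TRUSTED_PREFIXES)

def review_bootlog(text):
    """Summarise a boot log: driver count, images outside trusted directories,
    and how often each driver failed to load."""
    unusual, did_not_load, loaded = [], Counter(), 0
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(LOADED):
            loaded += 1
            image = line[len(LOADED):]
            if not is_trusted_location(image) and image not in unusual:
                unusual.append(image)
        elif line.startswith(NOT_LOADED):
            did_not_load[line[len(NOT_LOADED):]] += 1
    return {"loaded": loaded, "unusual": unusual, "did_not_load": dict(did_not_load)}

# Constructed sample; a real ntbtlog.txt lists a few hundred drivers.
SAMPLE_BOOTLOG = r"""
Service Pack 2 3 13 2009 19:50:10.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver \SystemRoot\System32\DRIVERS\avg7core.sys
Loaded driver \SystemRoot\system32\DRIVERS\mbam.sys
Loaded driver \??\C:\DOCUME~1\harry\LOCALS~1\Temp\asbp2poa.sys
Loaded driver \SystemRoot\System32\Drivers\Lbd.sys
Did not load driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Did not load driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Did not load driver \SystemRoot\System32\DRIVERS\i8042prt.sys
"""

if __name__ == "__main__":
    report = review_bootlog(SAMPLE_BOOTLOG)
    print(f"{report['loaded']} drivers loaded")
    for image in report["unusual"]:
        print("outside system directories:", image)
    for image, n in report["did_not_load"].items():
        print(f"did not load ({n}x):", image)
```

Read the output as a triage list rather than a verdict. A driver image under a Temp or profile path is the row to chase, because the loader wrote that line itself; a driver that later hides its file from user-mode directory listings does not get to edit what was logged at boot. Rows under "Did not load" that repeat on every boot of the same machine are baseline noise and only become interesting when a driver that should load (an anti-virus filter, for instance) starts failing.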

This topic is now closed to further replies.