
First posted with detail here http://www.malwarebytes.org/forums/index.p...amp;#entry89701

First log from Malwarebytes

Malwarebytes' Anti-Malware 1.37

Database version: 2271

Windows 5.1.2600 Service Pack 2

13/06/2009 17:30:27

mbam-log-2009-06-13 (17-30-27).txt

Scan type: Quick Scan

Objects scanned: 99762

Time elapsed: 20 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\rock the murdoc.dat (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Andrews\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

N.B. Murdoc.dat is probably something from a Gorillaz DVD screensaver that did not get deleted.

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:25:58, on 14/06/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Security Task Manager\SpyProtector.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Novosoft\Handy Backup\hbagent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Belkin Bulldog Plus\MUPS.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [sonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKCU\..\Run: [Handy Backup 6.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk.disabled

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...MetaStream3.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...030/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Dc20xin - Intel Corporation - C:\WINDOWS\system32\drivers\a305.sys

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 8978 bytes

Thanking you in anticipation :)


Here they are.

Infection would have arrived 11/6/2009 at about 01:00 CET.

Also ran MS Rootkit revealer which came up clear.

The services.exe process has given up on the MS/Google/Yahoo/AOL destinations and is now trying to access, for example:

208.109.238.10 secureserver.net

69.162.108.90 reverse.lstn.net

69.175.7.90 webhostingextreme.com

Attach.txt

DDS.txt



Please download the OTM.exe by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    :files
    c:\windows\system32\drivers\ppwyzc.sys
    :services
    mculb
    Cotradpensbd
    Scarksbmewd
    Uppino
    Wpi480piw
    Parcafrwfrv
    Volsentf
    :commands
    [emptytemp]
    [start explorer]

  • Return to OTMoveIt3, right-click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Click Ok to allow OTM to reboot your machine.
  • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM.

New data

I have had Security Task Manager (Neuber software) running all day looking for what is trying to access the Net and network via services.exe, as well as getting scans of various files.

The daily AVG run reported two viruses:

Documents and settings\All Users\Application Data\SecTaskMan\_cdrbsdrv245434FF Virus found Lop

Documents and settings\All Users\Application Data\SecTaskMan\_hidusb20262580 Virus found Lop

As neither of these show up in the directory when I looked, I thought it possible that AVG caught these things while they were active and being logged by Security Task Manager. AVG is still running, so it has not tried to quarantine yet.


Did you follow my instructions?

Was writing my post as you posted, then switched screen off and hit the sack. Have now followed your steps above...

Error: Unable to interpret <processes> in the current context!

Error: Unable to interpret <explorer.exe> in the current context!

========== FILES ==========

File/Folder c:\windows\system32\drivers\ppwyzc.sys not found.

========== SERVICES/DRIVERS ==========

Service\Driver mculb deleted successfully.

Service\Driver Cotradpensbd deleted successfully.

Service\Driver Scarksbmewd deleted successfully.

Service\Driver Uppino deleted successfully.

Service\Driver Wpi480piw deleted successfully.

Service\Driver Parcafrwfrv deleted successfully.

Service\Driver Volsentf deleted successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Andrews\LOCALS~1\Temp\etilqs_dTm8q1sNcBVmqfgIJuCd scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Andrews\LOCALS~1\Temp\~DFA45E.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

User's Temporary Internet Files folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Network Service Temp folder emptied.

File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Network Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\ZLT05434.TMP scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

Explorer started successfully

OTM by OldTimer - Version 2.1.0.1 log created on 06162009_094528

Files moved on Reboot...

File C:\DOCUME~1\Andrews\LOCALS~1\Temp\etilqs_dTm8q1sNcBVmqfgIJuCd not found!

C:\DOCUME~1\Andrews\LOCALS~1\Temp\~DFA45E.tmp moved successfully.

File C:\WINDOWS\temp\ZLT05434.TMP not found!

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\Andrews\Local Settings\Application Data\Mozilla\Firefox\Profiles\f574xnw0.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

I note a couple of items were not found. On checking the Zone Alarm logs it is still calling services.exe. But since the reboot, it has gone back to the Google/Yahoo/AOL/Microsoft targets that it tried the first couple of days. Yesterday it had switched to ISP targets.

Feels like progress, and I want to say a big thank you for the efforts that you and others make to help us in cyber-world.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:33:47, on 17/06/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Security Task Manager\SpyProtector.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Novosoft\Handy Backup\hbagent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Belkin Bulldog Plus\MUPS.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.126/index.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [sonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKCU\..\Run: [Handy Backup 6.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk.disabled

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...MetaStream3.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -

O16 - DPF: {e62d1a95-8299-4b94-85d0-731dc125a60d} (IMMP4Control Control) - http://192.168.1.126/ocx/IMMP4.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...030/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Dc20xin - Intel Corporation - C:\WINDOWS\system32\drivers\a305.sys

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 9119 bytes


Run an online virus scan called Kaspersky from HERE.

  1. At the main page, press "Accept" after reading the contents.
  2. At the next window select Update. Allow the database to update.
     Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
  3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
  4. Select Scan Report.
  5. If any threats were found they will appear in the report.
  6. Select "Save error report as". Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The scan may take a few minutes to complete.

:) It is at 38% after 9 hours... so it might be a while yet. So far

Files scanned 230644

Threat names 2

Infected objects 1

Suspicious objects 1

Duration of the scan 09:06:28

So a positive result. I just hope we do not get a power outage (rural France), as that will probably knock the router off-line for a short while, but perhaps it will cope with that.

I am impressed with Kaspersky, as its impact seems very low compared to AVG, which can grind the system to a crawl for other tasks. Though I have limited my activities to low-level ones to give the scan maximum processor time.


A couple of hours ago I noticed that AVG had not shut down completely; it seems it cannot be just switched off since 7.5! Anyway, I disabled as much as I could without re-booting. Would I need to re-run Kaspersky after this run, even if the virus appears to have gone?

It did find a third a little while ago, but I suspect that to be a false one as it was scanning some Linux directory.

At just under 14 hours it is now at 63%. Will report back when it is done.


The 'virus' is in a 5-year-old backup of an Outlook Express mail file. The original is long since gone. The Real adware I was not aware of, and the FreeRIP one is not running.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Friday, June 19, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Thursday, June 18, 2009 10:42:16

Records in database: 2360217

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

X:\

Z:\

Scan statistics:

Files scanned: 333933

Threat name: 3

Infected objects: 3

Suspicious objects: 1

Duration of the scan: 15:06:15

File name / Threat name / Threats count

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

F:\Backup\D\Data\Mail\Keith B.dbx.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1

F:\Backup\E\freeripmp3.exe.zip Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

Z:\Software Downloads\freeripmp3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

The selected area was scanned.


Hi,

Yes, I finally did that yesterday and left Kaspersky running, but the report is almost the same (below). Whatever it is continues to try connecting every minute, and I just noticed ZA had blocked it from sending (data) with no IP address, followed by an attempt to connect to the router and then back to the list of IP attempts.

Latest report:

Monday, June 22, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Sunday, June 21, 2009 16:18:11

Records in database: 2374281

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

X:\

Z:\

Scan statistics:

Files scanned: 345442

Threat name: 2

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 13:39:52

File name / Threat name / Threats count

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

F:\Backup\E\freeripmp3.exe.zip Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

Z:\Software Downloads\freeripmp3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

The selected area was scanned.

Here is a chunk of the ZA log from this morning:

FWOUT,2009/06/22,09:24:12 +2:00 GMT,192.168.1.13:3105,74.125.127.100:80,TCP (flags:S)

FWOUT,2009/06/22,09:24:44 +2:00 GMT,192.168.1.13:3106,209.131.36.159:80,TCP (flags:S)

FWOUT,2009/06/22,09:25:14 +2:00 GMT,192.168.1.13:3107,64.12.193.85:80,TCP (flags:S)

FWOUT,2009/06/22,09:25:46 +2:00 GMT,192.168.1.13:3108,207.46.197.32:80,TCP (flags:S)

ACCESS,2009/06/22,09:26:16 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the local zone (192.168.1.1:DNS).,N/A,N/A

ACCESS,2009/06/22,09:26:18 +2:00 GMT,Services and Controller app was temporarily blocked from sending data to the local zone (192.168.1.1:DNS).,N/A,N/A

ACCESS,2009/06/22,09:26:34 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet.,N/A,N/A

ACCESS,2009/06/22,09:26:54 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (207.200.94.38:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:27:04 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (207.46.197.32:HTTP).,N/A,N/A

FWOUT,2009/06/22,09:27:14 +2:00 GMT,192.168.1.13:3114,74.125.67.100:80,TCP (flags:S)

FWOUT,2009/06/22,09:27:46 +2:00 GMT,192.168.1.13:3115,209.191.93.53:80,TCP (flags:S)

FWOUT,2009/06/22,09:28:16 +2:00 GMT,192.168.1.13:3116,64.12.193.85:80,TCP (flags:S)

ACCESS,2009/06/22,09:29:14 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (74.125.45.100:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:29:24 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (69.147.114.224:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:29:36 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (205.188.142.182:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:29:46 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (207.46.232.182:HTTP).,N/A,N/A

FWOUT,2009/06/22,09:29:56 +2:00 GMT,192.168.1.13:3122,74.125.45.100:80,TCP (flags:S)

FWOUT,2009/06/22,09:30:26 +2:00 GMT,192.168.1.13:3126,209.191.93.53:80,TCP (flags:S)

FWOUT,2009/06/22,09:30:58 +2:00 GMT,192.168.1.13:3137,64.12.50.151:80,TCP (flags:S)

FWOUT,2009/06/22,09:31:28 +2:00 GMT,192.168.1.13:3138,207.46.232.182:80,TCP (flags:S)

ACCESS,2009/06/22,09:32:00 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (74.125.67.100:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:32:10 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (209.191.93.53:HTTP).,N/A,N/A

ACCESS,2009/06/22,09:32:20 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (64.12.193.85:HTTP).,N/A,N/A

FWOUT,2009/06/22,09:32:40 +2:00 GMT,192.168.1.13:3158,74.125.127.100:80,TCP (flags:S)

FWOUT,2009/06/22,09:33:12 +2:00 GMT,192.168.1.13:3159,209.191.93.53:80,TCP (flags:S)

FWOUT,2009/06/22,09:33:42 +2:00 GMT,192.168.1.13:3169,207.200.94.38:80,TCP (flags:S)

FWOUT,2009/06/22,09:34:14 +2:00 GMT,192.168.1.13:3176,207.46.197.32:80,TCP (flags:S)

Prior to this the only things being blocked were updaters for Real player, Java and Adobe reader.

As services.exe calls are usually with a known program ID, does the fact that no program is shown suggest a problem with services.exe? Or is a well behaved program just passing its ID as part of the call parameters?

I am tempted to try all the on-line scanners but will await your guidance. However, I need an anti-virus running and will install Avira AntiVir for now. If that comes up with anything I will post it.

Link to post
Share on other sites
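The ZoneAlarm excerpt above shows the two things worth pulling out of such a log mechanically: outbound SYNs from 192.168.1.13 that arrive on a near-fixed timer to a rotating set of port-80 hosts, and ACCESS blocks attributed to "Services and Controller app" (ZoneAlarm's display name for services.exe) rather than to a named application. The Python below is an added example for this thread, not part of the original post or of ZoneAlarm; the sample lines are copied from the log above, and the regularity threshold, the minimum destination count and the services.exe name mapping are assumptions chosen for illustration.

```python
"""Triage a ZoneAlarm text log for beaconing by an unattributed process.
Added example for this thread, not part of the original post. The sample lines
are copied from the posted log; thresholds and the services.exe display-name
mapping are assumptions made for illustration."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: FWOUT (outbound SYN) and ACCESS (program blocked) lines from the post.
SAMPLE_LOG = """\
FWOUT,2009/06/22,09:24:12 +2:00 GMT,192.168.1.13:3105,74.125.127.100:80,TCP (flags:S)
FWOUT,2009/06/22,09:24:44 +2:00 GMT,192.168.1.13:3106,209.131.36.159:80,TCP (flags:S)
FWOUT,2009/06/22,09:25:14 +2:00 GMT,192.168.1.13:3107,64.12.193.85:80,TCP (flags:S)
FWOUT,2009/06/22,09:25:46 +2:00 GMT,192.168.1.13:3108,207.46.197.32:80,TCP (flags:S)
ACCESS,2009/06/22,09:26:16 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the local zone (192.168.1.1:DNS).,N/A,N/A
ACCESS,2009/06/22,09:26:18 +2:00 GMT,Services and Controller app was temporarily blocked from sending data to the local zone (192.168.1.1:DNS).,N/A,N/A
ACCESS,2009/06/22,09:26:34 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet.,N/A,N/A
ACCESS,2009/06/22,09:26:54 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (207.200.94.38:HTTP).,N/A,N/A
FWOUT,2009/06/22,09:27:14 +2:00 GMT,192.168.1.13:3114,74.125.67.100:80,TCP (flags:S)
FWOUT,2009/06/22,09:27:46 +2:00 GMT,192.168.1.13:3115,209.191.93.53:80,TCP (flags:S)
FWOUT,2009/06/22,09:28:16 +2:00 GMT,192.168.1.13:3116,64.12.193.85:80,TCP (flags:S)
ACCESS,2009/06/22,09:29:24 +2:00 GMT,Services and Controller app was temporarily blocked from connecting to the Internet (69.147.114.224:HTTP).,N/A,N/A
FWOUT,2009/06/22,09:29:56 +2:00 GMT,192.168.1.13:3122,74.125.45.100:80,TCP (flags:S)
FWOUT,2009/06/22,09:30:26 +2:00 GMT,192.168.1.13:3126,209.191.93.53:80,TCP (flags:S)
FWOUT,2009/06/22,09:30:58 +2:00 GMT,192.168.1.13:3137,64.12.50.151:80,TCP (flags:S)
FWOUT,2009/06/22,09:31:28 +2:00 GMT,192.168.1.13:3138,207.46.232.182:80,TCP (flags:S)
FWOUT,2009/06/22,09:32:40 +2:00 GMT,192.168.1.13:3158,74.125.127.100:80,TCP (flags:S)
FWOUT,2009/06/22,09:33:12 +2:00 GMT,192.168.1.13:3159,209.191.93.53:80,TCP (flags:S)
FWOUT,2009/06/22,09:33:42 +2:00 GMT,192.168.1.13:3169,207.200.94.38:80,TCP (flags:S)
FWOUT,2009/06/22,09:34:14 +2:00 GMT,192.168.1.13:3176,207.46.197.32:80,TCP (flags:S)
"""

FWOUT_RE = re.compile(
    r"^FWOUT,(?P<date>[\d/]+),(?P<time>[\d:]+) [^,]*,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>.*)$")
ACCESS_RE = re.compile(
    r"^ACCESS,(?P<date>[\d/]+),(?P<time>[\d:]+) [^,]*,(?P<program>.+?) was temporarily "
    r"blocked from (?P<what>.+?)(?: \((?P<dst>[\d.]+):(?P<svc>\w+)\))?\.,N/A,N/A$")

def parse_za_log(text):
    """Return one dict per recognised line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("FWOUT", FWOUT_RE), ("ACCESS", ACCESS_RE)):
            m = rx.match(line.strip())
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y/%m/%d %H:%M:%S")
                events.append(ev)
                break
    return events

def beacon_stats(events, src, tolerance=0.25):
    """Inter-arrival statistics for outbound SYNs from one source host."""
    syns = sorted((e for e in events if e["kind"] == "FWOUT" and e["src"] == src),
                  key=lambda e: e["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(syns, syns[1:])]
    if not gaps:
        return None
    med = statistics.median(gaps)
    # Share of gaps within +/- tolerance of the median: high means a timer, not a user.
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)
    return {"attempts": len(syns), "median_gap_s": med, "regular_fraction": regular,
            "distinct_dsts": len({e["dst"] for e in syns}),
            "dports": sorted({int(e["dport"]) for e in syns})}

def blocked_programs(events):
    """Per blocked program, a Counter of the service names ZA reported (HTTP, DNS, ...)."""
    out = defaultdict(Counter)
    for e in events:
        if e["kind"] == "ACCESS":
            out[e["program"]][e["svc"] or "unspecified"] += 1
    return dict(out)

def assess(text, src="192.168.1.13"):
    """Human-readable findings; an empty list means nothing beacon-like was seen."""
    events = parse_za_log(text)
    findings = []
    st = beacon_stats(events, src)
    if st and st["regular_fraction"] >= 0.6 and st["distinct_dsts"] >= 5:
        findings.append(f"{src}: {st['attempts']} SYNs, median gap {st['median_gap_s']:.0f}s "
                        f"({st['regular_fraction']:.0%} regular) to {st['distinct_dsts']} hosts "
                        f"on port(s) {st['dports']}: timer-driven, rotating-destination pattern")
    for prog, svcs in blocked_programs(events).items():
        # Assumption: ZA labels services.exe "Services and Controller app". A core
        # system process opening HTTP/DNS on its own needs an explanation.
        if prog == "Services and Controller app" and (svcs["HTTP"] or svcs["DNS"]):
            findings.append(f"{prog}: {sum(svcs.values())} blocks "
                            f"(HTTP={svcs['HTTP']}, DNS={svcs['DNS']})")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_LOG)))
```

On the sample, the outbound SYNs have a median gap of 32 seconds with most gaps within 25% of it, and ten distinct destinations all on port 80; the larger gaps line up with the stretches where ZoneAlarm logged ACCESS blocks instead of SYNs. Neither statistic identifies the process, but together they say "timer, not a person", which is the reason to go looking for a hidden driver or service rather than a misbehaving updater.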

Further info on the source of infection now repaired -

One friend who visited the site received a warning:

"This website wants to run the following add-on: 'Microsoft Data Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If you trust the website ... etc etc ..."

and another

"On your site I'm being asked to allow scripts from abfabglass.co.uk, which is fine, but also from namemartfilmlife.cn (don't go there!) which is a Chinese domain which appears to be wanting to load an iFrame (popup) on your site - the domain has been reported in connection with a known trojan/exploit W32/Pidief.FA."

and another

"My McAfee SiteAdvisor removed a trojan named exploit-cve2007-0071"

So it seems to have been trying various things; it was the hosting server that was affected, not the site itself, and I got no more information about what they did to fix it.

Link to post
Share on other sites

Download GMER Antirootkit Here, click on Download EXE and save to your Desktop

  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | Run | type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.

Link to post
Share on other sites

Antivir completed. Only results I do not understand, hidden registry entries and a driver that could not be opened.:

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\extparamd

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\f96zk6npb

[INFO] The registry entry is invisible.

'55761' objects were checked, '6' hidden objects were found.

AND

Begin scan in 'C:\' <Useless>

C:\Program Files\Adobe\Adobe Illustrator CS\Templates\Marketing\Newsletter 3.ait

[DETECTION] Contains HEUR/HTML.Malware suspicious code

C:\Program Files\Adobe\Adobe Illustrator CS\Templates-en_US-back\Marketing\Newsletter 3.ait

[DETECTION] Contains HEUR/HTML.Malware suspicious code

C:\WINDOWS\system32\drivers\76a89628.sys

[WARNING] The file could not be opened!

Begin scan in 'D:\' <Vincent>

Begin scan in 'E:\' <Joan>

Begin scan in 'F:\' <Felicity>

F:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

Beginning disinfection:

C:\Program Files\Adobe\Adobe Illustrator CS\Templates\Marketing\Newsletter 3.ait

[DETECTION] Contains HEUR/HTML.Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4ab6d0d0.qua'!

C:\Program Files\Adobe\Adobe Illustrator CS\Templates-en_US-back\Marketing\Newsletter 3.ait

[DETECTION] Contains HEUR/HTML.Malware suspicious code

[NOTE] The detection was classified as suspicious.

[NOTE] The file was moved to '4bdf7ed1.qua'!

End of the scan: 22 June 2009 20:41

Used time: 8:46:03 Hour(s)

Typical of Adobe newsletters perhaps :P I will submit/report those as probable false positives.

Hopefully you have some more suggestions :P as whatever is running seems to be not doing much other than making my Zone Alarm log less than useful. Presumably it waits for a successful connect to do something?

Link to post
Share on other sites

Behaviour has changed, it is only trying to access the router 192.168.1.1:53 and trying to send data to it.

I also loaded spybot S&D just to check which version it was, not to run it. ZA reported it as a changed program and I blocked it. It also tried to access the router.

In GMER log - Puzzled by system restore entries on F drive volume info as Sys restore was switched off by me at the start of infection.

Most of the other files on F root are presumably there as they were unpacked for scanning and deleted afterwards? F is used just for back-up and pagefile.

Link to post
Share on other sites

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\drivers\76a89628.sys

Drivers to delete:
76a89628

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the script contains "Drivers to delete" or "Drivers to disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.

Link to post
Share on other sites
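The Avira report a few posts up and the Avenger script just above are two halves of one inference: a service key whose values (imagepath, type, start, ...) are invisible to the registry API, plus a driver file of the same name that the scanner could not open, is a service that is hiding itself, and the Avenger script names exactly that pair. The Python below is an added example for this thread, not Avira's or The Avenger's code, that parses a report in Avira's line format, discards the benign "could not be opened" case (a Windows system file such as the pagefile, which Avira marks with its own NOTE line), pairs hidden services with unopenable drivers by file stem, and renders the two Avenger sections used above. The sample report is constructed from the posted output; the rule that a hidden key must include an imagepath value before it is paired is an assumption.

```python
r"""Correlate Avira's "hidden object" registry findings with driver files the
scanner could not open, and emit an Avenger-style removal script.
Added example for this thread, not the helper's tooling or Avira's. The sample
report is constructed from the posted Avira output; the pagefile entry is the
benign case the parser must not turn into a deletion."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\errorcontrol
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\extparamd
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\76a89628\f96zk6npb
[INFO] The registry entry is invisible.
'55761' objects were checked, '6' hidden objects were found.
Begin scan in 'C:\' <Useless>
C:\WINDOWS\system32\drivers\76a89628.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\' <Felicity>
F:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
"""

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)\\([^\\]+)$",
    re.IGNORECASE)
INVISIBLE = "[INFO] The registry entry is invisible."
UNOPENABLE = "[WARNING] The file could not be opened!"
SYSTEM_FILE = "[NOTE] This file is a Windows system file."

def parse_report(text):
    """Return ({service: set of hidden value names}, [unopenable non-system file paths])."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    hidden = defaultdict(set)
    unopenable = []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = SERVICE_KEY.match(line)
        if m and nxt == INVISIBLE:
            hidden[m.group(2).lower()].add(m.group(3).lower())
        elif line == UNOPENABLE and i > 0:
            # Benign case: files the OS keeps locked (pagefile, hiberfil) get a
            # NOTE on one of the next two lines; everything else is suspicious.
            if SYSTEM_FILE not in lines[i + 1:i + 3]:
                unopenable.append(lines[i - 1])
    return dict(hidden), unopenable

def correlate(hidden, unopenable):
    """Pair each unopenable .sys whose file stem names a hidden service that has an imagepath."""
    pairs = []
    for path in unopenable:
        stem = path.rsplit("\\", 1)[-1].lower()
        stem = stem[:-4] if stem.endswith(".sys") else stem
        if stem in hidden and "imagepath" in hidden[stem]:
            pairs.append((stem, path))
    return pairs

def avenger_script(pairs):
    """Render the 'Files to delete' / 'Drivers to delete' sections in the format used above."""
    files = "\n".join(p for _, p in pairs)
    drivers = "\n".join(s for s, _ in pairs)
    return f"Files to delete:\n{files}\n\nDrivers to delete:\n{drivers}\n"

if __name__ == "__main__":
    hidden, unopenable = parse_report(SAMPLE_REPORT)
    print(avenger_script(correlate(hidden, unopenable)))
```

The pairing rule is deliberately strict: a hidden key with no imagepath, or an unopenable file that is not a driver, is reported but never turned into a deletion line, because a script like the one above is executed at boot with no further confirmation. Anything the correlation does not pair is for a human to look at, exactly as the helper's note says the script is specific to this machine.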

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS\System32\drivers\76a89628.sys" deleted successfully.

Driver "76a89628" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:16:20, on 24/06/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Belkin Bulldog Plus\MUPS.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.126/index.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [sonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKCU\..\Run: [Handy Backup 6.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk.disabled

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...MetaStream3.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -

O16 - DPF: {e62d1a95-8299-4b94-85d0-731dc125a60d} (IMMP4Control Control) - http://192.168.1.126/ocx/IMMP4.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...030/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Dc20xin - Intel Corporation - C:\WINDOWS\system32\drivers\a305.sys

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 8406 bytes

It has not reappeared... am I clean?

Link to post
Share on other sites
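"Am I clean?" is answered by reading the HijackThis log above entry by entry, and the first pass over such a log is mechanical: entries with no file path, services with an unknown owner or a truncated ImagePath, unrecognised Winsock LSPs, IE policy keys, and ActiveX controls downloaded from a LAN address are the lines a reviewer reads first. The Python below is an added example for this thread, not a HijackThis feature, that applies those rules to entries copied from the posted log. The rules are illustrative assumptions and produce a reading list, not a verdict: for instance, "Unknown owner - C:\WINDOWS\" on BITS and wuauserv is often just HijackThis failing to display a svchost-hosted ImagePath, which is why the rule says to read the real ImagePath from the registry rather than calling the entry malicious.

```python
"""Mechanical first pass over a HijackThis (HJT) log: flags the entries a
reviewer should read first. Added example for this thread, not a HijackThis
feature; sample entries are copied from the posted log and the rules are
illustrative assumptions, not a verdict on the machine."""
import ipaddress
from urllib.parse import urlparse

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.126/index.html
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
O16 - DPF: {e62d1a95-8299-4b94-85d0-731dc125a60d} (IMMP4Control Control) - http://192.168.1.126/ocx/IMMP4.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?316
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Dc20xin - Intel Corporation - C:\WINDOWS\system32\drivers\a305.sys
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

def is_private_host(url):
    """True when the URL's host is a private/loopback address literal (RFC 1918 etc.)."""
    host = urlparse(url).hostname
    try:
        return host is not None and ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name rather than an address literal
        return False

def triage(text):
    """Return (entry type, reason, line) for each entry a rule fires on, in log order."""
    findings = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        kind = line.split(" ", 1)[0]
        if kind == "R0" and "=" in line and is_private_host(line.split("=", 1)[1].strip()):
            findings.append((kind, "browser start page points at a LAN host", line))
        elif kind == "O4" and "] " in line:
            # Drop the (User '...') suffix and quotes; a command with no directory
            # component is resolved through the search path, so it is ambiguous.
            cmd = line.split("] ", 1)[1].split(" (User ")[0].strip().strip('"')
            if cmd and "\\" not in cmd:
                findings.append((kind, "bare file name, resolved through the search path", line))
        elif kind == "O6":
            findings.append((kind, "IE policy restrictions present; confirm who set them", line))
        elif kind == "O10":
            findings.append((kind, "LSP module HJT does not recognise; check its signer", line))
        elif kind == "O16":
            rest = line.split(" - ", 1)[1]
            url = rest.rsplit(" - ", 1)[1].strip() if " - " in rest else ""
            if not url:
                findings.append((kind, "DPF entry with no download URL", line))
            elif is_private_host(url):
                findings.append((kind, "ActiveX control served from a LAN host", line))
        elif kind == "O23":
            owner, path = (p.strip() for p in line.split(" - ")[-2:])
            # 'Unknown owner' plus a bare directory is often HJT failing to show a
            # svchost-hosted ImagePath; confirm in the registry rather than assume.
            if owner == "Unknown owner" or path.endswith("\\"):
                findings.append((kind, "unknown owner or truncated ImagePath; read ImagePath from the registry", line))
    return findings

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_HJT):
        print(f"{kind:4} {reason}\n     {line}")
```

On the sample this yields seven lines to read and leaves the fully pathed, vendor-attributed entries (zlclient.exe, CTFMON.EXE, vsmon, the Intel driver, the HP download) alone. What the script cannot do is the part that actually answers the question: the 76a89628 service is absent from this log because Avenger removed it, and the O23 entries now listed all have a reason to exist, which is the argument for "clean" that the tool only organises.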

This topic is now closed to further replies.