
More avsystemcare woes



Here's the log.

Windows Defender, Bazooka etc coming up with nothing.

This is a work machine, so I have no control over antivirus, but full admin rights on everything else.

Currently using Network Associates antivirus.

==================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:50:39, on 06/08/2007

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mgabg.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Seagate Software\WCS\pageserver.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\vds.exe

C:\Program Files\Seagate Software\WCS\WebCompServer.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE

c:\Program Files\Microsoft SQL Server\90\COM\logread.exe

c:\Program Files\Microsoft SQL Server\90\COM\distrib.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\WINDOWS\system32\PDesk\PDesk.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe

C:\Program Files\GetRight\getright.exe

C:\Program Files\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SymbianConnectRuntime.exe

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SCBAL.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\DEVENV.EXE

Z:\Utilities\Exe\SprocSafe.exe

C:\Program Files\Microsoft Visual Studio\Common\VSS\win32\SSEXP.EXE

C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\sqlwb.exe

C:\WINDOWS\system32\luleixvf.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\QSA Ltd\PV Configuration Tool v1.4\LabelConfig.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\NewsLeecher\newsLeecher.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Sony Ericsson\Mobile4\Sync Manager\SyncIndicator.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE

C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE

C:\Program Files\Internet Explorer\iexplore.exe

c:\windows\system32\inetsrv\w3wp.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.uk-dev-duncans

O15 - Trusted Zone: http://*.uk-qa-msweb03

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab

O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://uk-dev-duncans/Reports/Reserved.Rep...OpType=PrintCab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\Software\..\Telephony: DomainName = wwre.org

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wwre.org

O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe

--

End of file - 12515 bytes


I was using Bazooka Adware and Spyware scanner - which until recently has done me very well.

Cleaned the system using Spybot S&D, and that's fixed a few things.

Ran RogueRemover free edition and it found nothing at all (latest version).

Forgot to set the Panda off overnight. I'll see about doing it now, but this is a work machine and I'm a developer, so if it starts impacting performance, I'll have to leave it until tonight to run and post the log in the morning.

HijackThis log below:

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:22:31, on 07/08/2007

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mgabg.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Seagate Software\WCS\pageserver.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\vds.exe

C:\Program Files\Seagate Software\WCS\WebCompServer.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE

c:\Program Files\Microsoft SQL Server\90\COM\logread.exe

c:\Program Files\Microsoft SQL Server\90\COM\distrib.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\WINDOWS\system32\PDesk\PDesk.exe

C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe

C:\Program Files\GetRight\getright.exe

C:\Program Files\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe

C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SymbianConnectRuntime.exe

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SCBAL.exe

C:\Program Files\Sony Ericsson\Mobile4\Sync Manager\SyncIndicator.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.uk-dev-duncans

O15 - Trusted Zone: http://*.uk-qa-msweb03

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://uk-dev-duncans/Reports/Reserved.Rep...OpType=PrintCab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\Software\..\Telephony: DomainName = wwre.org

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wwre.org

O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe

--

End of file - 12060 bytes


Run a scan and remove everything found with this program http://free.grisoft.com/doc/28415/lng/us/tpl/v5 AVG AntiSpyware and post that log please.

Panda can run while you use the machine. Bazooka is a rogue program and that makes it virtually useless. Rogues tell you they find things and remove them, when in fact nothing is done.

You're using a version of Java that is known to be a critical security risk, highly exploitable. You should uninstall and delete the program folder and get the latest version. http://www.java.com/en/download/manual.jsp

As for your productivity, I'm sure it is more impacted by your infection(s) than you realize and in fact all your information could very well be being sent to someone else. Whenever you find time please post the logs from Panda and AVG.


I've never had Bazooka tell me it can remove anything - it purely tells you if it finds something, then you go off to a very informative website that tells you where to look for the files and how to remove it, along with links to free AVG or Norton utils that target that spyware/virus.

The utility shows all file and registry locations and goes in depth into removing it yourself, for free, and never once has it recommended "pay-for" software.

Are we talking about the same Bazooka?

Oh... and Panda got about 40% of the way through earlier and then crashed IE lol... will run that tonight :D

Stu


I see that I was misidentifying the program, Bazooka. Sorry about that. There is one with the same name that is rogue. If Panda crashed that could be a sign of something making it crash, it is usually stable. Run AVG first if you can and post that log. Thanks.


I ran AVG and it deleted the New.DotNet file, along with another Trojan that I can't remember - I couldn't get it to save a log (even though I had "always create a report" enabled).

Every time I try to run Panda now, I get a JavaScript error, so that's not looking good.

Ran the latest RogueRemover and that's found nothing.

Currently doing a rootkit search with GMER.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:35:11, on 09/08/2007

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mgabg.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Seagate Software\WCS\pageserver.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\vds.exe

C:\Program Files\Seagate Software\WCS\WebCompServer.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\UltraMon\UltraMon.exe

c:\Program Files\Microsoft SQL Server\90\COM\logread.exe

c:\Program Files\Microsoft SQL Server\90\COM\distrib.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\WINDOWS\system32\PDesk\PDesk.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Last.fm\LastFMHelper.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SymbianConnectRuntime.exe

C:\PROGRA~1\Symbian\Shared\SymbianConnectRunTime\SCBAL.exe

C:\PROGRA~1\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe

C:\Documents and Settings\DuncanS\Local Settings\Temp\gmer.exe

c:\downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/

O1 - Hosts: 87.117.196.106 www.ktjewellery.co.uk

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [pvinstall] "c:\pvinstall.vbs"

O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"

O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: Map Z Drive.lnk = C:\startup.bat

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Global Startup: SQL Prompt.lnk = C:\Program Files\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)

O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll

O14 - IERESET.INF: START_PAGE_URL=http://intranet

O15 - Trusted Zone: http://staging.cpd.gnx.com

O15 - Trusted Zone: http://www.pandasecurity.com

O15 - Trusted Zone: http://www.pandasoftware.com

O15 - Trusted Zone: http://*.uk-dev-duncans

O15 - Trusted Zone: http://*.uk-qa-msweb03

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://uk-dev-duncans/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=jzgar1v4erq2uo45ydvqek55&ControlID=a6ccf01f-181c-43f1-9d1d-039dca17dcf8&Culture=2057&UICulture=9&ReportStack=1&OpType=PrintCab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\Software\..\Telephony: DomainName = wwre.org

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwre.org

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wwre.org

O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe

--

End of file - 10558 bytes

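The three logs above are triaged by eye in this thread. As an added illustration (not code from the thread, from HijackThis or from any tool named here), the script below parses HijackThis-style lines and flags the patterns the helper and poster are reacting to: short random-looking names sitting directly in system32 (luleixvf.exe, jkhhi.dll), Winlogon Notify packages outside the stock set, hosts-file overrides, autorun entries that launch loose scripts, and entries whose target file is missing. The two allowlists are assumptions built for the example, and the sample log is a constructed handful of lines lifted from the logs posted above.

```python
"""Triage helper for HijackThis-style logs: flag the entry types this thread turns
on (random-looking names in system32, Winlogon Notify DLLs, hosts overrides,
autorun scripts, missing files). Heuristic only: a flag means "review", not "malware"."""
import re
from dataclasses import dataclass

# Assumed allowlist: stock binaries that sit directly in system32 under short
# lowercase names (taken from the clean entries in the logs above).
KNOWN_SYSTEM32 = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv",
                  "netdde", "cisvc", "cidaemon", "dllhost", "vds", "snmp", "mgabg",
                  "taskmgr", "ctfmon", "dumprep", "tscupgrd"}
# Assumed allowlist of Winlogon Notify packages shipped with Windows XP/2003.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")            # jkhhi, luleixvf, ghzozres
PROCESS_LINE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
ENTRY_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
LOOSE_SCRIPT = re.compile(r"[a-z]:\\[^\\\"\s]+\.(?:vbs|bat|cmd|js)\b", re.I)
MISSING = " (file missing)"


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    item: str       # the log line that triggered the finding
    reason: str


def path_stem(path: str) -> str:
    """Lowercase file name without extension: C:\\x\\jkhhi.dll -> jkhhi."""
    name = path.replace(MISSING, "").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def random_name_in_system32(path: str) -> bool:
    """True for a short, lowercase, unfamiliar name sitting directly in system32."""
    parts = path.replace(MISSING, "").lower().split("\\")
    if len(parts) < 2 or parts[-2] != "system32":
        return False
    stem = path_stem(path)
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_SYSTEM32


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_LINE.match(line):                 # "Running processes" section
            if random_name_in_system32(line):
                findings.append(Finding("high", line, "random-looking process name in system32"))
            continue
        m = ENTRY_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if MISSING in body:
            findings.append(Finding("review", line, "entry references a file that no longer exists"))
        if section == "O20":
            # "Winlogon Notify: <package> - <dll>": the DLL is loaded by winlogon.exe at logon
            package, _, dll = body.partition(": ")[2].partition(" - ")
            if package.lower() not in KNOWN_WINLOGON_NOTIFY or random_name_in_system32(dll):
                findings.append(Finding("high", line, "Winlogon Notify package outside the stock set"))
        elif section == "O1":
            findings.append(Finding("review", line, "hosts-file override bypasses DNS for that name"))
        elif section == "O15":
            findings.append(Finding("review", line, "IE Trusted Zone site runs with relaxed security"))
        elif section == "O4" and LOOSE_SCRIPT.search(body):
            findings.append(Finding("review", line, "autorun entry launches a loose script file"))
    return findings


def count_by_severity(findings) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: a handful of lines lifted from the logs posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\luleixvf.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
O1 - Hosts: 87.117.196.106 www.ktjewellery.co.uk
O4 - HKLM\..\Run: [pvinstall] "c:\pvinstall.vbs"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O15 - Trusted Zone: http://*.uk-qa-msweb03
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""
if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.item}")
```

On the sample it raises two high findings (luleixvf.exe and the jkhhi Winlogon Notify entry) and five review findings; the allowlist approach is deliberately conservative, so anything it flags still needs a human to check the file's signer, timestamp and origin.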

If this helps, the rootkit search (so far) has revealed the following hidden process and highlighted it red....

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-09 15:46:29
Windows 5.2.3790 Service Pack 1

---- Processes - GMER 1.0.13 ----

Process    c:\windows\system32\ghzozres.exe (*** hidden *** )    2880
Library    c:\windows\system32\ghzozres.exe (*** hidden *** ) @ c:\windows\system32\ghzozres.exe [2880]    0x00400000

Decided to do a virus scan on that file via VirusTotal:

Antivirus           Version        Last Update   Result
AhnLab-V3           2007.8.9.2     2007.08.09    -
AntiVir             7.4.0.57       2007.08.09    -
Authentium          4.93.8         2007.08.08    -
Avast               4.7.1029.0     2007.08.09    -
AVG                 7.5.0.476      2007.08.08    -
BitDefender         7.2            2007.08.09    -
CAT-QuickHeal       9.00           2007.08.09    (Suspicious) - DNAScan
ClamAV              0.91           2007.08.09    -
DrWeb               4.33           2007.08.09    -
eSafe               7.0.15.0       2007.07.31    -
eTrust-Vet          31.1.5045      2007.08.09    -
Ewido               4.0            2007.08.08    -
FileAdvisor         1              2007.08.09    -
Fortinet            2.91.0.0       2007.08.09    -
F-Prot              4.3.2.48       2007.08.08    -
F-Secure            6.70.13030.0   2007.08.09    -
Ikarus              T3.1.1.12      2007.08.09    -
Kaspersky           4.0.2.24       2007.08.09    -
McAfee              5093           2007.08.08    -
Microsoft           1.2704         2007.08.09    -
NOD32v2             2446           2007.08.09    -
Norman              5.80.02        2007.08.08    -
Panda               9.0.0.4        2007.08.09    -
Prevx1              V2             2007.08.09    -
Rising              19.35.32.00    2007.08.09    -
Sophos              4.19.0         2007.08.01    -
Sunbelt             2.2.907.0      2007.08.09    -
Symantec            10             2007.08.09    Trojan.Skintrim
TheHacker           6.1.7.166      2007.08.09    -
VBA32               3.12.2.2       2007.08.09    -
VirusBuster         4.3.26:9       2007.08.09    -
Webwasher-Gateway   6.0.1          2007.08.09    -

Additional information
File size: 263680 bytes
MD5: b974d7a5c37e15c07b6ce2b99547a3e7
SHA1: cbcd9d8295f1b7f3c67fd17fb1b55c5aff37490e

I don't know where you uploaded the file to; if it is the malware submission on this site that's fine, but I don't have access. The way this whole process works is you follow instructions as they are given. Taking action on your own can be a disaster if you don't know what you're doing, and it makes it impossible for me to keep track of what has been done. Snips of logs are not sufficient to make any decisions on the next step to take. Actually this is my final advice due to what has happened here; I won't be giving any more advice.

If you had a rootkit, you may still have one and you need to change all passwords, and contact any institutions that you have exchanged sensitive data with. The only sure way to know you're free of a rootkit is to wipe the drive, especially in this case since only you know what has been done and you aren't sure of that.

If you think you're infection free and you're not going to reformat, you must reset System Restore and create a clean restore point. My advice would be a reformat at this point.

To set a new restore point, go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here

Should you wish to receive more assistance please start a new topic and someone else can assist you.

