
Hi,

I am here for help with cleaning my PC.

It got several Trojans and they make the system almost unworkable.

Hopefully I get the procedure right. I think I followed the instructions so far and I will be rebooting after posting this logfile.

L O G F I L E

- S T A R T -

Malwarebytes' Anti-Malware 1.30

Database version: 1441

Windows 5.1.2600 Service Pack 3

01/12/2008 16:47:47

mbam-log-2008-12-01 (16-47-47).txt

Scan type: Quick Scan

Objects scanned: 68427

Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 5

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\wogenifi.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\tiyanezi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87f5a56d-33bd-412c-a0f2-803ddf5211a1} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{87f5a56d-33bd-412c-a0f2-803ddf5211a1} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{87f5a56d-33bd-412c-a0f2-803ddf5211a1} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm633bac7d (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasateneso (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tiyanezi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\tiyanezi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\tiyanezi.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\tafivefi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ifevifat.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wogenifi.dll (Trojan.BHO.H) -> Delete on reboot.

C:\WINDOWS\system32\tiyanezi.dll (Trojan.Vundo) -> Delete on reboot.

- E N D -

Looking forward to the kind help on offer.

Kind Regards

Ralph


Hi Ralph,

Welcome to Malwarebytes.org!

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.

Step #1

* Clean your Cache and Cookies in Internet Explorer:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Step #2

  • Please download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Thanks!


Logfile of random's system information tool 1.04 (written by random/random)

Run by Ralph at 2008-12-01 22:10:36

Microsoft Windows XP Professional Service Pack 3

System drive C: has 8 GB (8%) free of 103 GB

Total RAM: 2046 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:11:13, on 01/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Kontiki\KService.exe

C:\ElsaWin\bin\LcSvrAdm.exe

C:\ElsaWin\bin\LcSvrDba.exe

C:\ElsaWin\bin\LcSvrHis.exe

C:\ElsaWin\bin\LcSvrPas.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\oodag.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\ElsaWin\bin\LcSvrAuf.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Norton Password Manager\AcctMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\WINDOWS\system32\cleanmgr.exe

C:\Documents and Settings\Ralf Stahlmann\Desktop\RSIT.exe

C:\Program Files\trend micro\Ralf Stahlmann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nvidia.com/content/drivers/redi...page=sysutility

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet2\jccatch.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet2\getflash.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

O4 - HKUS\S-1-5-19\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'NETWORK SERVICE')

O4 - Startup: Dialog Helper.lnk = C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet2\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet2\jc_link.htm

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet2\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet2\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200094956984

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - C:\ElsaWin\bin\wiProt.dll

O20 - AppInit_DLLs: c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAdm.exe

O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAuf.exe

O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - C:\ElsaWin\bin\LcSvrDba.exe

O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - C:\ElsaWin\bin\LcSvrHis.exe

O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - C:\ElsaWin\bin\LcSvrPas.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 16746 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IPoint_exe.job

C:\WINDOWS\tasks\Symantec Drmc.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{AC6E7797-8923-4543-9A25-A4F2D090978D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]

FGCatchUrl - C:\Program Files\FlashGet2\jccatch.dll [2007-08-06 94308]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]

Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-12-14 392240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]

FlashGet GetFlash Class - C:\Program Files\FlashGet2\getflash.dll [2007-05-18 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2006-10-22 321120]

{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2002-05-27 86016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-07-12 178712]

"JMB36X IDE Setup"=C:\WINDOWS\RaidTool\xInsIDE.exe [2007-03-20 36864]

"36X Raid Configurer"=C:\WINDOWS\system32\xRaidSetup.exe [2007-05-25 1953792]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]

"nwiz"=nwiz.exe /install []

"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]

"NWEReboot"= []

"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]

""= []

"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-03-14 54832]

"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 53248]

"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]

"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE [2004-08-04 44032]

"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]

"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]

"FinePrint Dispatcher v5"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe [2008-04-18 520192]

"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 1037736]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-07-05 16380416]

"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]

"AcctMgr"=C:\Program Files\Norton Password Manager\AcctMgr.exe [2003-10-21 582840]

"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-04-08 48752]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]

"WinampAgent"=C:\Program Files\Winamp\winampa.exe []

"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]

"vptray"=C:\PROGRA~1\SYMANT~1\\vptray.exe [2005-04-17 85184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"DVDXGhost"= []

"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-02-21 5724184]

"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

"AnyDVD"=C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe [2008-11-11 2268096]

C:\Documents and Settings\Ralf Stahlmann\Start Menu\Programs\Startup

Dialog Helper.lnk - C:\Program Files\Avanquest\PowerDesk\pddlghlp.exe

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"=" c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

C:\WINDOWS\system32\NavLogon.dll [2005-04-17 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"=C:\Program Files\DVD X Studios\DVD X Utilities 1.5\DVDGhost\ExecuteHooker.dll [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:


Hi there,

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKUS\S-1-5-19\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll

Close all other windows and browsers, and press the Fix Checked button.

Step #2

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Step #3

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks!

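The four entries in Step #1 are the two persistence points this infection relies on: a Run value in the LOCAL SERVICE and NETWORK SERVICE hives (HKU\S-1-5-19 and S-1-5-20), which no interactively installed software sets, and AppInit_DLLs, which Windows loads into every process that maps user32.dll. The Python script below is an added example for this thread, not part of the original post and not a HijackThis feature: it scores lines of this shape so the suspicious ones sort to the top. The sample lines are constructed from the entries quoted above plus two assumed benign entries for contrast; the weights and the 8-letter consonant/vowel name test (which happens to match every DLL name in this thread) are the editor's heuristics, not anything HijackThis or ComboFix does.

```python
"""Scoring of HijackThis O4 (Run keys) and O20 (AppInit_DLLs) lines.

Added example for this thread; not part of the original post and not a
HijackThis feature. Sample lines are constructed: four are the entries the
helper asked to be fixed, two are assumed benign entries of the same shape.
The weights and the name heuristic are the editor's assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    # assumed benign rundll32 loader, as HijackThis would render it
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"""O4 - HKUS\S-1-5-19\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'LOCAL SERVICE')""",
    r"""O4 - HKUS\S-1-5-20\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'NETWORK SERVICE')""",
    r"O20 - AppInit_DLLs: c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll",
]

# Well-known SIDs of the built-in service accounts. These accounts never log
# on interactively, so a per-user Run value in their hives is rarely legitimate.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>S-1-5-[\d-]+))\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Editor's heuristic: 8 letters, strictly consonant/vowel alternating
# (wogenifi, tiyanezi, larifise, dalotuhu, modopodu in this thread).
CV_NAME_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def dll_stem(path):
    """Lower-case file name without the .dll extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def score_dll(finding, path, base_points, label):
    finding.add(base_points, f"{label}: {path}")
    if CV_NAME_RE.match(dll_stem(path)):
        finding.add(2, "random-looking 8-letter name like the Vundo DLLs in this thread")


def triage_line(line):
    """Score one HijackThis line; 0 means nothing in it looked suspicious."""
    f = Finding(line)
    m = O4_RE.match(line)
    if m:
        sid = m.group("sid")
        if sid in SERVICE_SIDS:
            f.add(3, f"Run value in the {SERVICE_SIDS[sid]} hive ({sid}); service accounts do not log on interactively")
        r = RUNDLL_RE.search(m.group("cmd"))
        if r:
            # rundll32 loaders are also used by legitimate software (NvCpl),
            # so this alone only gets a small weight.
            score_dll(f, r.group("dll"), 1, "DLL launched through rundll32")
        return f
    m = O20_RE.match(line)
    if m:
        # Assumes space-separated paths without embedded spaces, which holds
        # for the system32 paths seen here.
        for path in m.group("dlls").split():
            score_dll(f, path, 3, "AppInit_DLLs injection into every user32 process")
    return f


def triage(lines):
    """Return the suspicious findings, highest score first."""
    findings = [triage_line(ln) for ln in lines]
    return sorted((f for f in findings if f.score > 0), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.score:2d}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run stand-alone, the script lists the AppInit_DLLs line first, then the two service-account Run values, and leaves the Realtek ALCMTR entry out entirely; the NvCpl loader appears last with a score of one, which is the point of weighting rundll32 lightly.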

Hi,

Just before I start with the log.txt, a brief remark on your suggested deletes after running HijackThis.

I could only find 2 of the 4 entries (the first and the last one):

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKUS\S-1-5-19\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [vasateneso] Rundll32.exe "C:\WINDOWS\system32\larifise.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: c:\windows\system32\dalotuhu.dll c:\windows\system32\modopodu.dll

I had noticed this morning a message from Symantec Antivirus that it successfully quarantined something.

Otherwise I proceeded as instructed and received this log.

ComboFix 08-12-01.03 - Ralph 2008-12-02 20:52:16.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1357 [GMT 0:00]

Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ralph\Favorites\.url

c:\documents and settings\Ralph\Favorites\Games.url

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\ewahadal.ini

c:\windows\system32\izamanuf.ini

c:\windows\system32\NTVBSvcW.tlb

c:\windows\system32\system

c:\windows\system32\system\msxml4.dll

c:\windows\system32\system\msxml4r.dll

D:\WinXp.exe

.

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))

.

2008-12-02 20:41 . 2008-12-02 20:41 410,976 --a------ c:\windows\system32\deploytk.dll

2008-12-02 20:41 . 2008-12-02 20:41 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-01 22:10 . 2008-12-01 22:11 <DIR> d-------- C:\rsit

2008-12-01 22:10 . 2008-12-01 22:11 <DIR> d-------- c:\program files\trend micro

2008-12-01 17:13 . 2008-12-01 17:19 <DIR> d-------- c:\program files\EsetOnlineScanner

2008-12-01 16:35 . 2008-12-01 16:35 <DIR> d-------- c:\documents and settings\Ralph\Application Data\Malwarebytes

2008-12-01 16:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-01 16:34 . 2008-12-01 16:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-01 16:34 . 2008-12-01 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-01 16:34 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-30 16:56 . 2008-12-01 14:24 325 --a------ c:\windows\wininit.ini

2008-11-28 18:38 . 2008-11-28 18:38 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Winamp

2008-11-26 20:28 . 2008-11-26 20:28 <DIR> d-------- C:\My Music

2008-11-26 00:08 . 2008-11-26 00:08 <DIR> d-------- c:\documents and settings\Ralph\Application Data\Uniblue

2008-11-25 23:09 . 2008-11-25 23:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avanquest

2008-11-19 22:35 . 2008-11-19 22:35 <DIR> d-------- c:\documents and settings\Ralph\Application Data\GARMIN

2008-11-19 22:34 . 2008-11-19 22:34 <DIR> d-------- c:\program files\Garmin GPS Plugin

2008-11-16 02:17 . 2008-11-16 02:17 <DIR> d-------- c:\program files\Microsoft Virtual PC

2008-11-14 22:20 . 2008-11-14 22:20 244 --ah----- C:\sqmnoopt16.sqm

2008-11-14 22:20 . 2008-11-14 22:20 232 --ah----- C:\sqmdata16.sqm

2008-11-12 19:57 . 2008-11-12 19:57 103,360 --------- c:\windows\system32\drivers\AnyDVD.sys

2008-11-12 16:57 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 16:44 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-06 19:06 . 2008-11-06 19:06 93,128 --a------ c:\windows\system32\ElbyCDIO.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-02 20:52 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2008-12-02 20:44 --------- d-----w c:\program files\Symantec AntiVirus

2008-12-02 20:41 --------- d-----w c:\program files\Java

2008-12-02 12:15 --------- d-----w c:\program files\FlashGet

2008-12-01 11:18 --------- d-----w c:\program files\FlashGet2

2008-11-30 17:06 --------- d-----w c:\documents and settings\Ralph\Application Data\uTorrent

2008-11-24 23:00 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-13 10:49 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles

2008-11-12 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-11 18:43 --------- d-----w c:\program files\Thumbs7

2008-11-11 12:53 --------- d-----w c:\program files\SlySoft

2008-11-06 23:38 --------- d-----w c:\program files\CloneDVD

2008-11-01 11:39 --------- d-----w c:\documents and settings\Ralph\Application Data\teamspeak2

2008-10-31 23:57 --------- d-----w c:\program files\uTorrent

2008-10-29 14:03 --------- d-----w c:\program files\DivX

2008-10-27 02:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-10-25 17:00 --------- d-----w c:\program files\Kontiki

2008-10-25 16:57 --------- d-----w c:\program files\LinkStash

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 10:56 --------- d-----w c:\documents and settings\Ralph\Application Data\AccurateRip

2008-10-24 09:43 --------- d-----w c:\program files\Exact Audio Copy

2008-10-22 13:51 --------- d-----w c:\program files\NCH Swift Sound

2008-10-22 13:51 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound

2008-10-21 09:25 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-20 19:48 --------- d-----w c:\program files\Teamspeak2_RC2

2008-10-20 19:44 --------- d-----w c:\program files\Teamspeak_german

2008-10-16 19:34 24,944 ----a-w c:\windows\system32\drivers\GVTDrv.sys

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 09:34 --------- d-----w c:\program files\Windows Mobile Device Handbook

2008-10-16 09:34 --------- d-----w c:\program files\Microsoft ActiveSync

2008-10-07 21:24 --------- d-----w c:\program files\WinHex

2008-10-04 15:52 --------- d-----w c:\documents and settings\Ralph\Application Data\Winamp

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-09-16 20:17 364 ----a-w C:\drmHeader.bin

2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe

2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll

2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll

2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll

2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll

2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll

2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll

2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll

2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe

2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-08 21:26 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2008-07-11 10:57 8 --sh--r c:\documents and settings\All Users\Application Data\3E60938E4B.sys

2008-02-03 13:37 81,920 ----a-w c:\documents and settings\Ralph\Application Data\ezpinst.exe

2008-02-03 13:37 47,360 ----a-w c:\documents and settings\Ralph\Application Data\pcouffin.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-02-21 5724184]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-11 2268096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-14 54832]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2008-04-18 520192]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2003-10-21 582840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]

"nwiz"="nwiz.exe" [2007-05-10 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

c:\documents and settings\Ralph\Start Menu\Programs\Startup\

Dialog Helper.lnk - c:\program files\Avanquest\PowerDesk\pddlghlp.exe [2008-04-22 46336]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD X Studios\DVD X Utilities 1.5\DVDGhost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\FlashGet2\\flashget.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=

"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2007-09-19 21:37:48 41456]

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-08-26 147456]

R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-08-26 233472]

R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-08-26 217088]

R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-08-26 368640]

R2 PSI_SVC_2;Protexis Licensing V2;"c:\program files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 185632]

R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-08-26 1302528]

R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]

S3 GVTDrv;GVTDrv;\??\c:\windows\system32\Drivers\GVTDrv.sys [2008-06-29 24944]

S3 MarkFun_NT;MarkFun_NT;\??\c:\program files\Gigabyte\ET5Pro\markfun.w32 []

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-04-17 124608]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys []

S3 VC4CB104;USB PC Camera;c:\windows\system32\Drivers\VC4CB104.SYS [2008-02-08 81924]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9ee1ef7-536e-11dd-829d-001a4d567bdf}]

\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-07-29 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 11:01]

2008-12-02 c:\windows\Tasks\Symantec Drmc.job

- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]

2008-12-02 c:\windows\Tasks\User_Feed_Synchronization-{AC6E7797-8923-4543-9A25-A4F2D090978D}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)

HKCU-Run-DVDXGhost - (no file)

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

HKLM-Run-NWEReboot - (no file)

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Ralph\Application Data\Mozilla\Firefox\Profiles\m9rb43ct.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/

FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-02 20:53:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]

"ImagePath"="\??\c:\program files\Gigabyte\ET5Pro\markfun.w32"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-12-02 20:54:42

ComboFix-quarantined-files.txt 2008-12-02 20:53:55

Pre-Run: 9,562,320,896 bytes free

Post-Run: 9,650,069,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

257 --- E O F --- 2008-11-12 19:29:19

Thank you

Ralph


Hi, just an update for today.

While I was doing things on my PC, Sun popped a box up on my screen about an available Java update (V6 update 11) and asked if I wanted to install it.

I clicked Later, as you told me a couple of days ago to install Java amongst other things. I did not want to upset your repair routine by presuming it would be fine to install this one.

Please tell me what the next step is.

Regards

Ralph


Hi there,

Yes, please do install that update; it includes some security patches. That some of the HJT entries were missing is OK. I am a bit in a hurry and unfortunately was not able to reply to you last night. Please have the following scan also carried out:

Download and save Blacklight to your desktop:

  • Double-click blbeta.exe, accept the agreement, then click Scan, then Next.
  • You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
  • Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

I will reply then with more information tonight.

Thanks, Yohi


Good evening Yohi,

It can happen that one has less time in the run-up to Christmas.

I have carried out the Java update and downloaded and ran the Blacklight tool as instructed.

At the end I received the following log:

12/04/08 12:03:19 [info]: BlackLight Engine 2.2.1092 initialized

12/04/08 12:03:19 [info]: OS: 5.1 build 2600 (Service Pack 3)

12/04/08 12:03:20 [Note]: 7019 4

12/04/08 12:03:20 [Note]: 7005 0

12/04/08 12:03:48 [Note]: 7006 0

12/04/08 12:03:48 [Note]: 7011 404

12/04/08 12:03:48 [Note]: 7035 0

12/04/08 12:03:48 [Note]: 7026 0

12/04/08 12:03:48 [Note]: 7026 0

12/04/08 12:03:50 [Note]: FSRAW library version 1.7.1024

12/04/08 12:14:09 [Note]: 2000 1012

12/04/08 12:14:09 [Note]: 2000 1012

12/04/08 12:16:00 [Note]: 7007 0

On a side note, I would like to mention that my own registry change for enabling IE to use a URL containing a username and password (h**p://username:password@domain.com) has been reversed by your procedures. Also, the driver for my USB headset is returning scrambled sound. I guess, once we are finished, I need to reinstall the driver or DivX.

Until this evening,

Kind regards,

Ralph


Hi Ralph,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

  1. Open Notepad and copy/paste the text in the codebox below into it (each directive and each path on its own line):

    DirLook::
    C:\documents and settings\Ralph\Application Data\Uniblue
    File::
    C:\sqmnoopt16.sqm
    C:\sqmdata16.sqm

  2. Save this as CFScript.txt
    [image: CFScript_small.gif]
  3. Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  4. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step #2

You may update to Java update 11. Make sure you uninstall all previous versions though, as they are a source of infections.

Step #3

Please go to Eset Onlinescan (NOD32)

(You need to use Internet Explorer or enable IEView in Firefox)

  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your PC)
  • To do a full scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your PC (this could take a while)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will now open in Notepad
    • Click into the text area, right-click and choose "select all" (or use ctrl+a)
    • Right-click again and choose "copy" (or ctrl+c)
    • Close Notepad
    • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note for Vista users: Eset is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Step #4

Let's see those reports. As for your settings that are gone, I will need to check on something before we continue on that part.

Thanks YoHi


Hi Yohi,

Thank you for your work done so far, it is very much appreciated the time you take to help me.

1) I have been trying to stick very close to the instructions given and not to assume, as I usually do.

Therefore, when I asked about the update which came up for Java, I did as was said and installed it on top of the previous Java update, which we had installed fresh the day before after uninstalling the previous one.

Now in your last post you bring up Java once more, by which time I had already followed your previous instruction and simply updated a one-day-old fresh Java installation.

So this latest instruction on this issue comes a bit late and I am not sure what to do now on this issue.

2) There was another issue with ComboFix. I did as instructed, but when ComboFix ran it told me that there was a newer version of it and asked if I wished to download it (this was within the ComboFix window). I agreed to the download, as I presumed that where matters like viruses and trojans are involved it would help to have the latest tool. After finishing the internal download it returned an error saying that it could not update and that it would therefore continue with the original version. The result of which I posted below after point 5)

3) The online scan you asked me to run never completes; after about 2 hours the IE window simply closes without any warning. I did this twice yesterday, and on a previous occasion (before I contacted you!!!) I had noticed the same behaviour when I ran an online virus scan. I think it was the same URL.

4) I think I contracted the trojan when I clicked on a link which came through a friend's MSN Messenger account from Germany.

5) I think it's unlikely that uTorrent is the source, because I mainly use it as a distribution source for the local school bands to our pupils and those of other schools in our small town. We have private tracker site software installed behind the pupils' and teachers' login. I upload the music recordings mainly as mp3, but also other projects like recordings from our school theatre and our charity events. These are mainly AVI format but also, right now, our first DVD production, VOB files. The only people with uploader rights to the tracker are the other IT teachers like me at four other schools.

Privately I use the BBC iPlayer download, which allows you to download current TV programmes for use in Media Player and which expire after a few weeks.

The BBC uses this tool in addition to the online viewing of TV through some kind of Flash interface. But for download it uses p2p technology for distribution. When it came out they were doing this without telling people about it, they got into trouble, and I thought I had de-installed it.

log.txt from ComboFix

ComboFix 08-12-04.04 - Ralph 2008-12-04 23:36:14.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1254 [GMT 0:00]

Running from: c:\documents and settings\Ralph\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ralph\Desktop\CFScript.txt

* Created a new restore point

FILE ::

C:\sqmdata16.sqm

C:\sqmnoopt16.sqm

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\sqmdata16.sqm

C:\sqmnoopt16.sqm

.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))

.

2008-12-02 20:41 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-02 20:41 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-01 22:10 . 2008-12-01 22:11 <DIR> d-------- C:\rsit

2008-12-01 22:10 . 2008-12-01 22:11 <DIR> d-------- c:\program files\trend micro

2008-12-01 17:13 . 2008-12-01 17:19 <DIR> d-------- c:\program files\EsetOnlineScanner

2008-12-01 16:35 . 2008-12-01 16:35 <DIR> d-------- c:\documents and settings\Ralph\Application Data\Malwarebytes

2008-12-01 16:35 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-01 16:34 . 2008-12-01 16:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-01 16:34 . 2008-12-01 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-01 16:34 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-30 16:56 . 2008-12-01 14:24 325 --a------ c:\windows\wininit.ini

2008-11-28 18:38 . 2008-11-28 18:38 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Winamp

2008-11-26 20:28 . 2008-11-26 20:28 <DIR> d-------- C:\My Music

2008-11-26 00:08 . 2008-11-26 00:08 <DIR> d-------- c:\documents and settings\Ralph\Application Data\Uniblue

2008-11-25 23:09 . 2008-11-25 23:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avanquest

2008-11-19 22:35 . 2008-11-19 22:35 <DIR> d-------- c:\documents and settings\Ralph\Application Data\GARMIN

2008-11-19 22:34 . 2008-11-19 22:34 <DIR> d-------- c:\program files\Garmin GPS Plugin

2008-11-16 02:17 . 2008-11-16 02:17 <DIR> d-------- c:\program files\Microsoft Virtual PC

2008-11-12 19:57 . 2008-11-12 19:57 103,360 --------- c:\windows\system32\drivers\AnyDVD.sys

2008-11-12 16:57 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-12 16:44 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-06 19:06 . 2008-11-06 19:06 93,128 --a------ c:\windows\system32\ElbyCDIO.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-04 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2008-12-04 12:02 --------- d-----w c:\program files\FlashGet2

2008-12-04 12:01 --------- d-----w c:\program files\Java

2008-12-04 11:38 --------- d-----w c:\program files\Symantec AntiVirus

2008-12-03 15:27 --------- d-----w c:\documents and settings\Ralph\Application Data\uTorrent

2008-12-02 12:15 --------- d-----w c:\program files\FlashGet

2008-11-24 23:00 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-13 10:49 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles

2008-11-12 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-11 18:43 --------- d-----w c:\program files\Thumbs7

2008-11-11 12:53 --------- d-----w c:\program files\SlySoft

2008-11-06 23:38 --------- d-----w c:\program files\CloneDVD

2008-11-01 11:39 --------- d-----w c:\documents and settings\Ralph\Application Data\teamspeak2

2008-10-31 23:57 --------- d-----w c:\program files\uTorrent

2008-10-29 14:03 --------- d-----w c:\program files\DivX

2008-10-27 02:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-10-25 17:00 --------- d-----w c:\program files\Kontiki

2008-10-25 16:57 --------- d-----w c:\program files\LinkStash

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-24 10:56 --------- d-----w c:\documents and settings\Ralph\Application Data\AccurateRip

2008-10-24 09:43 --------- d-----w c:\program files\Exact Audio Copy

2008-10-22 13:51 --------- d-----w c:\program files\NCH Swift Sound

2008-10-22 13:51 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound

2008-10-21 09:25 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-20 19:48 --------- d-----w c:\program files\Teamspeak2_RC2

2008-10-20 19:44 --------- d-----w c:\program files\Teamspeak_german

2008-10-16 19:34 24,944 ----a-w c:\windows\system32\drivers\GVTDrv.sys

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 09:34 --------- d-----w c:\program files\Windows Mobile Device Handbook

2008-10-16 09:34 --------- d-----w c:\program files\Microsoft ActiveSync

2008-10-07 21:24 --------- d-----w c:\program files\WinHex

2008-10-04 15:52 --------- d-----w c:\documents and settings\Ralph\Application Data\Winamp

2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-09-16 20:17 364 ----a-w C:\drmHeader.bin

2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe

2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll

2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll

2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll

2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll

2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll

2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll

2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll

2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll

2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe

2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-08 21:26 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2008-07-11 10:57 8 --sh--r c:\documents and settings\All Users\Application Data\3E60938E4B.sys

2008-02-03 13:37 81,920 ----a-w c:\documents and settings\Ralph\Application Data\ezpinst.exe

2008-02-03 13:37 47,360 ----a-w c:\documents and settings\Ralph\Application Data\pcouffin.sys

2008-09-03 09:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Ralph\Application Data\Uniblue ----

2008-11-26 00:32 4380 --a------ c:\documents and settings\Ralph\Application Data\Uniblue\Registry Booster2\RBLog.dat

2008-11-26 00:32 2 --a------ c:\documents and settings\Ralph\Application Data\Uniblue\Registry Booster2\ignorelist.dat

2008-11-26 00:32 13470 --a------ c:\documents and settings\Ralph\Application Data\Uniblue\Registry Booster2\problems.html

2008-11-26 00:12 736 --a------ c:\documents and settings\Ralph\Application Data\Uniblue\Registry Booster2\1227658354.zip

((((((((((((((((((((((((((((( snapshot@2008-12-02_20.53.39.76 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-02 20:40:41 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe

+ 2008-12-04 03:18:06 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe

- 2008-12-02 20:41:32 144,792 ----a-w c:\windows\system32\java.exe

+ 2008-11-10 05:43:37 144,792 ----a-w c:\windows\system32\java.exe

- 2008-12-02 20:41:32 144,792 ----a-w c:\windows\system32\javaw.exe

+ 2008-11-10 05:43:38 144,792 ----a-w c:\windows\system32\javaw.exe

- 2008-12-02 20:41:32 148,888 ----a-w c:\windows\system32\javaws.exe

+ 2008-11-10 05:43:39 148,888 ----a-w c:\windows\system32\javaws.exe

+ 2008-12-04 12:01:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1244.dat

+ 2008-12-04 11:38:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_390.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-02-21 5724184]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-11 2268096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-03-14 54832]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2008-04-18 520192]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2003-10-21 582840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2005-04-17 85184]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"nwiz"="nwiz.exe" [2007-05-10 c:\windows\system32\nwiz.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

c:\documents and settings\Ralph\Start Menu\Programs\Startup\

Dialog Helper.lnk - c:\program files\Avanquest\PowerDesk\pddlghlp.exe [2008-04-22 46336]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= "c:\program files\DVD X Studios\DVD X Utilities 1.5\DVDGhost\ExecuteHooker.dll" [2004-07-27 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\FlashGet2\\flashget.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=

"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2007-09-19 21:37:48 41456]

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-08-26 147456]

R2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2008-08-26 233472]

R2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2008-08-26 217088]

R2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2008-08-26 368640]

R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2008-08-26 1302528]

R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]

S3 GVTDrv;GVTDrv;\??\c:\windows\system32\Drivers\GVTDrv.sys [2008-06-29 24944]

S3 MarkFun_NT;MarkFun_NT;\??\c:\program files\Gigabyte\ET5Pro\markfun.w32 []

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-04-17 124608]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys []

S3 VC4CB104;USB PC Camera;c:\windows\system32\Drivers\VC4CB104.SYS [2008-02-08 81924]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9ee1ef7-536e-11dd-829d-001a4d567bdf}]

\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE

*Newly Created Service* - USNJSVC

.

Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-07-29 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 11:01]

2008-12-04 c:\windows\Tasks\Symantec Drmc.job

- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]

2008-12-04 c:\windows\Tasks\User_Feed_Synchronization-{AC6E7797-8923-4543-9A25-A4F2D090978D}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = hxxp://www.nvidia.com/content/drivers/redirect.asp?language=ENG&page=sysutility

IE: &Download All with FlashGet - c:\program files\FlashGet2\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet2\jc_link.htm

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

Handler: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - c:\elsawin\bin\wiprot.dll

FireFox -: Profile - c:\documents and settings\Ralph\Application Data\Mozilla\Firefox\Profiles\m9rb43ct.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/

FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-04 23:37:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]

"ImagePath"="\??\c:\program files\Gigabyte\ET5Pro\markfun.w32"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-12-04 23:39:01

ComboFix-quarantined-files.txt 2008-12-04 23:38:15

ComboFix2.txt 2008-12-02 20:54:43

Pre-Run: 9,216,970,752 bytes free

Post-Run: 9,312,845,824 bytes free

285 --- E O F --- 2008-11-12 19:29:19

I am a bit concerned about not being able to complete the online virus scan. What do you suggest as an alternative, please?

Tschuess

Ralph

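The ComboFix log above is what the helper reads by eye: the Run keys, the service lines, the mountpoints2 AutoRun command and the firewall list. As an added example (not part of the original post and not ComboFix's own code), the Python below parses the "Reg Loading Points" layout ComboFix uses and applies a few of the checks a helper applies by hand: entries whose image file ComboFix could not find (the empty [] after markfun.w32 and UltraMonMirror.sys, where the other lines show a date and size), images living in user-writable profile or temp directories, Run values that are a bare file name resolved through the search path, and AutoRun commands registered for a mounted volume. The sample log is constructed from entries in the post plus one synthetic "ExampleLoader" line; the heuristics are this example's own, not ComboFix's verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# Every line is copied from the log in this thread except "ExampleLoader",
# a synthetic test case that says nothing about Ralph's machine.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ExampleLoader"="c:\documents and settings\User\Application Data\example.exe" [2008-12-01 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-05-10 c:\windows\system32\nwiz.exe]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

R2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2008-08-26 147456]
S3 MarkFun_NT;MarkFun_NT;\??\c:\program files\Gigabyte\ET5Pro\markfun.w32 []
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9ee1ef7-536e-11dd-829d-001a4d567bdf}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$')
VOLUME_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<image>.+)$', re.IGNORECASE)

# Directories an unprivileged user (and therefore user-level malware) can write to.
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\', '\\recycler\\')


@dataclass(frozen=True)
class Autorun:
    source: str   # registry key, "service:<start type>" or "mountpoints2"
    name: str
    image: str    # command or image path exactly as logged
    meta: str     # text inside the trailing [...]: date+size, or empty


@dataclass(frozen=True)
class Finding:
    reason: str
    entry: Autorun


def _clean_path(image: str) -> str:
    """Drop surrounding quotes, trailing arguments and the \\??\\ kernel prefix."""
    p = image.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    if p.startswith('\\??\\'):
        p = p[4:]
    return p.lower()


def parse_autoruns(log: str) -> list:
    """Turn the Reg Loading Points text into Autorun records."""
    entries, key = [], ''
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        if (m := KEY_RE.match(line)):
            key = m['key']
        elif (m := RUN_RE.match(line)):
            entries.append(Autorun(key, m['name'], m['image'], m['meta']))
        elif (m := SVC_RE.match(line)):
            entries.append(Autorun('service:' + m['start'], m['name'], m['image'], m['meta']))
        elif (m := VOLUME_RE.match(line)) and 'mountpoints2' in key.lower():
            entries.append(Autorun('mountpoints2', key.rsplit('\\', 1)[-1], m['image'], ''))
    return entries


def analyze(log: str) -> list:
    """Flag loading points a helper would look at first (heuristics, not verdicts)."""
    findings = []
    for e in parse_autoruns(log):
        path = _clean_path(e.image)
        if e.source == 'mountpoints2':
            findings.append(Finding('autorun command registered for a mounted volume', e))
            continue
        if e.meta == '':   # ComboFix shows date+size when the file exists; [] when it does not
            findings.append(Finding('image file not found on disk (orphaned loading point)', e))
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(Finding('image lives in a user-writable profile or temp directory', e))
        if '\\' not in path:
            findings.append(Finding('bare file name, resolved through the search path at logon', e))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.entry.name:<45} {f.reason}')
```

Run against the constructed sample it reports five entries: the two drivers with an empty [], the synthetic profile-directory loader, the bare "nwiz.exe" value and the volume AutoRun command; ctfmon.exe, jusched.exe and the ELSA service pass. A flag is a reason to look, not a verdict: the Gigabyte and UltraMon leftovers are stale uninstalls, and the Maxtor AutoRun is a vendor tool on an external disk.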

hi germish,

Now in your last post you bring up Java once more, by which I had already followed your previous instruction and simply had updated a 1-day-old fresh Java installation.

As of Java Runtime version 6 update 10, the updates are deleted on new installs. All Java versions prior to that need manual removal. It's only been updated to v6u11 recently.

3) The online scan you asked me to run never completes; after about 2 hours the IE window simply closes without any warning. I did this twice yesterday, and on a previous occasion (before I contacted you!!!) I had noticed the same behaviour when I ran an online virus scan. I think it was the same URL.

That's OK, we'll just take a different one:

Please do a scan with Kaspersky Online Scanner (you need to use Internet Explorer or enable IEView in Firefox).

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
4) I think I contracted the trojan when I clicked on a link which came through a friend's MSN Messenger account from Germany.

The MSN worms are spreading more and more. Your friend's PC might be compromised and used to spread the worm itself. One needs to be very careful about which links to click these days :angry:.

Don't worry too much about the P2P software. It's a common source of infection, and its use with proprietary works is illegal and thus needs to be pointed out.

Sorry for the delay. With normal weekend stuff and further education on Saturdays, I am falling behind schedule at times. Not a good excuse, but I still thought I'd try :angry: to hide my failing to reply in an acceptable time frame.

johannes


Hi Yohi,

I was experiencing further spread of trojans in between the postings here.

Therefore I took some action, after I ran a Kaspersky online check and almost fell off my chair when seeing the amount of Trojans.

I just had to act immediately.

I removed Symantec AntiVirus 10 network client and also Spybot to install Kaspersky's one-month free trial virus scanner and let it do its job.

Then I ran the online check, and as soon as it started scanning, Windows blue-screened, rebooting instantly.

I tried several times over, also stopping Kaspersky Antivirus first and unloading associated services, but I always got the same result. Instant death.

Running the first online virus scanner you suggested gave the same result as before: it starts scanning and then, at around 60-70%, just disappears off the screen.

So I am a little stuck for what to do next.

Regards

Germish


Hi Germish,

I removed Symantec AntiVirus 10 network client and also Spybot to install Kaspersky's one-month free trial virus scanner and let it do its job.

Could you post the log it produced? Don't worry about the online scan for now.

Let's do this:

Download MsnCleaner.zip to your Desktop, but don't use it yet.

http://www.forospyware.com/Msncleaner/MsnCleaner.zip

(Copy/Paste the URL into the address bar or use "Save Target As")

  • Extract the content of MsnCleaner.zip to your Desktop.
  • Now reboot into Safe Mode
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once the scan finishes.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post.

Then do these steps:

Update Malwarebytes Antimalware, run it and let it fix all it finds.

Run ComboFix again. When it asks to update itself, let it do so.

Now post back with the MsnCleaner.txt, the MBAM log, and the Combofix log. Thanks!


Hi Germish,

no problem. Kindly check if you can locate the following logs:

C:\MsnCleaner.txt

C:\ComboFix.txt

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

It didn't really produce any particular single log but an array of various things, so I am completely lost as to which one to post.

Not sure what you mean with "array of various things."

Johannes


Hallo Johannes,

With Christmas pending, everybody has little time now, and with my PC and laptop out of order, or at least out of secure use, for almost 4 weeks, I have made the decision to buy a commercial package which claims to get rid of these Trojans.

I have purchased Spyware Detector 2009 by Max Secure and ran it on both laptop and desktop, and both machines appear to be clean now.

I want to thank you very much for your help, and I am sorry if I have messed you around through the later phase of your kind efforts of helping me.

It had just got to be taunting, and I just wanted to put a quick end to it without the need to reformat.

I wish you "Frohe Weihnachten und ein gutes Neues Jahr" (Merry Christmas and a Happy New Year) with not too many new viruses. :)

Kind Regards

Germish


Hi Germish,

sorry for this very late reply. Lots of things have been happening over the long weekend. I see you solved your problems with some new software. Good to see that it worked out for you this way. Let me just give you a few things on the way to keep you away from malware in the future :).

Please navigate to: Start >> Run... and type Combofix /u and hit Enter. Thanks.

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!

  • Lots of hacks/Trojans use methods (plugged by the updates) that have not been stopped because people do not update.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but it can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:

  1. Double-click the downloaded installer and install the tool to a location of your choice.
  2. Via the Start menu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu.
    2. Click "Manage Updates" in the submenu.
    3. Out of the three, select at least one of them (I have MVPS Hosts as my main one).
    4. Click "Add Update." After that you will only need to click the update button to retrieve updates.
    5. Click the X to exit the program.
    6. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

Thanks and Merry Christmas. Johannes
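The HostsMan advice above relies on the hosts file mapping known-bad names to a black-hole address, and the note at the end of the steps warns that an update overwrites custom entries. As an added example (not part of the post and not HostsMan's code), this Python merges a blocklist update into an existing hosts file while keeping the user's own mappings, then answers lookups the way the resolver consults the file. Both input files are constructed for the example; the Windows path in the comment is where the real file lives, but nothing here touches disk.

```python
import ipaddress
from typing import Optional

# Constructed sample inputs for this example: neither is a real
# c:\windows\system32\drivers\etc\hosts nor the real MVPS list.
CURRENT_HOSTS = """\
# default entry plus one the user added by hand
127.0.0.1       localhost
192.168.1.10    nas.home    # custom mapping the user relies on
"""

UPDATE_LIST = """\
# constructed blocklist in the one-name-per-line 0.0.0.0 style
0.0.0.0 ads.example
0.0.0.0 tracker.example
0.0.0.0 nas.home
0.0.0.0 TRACKER.example
"""

# Addresses a blocklist maps names to; anything else counts as a "real" mapping.
BLACKHOLE = {'0.0.0.0', '127.0.0.1'}


def parse_hosts(text: str) -> list:
    """Return (ip, name) pairs; comments are dropped, malformed addresses raise."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)          # ValueError on a bad line, never silently kept
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def merge_hosts(current: str, update: str) -> tuple:
    """Apply a blocklist update on top of the current file.

    Names the user mapped to a real address keep that mapping; the update may
    not turn them into block entries. Returns (name->ip table, skipped names)."""
    merged = {name: ip for ip, name in parse_hosts(current)}
    custom = {name for name, ip in merged.items() if ip not in BLACKHOLE}
    skipped = []
    for ip, name in parse_hosts(update):
        if name in custom:
            skipped.append(name)
            continue
        merged[name] = ip
    return merged, skipped


def lookup(table: dict, name: str) -> Optional[str]:
    """Resolve as the hosts file is consulted: exact name, case-insensitive."""
    return table.get(name.lower())


def render(table: dict) -> str:
    """Serialize back to hosts-file syntax, one name per line."""
    return ''.join(f'{ip}\t{name}\n' for name, ip in table.items())


if __name__ == '__main__':
    table, skipped = merge_hosts(CURRENT_HOSTS, UPDATE_LIST)
    print(render(table))
    print('kept custom mappings instead of block entries for:', skipped)
```

The merge keeps nas.home pointing at the NAS even though the update wanted to black-hole it, folds the duplicated TRACKER.example into one entry, and leaves ads.example and tracker.example resolving to 0.0.0.0 so the browser never reaches them.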