Tech Support Forum - View Single Post

andrew.bennett · 08-07-2007, 12:51 PM

can't use the online scanner, keep clicking on the accept button with no resolve. until i get that rolling here is the hijack this and Combo Fix Log

ComboFix 07-08-07.6 - "MailRoom" 2007-08-07 14:37:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT -4:00]
Command switches used :: C:\Documents and Settings\MailRoom\Desktop\CFScript.txt

FILE::
C:\WINDOWS\SYSTEM32\qvvkojjr.dll
C:\WINDOWS\lprgmuwA.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Viewpoint
C:\Program Files\Viewpoint
C:\VundoFix Backups
C:\VundoFix Backups\ijkmp.bak1.bad
C:\VundoFix Backups\ijkmp.bak2.bad
C:\VundoFix Backups\ijkmp.ini.bad
C:\VundoFix Backups\ijkmp.ini2.bad
C:\VundoFix Backups\ijkmp.tmp.bad
C:\VundoFix Backups\pmkji.dll.bad
C:\WINDOWS\lprgmuwA.exe
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{54A121BA-E7F5-48DD-822A-5C3A3669503C}.exe
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{D87073CC-BF85-4236-BA96-C2DF15A91CCD}.exe
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{E16923C3-DBD2-4CC7-8E4D-355D5B3D3F22}.exe
C:\WINDOWS\SYSTEM32\qvvkojjr.dll

((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))

2007-08-07 12:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 10:25 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-07 10:24 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-06 12:28 1,165 --a------ C:\WINDOWS\mozver.dat
2007-08-06 10:14 <DIR> d-------- C:\WINDOWS\CSC
2007-08-03 10:54 <DIR> d-------- C:\DOCUME~1\MailRoom\APPLIC~1\MSNInstaller
2007-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-02 16:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-02 12:59 22,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys
2007-08-02 11:56 <DIR> d-------- C:\Program Files\Norton 360
2007-08-02 11:54 48,776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-02 11:54 115,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-08-02 11:53 <DIR> d-------- C:\Program Files\Symantec
2007-08-02 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-02 11:47 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-02 08:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-02 08:56 <DIR> d-------- C:\Program Files\Google
2007-08-02 08:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-01 10:58 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-08-01 10:38 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 10:28 --------- d-------- C:\Program Files\Windows NT
2007-08-06 10:27 --------- d-------- C:\Program Files\Time Clock MTS
2007-08-02 15:41 --------- d-------- C:\DOCUME~1\MailRoom\APPLIC~1\Symantec
2007-08-02 12:00 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-02 12:00 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-02 08:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-17 12:21 186256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-19 14:45]
"lprgmuwA"="C:\WINDOWS\lprgmuwA.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

C:\Documents and Settings\MailRoom\Start Menu\Programs\Startup\
ARS Prepaid.url [2005-09-16 15:23:27]
DESKTOP.INI [2004-08-11 19:15:06]
RCSSMain.lnk - C:\UPS\RCSS\RCSSMain.mdb [2005-10-06 15:43:08]
UPS WorldShip (2).lnk - C:\UPS\UOWS\ShipUps.exe [2007-01-16 11:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-11 19:15:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-02-10 00:31:11]
RCSSMain.lnk - C:\UPS\RCSS\RCSSMain.mdb [2005-10-06 15:43:08]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\UOWS\PldReminder.exe [2007-01-16 11:16:50]

R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S2 Nbf;NetBEUI Protocol;C:\WINDOWS\system32\DRIVERS\nbf.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-07 17:39:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 14:39:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 14:42:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 14:42
C:\ComboFix2.txt ... 2007-08-07 13:45

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 2:49:31 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\MailRoom\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ARS Prepaid.url
O4 - Startup: RCSSMain.lnk = C:\UPS\RCSS\RCSSMain.mdb
O4 - Startup: UPS WorldShip (2).lnk = UOWS\ShipUps.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: RCSSMain.lnk = C:\UPS\RCSS\RCSSMain.mdb
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = UOWS\PldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

08-07-2007, 12:51 PM	#10 (permalink)
andrew.bennett Registered User Join Date: Aug 2007 Posts: 12 OS: Win XP	Re: Problems with Trojan: Win32/Virtumonde.0 can't use the online scanner, keep clicking on the accept button with no resolve. until i get that rolling here is the hijack this and Combo Fix Log ComboFix 07-08-07.6 - "MailRoom" 2007-08-07 14:37:04.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT -4:00] Command switches used :: C:\Documents and Settings\MailRoom\Desktop\CFScript.txt FILE:: C:\WINDOWS\SYSTEM32\qvvkojjr.dll C:\WINDOWS\lprgmuwA.exe ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\Viewpoint C:\Program Files\Viewpoint C:\VundoFix Backups C:\VundoFix Backups\ijkmp.bak1.bad C:\VundoFix Backups\ijkmp.bak2.bad C:\VundoFix Backups\ijkmp.ini.bad C:\VundoFix Backups\ijkmp.ini2.bad C:\VundoFix Backups\ijkmp.tmp.bad C:\VundoFix Backups\pmkji.dll.bad C:\WINDOWS\lprgmuwA.exe C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{54A121BA-E7F5-48DD-822A-5C3A3669503C}.exe C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{D87073CC-BF85-4236-BA96-C2DF15A91CCD}.exe C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{E16923C3-DBD2-4CC7-8E4D-355D5B3D3F22}.exe C:\WINDOWS\SYSTEM32\qvvkojjr.dll ((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 ))))))))))))))))))))))))))))))) 2007-08-07 12:53 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-07 10:25 <DIR> d-------- C:\WINDOWS\network diagnostic 2007-08-07 10:24 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll 2007-08-06 12:28 1,165 --a------ C:\WINDOWS\mozver.dat 2007-08-06 10:14 <DIR> d-------- C:\WINDOWS\CSC 2007-08-03 10:54 <DIR> d-------- C:\DOCUME~1\MailRoom\APPLIC~1\MSNInstaller 2007-08-02 16:55 <DIR> d-------- C:\Program Files\Windows Defender 2007-08-02 16:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage 2007-08-02 12:59 22,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys 2007-08-02 11:56 <DIR> d-------- C:\Program Files\Norton 360 2007-08-02 11:54 48,776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2007-08-02 11:54 115,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS 2007-08-02 11:53 <DIR> d-------- C:\Program Files\Symantec 2007-08-02 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec 2007-08-02 11:47 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-02 08:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip 2007-08-02 08:56 <DIR> d-------- C:\Program Files\Google 2007-08-02 08:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google 2007-08-01 10:58 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll 2007-08-01 10:38 <DIR> d-------- C:\Temp (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-06 10:28 --------- d-------- C:\Program Files\Windows NT 2007-08-06 10:27 --------- d-------- C:\Program Files\Time Clock MTS 2007-08-02 15:41 --------- d-------- C:\DOCUME~1\MailRoom\APPLIC~1\Symantec 2007-08-02 12:00 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-08-02 12:00 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-08-02 08:28 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-07-17 12:21 186256 --a------ C:\WINDOWS\system32\SymNPPWA.dll 2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll 2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll 2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll 2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-19 14:45] "lprgmuwA"="C:\WINDOWS\lprgmuwA.exe" [] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00] C:\Documents and Settings\MailRoom\Start Menu\Programs\Startup\ ARS Prepaid.url [2005-09-16 15:23:27] DESKTOP.INI [2004-08-11 19:15:06] RCSSMain.lnk - C:\UPS\RCSS\RCSSMain.mdb [2005-10-06 15:43:08] UPS WorldShip (2).lnk - C:\UPS\UOWS\ShipUps.exe [2007-01-16 11:16:50] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ DESKTOP.INI [2004-08-11 19:15:06] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-02-10 00:31:11] RCSSMain.lnk - C:\UPS\RCSS\RCSSMain.mdb [2005-10-06 15:43:08] UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\UOWS\PldReminder.exe [2007-01-16 11:16:50] R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys R3 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys S2 Nbf;NetBEUI Protocol;C:\WINDOWS\system32\DRIVERS\nbf.sys S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc Newly Created Service - COMHOST Contents of the 'Scheduled Tasks' folder 2007-08-07 17:39:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-07 14:39:40 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-08-07 14:42:42 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-07 14:42 C:\ComboFix2.txt ... 2007-08-07 13:45 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 2:49:31 PM, on 8/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\basfipm.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\MailRoom\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: ARS Prepaid.url O4 - Startup: RCSSMain.lnk = C:\UPS\RCSS\RCSSMain.mdb O4 - Startup: UPS WorldShip (2).lnk = UOWS\ShipUps.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: RCSSMain.lnk = C:\UPS\RCSS\RCSSMain.mdb O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = UOWS\PldReminder.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe