Tech Support Forum > Security Center > HijackThis Log Help
#1 - 06-24-2008, 05:37 AM - spyscraper (Registered User; Join Date: Jun 2008; Posts: 5; OS: Windows XP SP2)


I think my computer is infected...

Hi friendly people, this is my first post here, so please go gentle on me ;P

I think it all began with me allowing an unknown .dll to run as an app, or allowing an unknown registry entry to be added (yeah, I don't know what I was thinking at the time).
Anyway, I think it installed a trojan, which then downloaded the Virtumonde virus (which my Spybot picked up and seemed to remove, but it kept getting installed anyway).
So then I downloaded Malwarebytes and the troubles seemed to be gone, but alas, from time to time my NOD32 picked up various viruses (always via the on-access scanner, never on demand).

I'll post some pics to clarify some of the errors / registry entries I didn't trust.

[image: Spybot - I think this is the value that caused trouble (deleted on screen)]
[image: Spybot Virtumonde scan result]
[image: Spybot after Malwarebytes]
[image: things after reboot - NOD32]

HijackThis log ---> next post
#2 - 06-24-2008, 05:43 AM - spyscraper (Registered User; Join Date: Jun 2008; Posts: 5; OS: Windows XP SP2)


Re: I think my computer is infected...

The HJT log:
------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:43:54, on 24-Jun-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sndvol32.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAMS\FireFox\firefox.exe
D:\PROGRAMS\! Maintenance & Security\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "E:\GAMEZ\STEAM\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7384 bytes


------------------
Thanks very much in advance :)
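The security-relevant lines in the log above are the O2, O20 and O23 entries that HijackThis could not resolve to a file: two BHO CLSIDs whose DLLs are reported "(file missing)", four more reported "(no file)", and a Winlogon Notify entry ("awtUlKDW") that resolves only to C:\WINDOWS\. An orphaned BHO entry does nothing by itself, but a set of them with random-looking DLL names in system32 is the residue of the Virtumonde infection the poster describes, and a Winlogon Notify DLL is loaded by winlogon.exe at every logon, which makes the O20 line the one to scrutinise first. The Python script below is an added example, not code from HijackThis or from anyone in this thread; it parses a representative subset of lines copied from the posted log and applies those checks. It also shows the cross-check an analyst makes before acting: the StarWind service is likewise "Unknown owner - C:\WINDOWS\", but the "Running processes" block shows StarWindService.exe running from the Alcohol 120% folder, so the script downgrades that hit instead of flagging it. The SAMPLE_LOG and RUNNING_PROCESSES constants are copied from the thread; the verdict labels and parsing rules are assumptions of this example.

```python
"""Added triage helper for HijackThis v2 log lines (example code, not HJT's own).

Three structural checks an analyst applies by hand when reading such a log:
  O2  - a BHO whose DLL is "(no file)" / "(file missing)" is an orphaned CLSID
        left behind after the DLL was deleted; it should be removed.
  O20 - a Winlogon Notify entry whose module did not resolve to a file is
        loaded by winlogon.exe at logon and must be investigated.
  O23 - a service with "Unknown owner" and an unresolved path is only a
        concern if no running process with that service's short name exists.
"""
import re
from dataclasses import dataclass

# Lines copied from the log posted in this thread (benign entries included
# so the filter has something to let through).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
"""

# Executables taken from the "Running processes" block of the same log.
RUNNING_PROCESSES = [
    r"C:\Program Files\ESET\ESET Smart Security\ekrn.exe",
    r"D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe",
]


@dataclass
class Finding:
    section: str   # O2, O20 or O23
    entry: str     # the original log line
    verdict: str   # "remove", "investigate" or "benign-unresolved" (labels are ours)
    reason: str


# "StarWind iSCSI Service (StarWindService)" -> short name "StarWindService"
_SERVICE_SHORT_NAME = re.compile(r"\((?P<short>[^()]+)\)\s*$")


def _split(line: str):
    """Return (section, fields) for one HJT line.

    'O2 - BHO: name - {clsid} - path' -> ('O2', ['name', '{clsid}', 'path'])
    Only the last two ' - ' separators are honoured, so a display name that
    itself contains ' - ' stays in one piece.
    """
    section, _, rest = line.partition(" - ")
    _, _, rest = rest.partition(": ")
    return section, rest.rsplit(" - ", 2)


def _unresolved(path: str) -> bool:
    """HJT prints a bare directory (trailing backslash) when it could not locate the module."""
    return path.endswith("\\")


def triage(log_text: str, running_processes):
    """Walk the log and return one Finding per noteworthy O2/O20/O23 entry."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in running_processes}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, fields = _split(line)
        if section == "O2" and len(fields) == 3:
            path = fields[2]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(section, line, "remove",
                                        "BHO CLSID registered but its DLL is absent"))
        elif section == "O20" and len(fields) == 2:
            name, path = fields
            if _unresolved(path):
                findings.append(Finding(section, line, "investigate",
                                        f"Winlogon Notify module '{name}' not resolved to a file"))
        elif section == "O23" and len(fields) == 3:
            display, owner, path = fields
            if owner == "Unknown owner" and _unresolved(path):
                m = _SERVICE_SHORT_NAME.search(display)
                exe = (m.group("short") + ".exe").lower() if m else ""
                if exe in running:
                    findings.append(Finding(section, line, "benign-unresolved",
                                            f"{exe} is in the running-process list; HJT just failed to resolve the path"))
                else:
                    findings.append(Finding(section, line, "investigate",
                                            "service binary not resolved and not seen running"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, RUNNING_PROCESSES):
        print(f"{f.section:<4} {f.verdict:<18} {f.reason}\n     {f.entry}")
```

Run against the sample it reports the three orphaned BHOs as "remove", the awtUlKDW Winlogon Notify entry as "investigate", and the StarWind service as "benign-unresolved"; the ESET and Spybot entries pass untouched. The O20 verdict is deliberately "investigate" rather than "remove": a Winlogon Notify package that HJT cannot see on disk may still exist under a different name or be protected by a running component, which is why the analysts in this thread ask for a fresh log and a DSS scan rather than acting on the first one.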
#3 - 06-27-2008, 01:54 PM - Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Location: BC, Canada; Posts: 2,727; OS: XP)


Re: I think my computer is infected...

Hi, welcome to TSF!

Sorry for the delay.

If you still need assistance, please post a fresh HijackThis log.
#4 - 07-06-2008, 10:20 AM - spyscraper (Registered User; Join Date: Jun 2008; Posts: 5; OS: Windows XP SP2)


Re: I think my computer is infected...

Quote (originally posted by Angelfire777):
> Hi, welcome to TSF!
>
> Sorry for the delay.
>
> If you still need assistance, please post a fresh HijackThis log.
Hi, I'm also sorry for my late reply, so I guess that makes us even lol :P

Anyway, as you requested:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:54, on 06-Jul-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\PROGRAMS\FireFox\firefox.exe
C:\WINDOWS\system32\sndvol32.exe
D:\PROGRAMS\DAEMON Tools\daemon.exe
D:\PROGRAMS\! Maintenance & Security\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\PROGRAMS\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7357 bytes
#5 - 07-09-2008, 06:43 AM - spyscraper (Registered User; Join Date: Jun 2008; Posts: 5; OS: Windows XP SP2)


Re: I think my computer is infected...

bumpey?
#6 - 07-10-2008, 09:42 PM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 25,526; OS: 2000 Pro; XP Pro; XP Home)


Re: I think my computer is infected...

Hi, and sorry once again for the delay. Angelfire777 seems to be having some issues with the internet connection.

Since it's been a few days, and in case you're not receiving help elsewhere, I'd like a new set of logs. I'm subscribed to this thread and would be immediately notified of your reply. We can begin when I see the next logs.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

#7 - 07-13-2008, 07:04 PM - spyscraper (Registered User; Join Date: Jun 2008; Posts: 5; OS: Windows XP SP2)


Re: I think my computer is infected...

Thanks tetonbob for your time and effort :)

Also, I'm going on vacation for 2 weeks, so I'm not sure whether I'll get an internet connection somewhere, so take your time :)

Here you go sir:

(I have to note that after the scan, some virus/trojan alerts popped up from my NOD32 antivirus; some were Virtumonde and others I can't remember. I'll post my NOD32 log if you want it?)




Deckard's System Scanner v20071014.68
Run by ((( ~ ))) on 2008-07-14 03:50:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
61: 2008-07-14 01:50:40 UTC - RP61 - Deckard's System Scanner Restore Point
60: 2008-07-13 21:31:13 UTC - RP60 - Installed Blowfish Advanced CS
59: 2008-07-10 18:24:06 UTC - RP59 - System Checkpoint
58: 2008-07-09 12:41:16 UTC - RP58 - Software Distribution Service 3.0
57: 2008-07-08 14:22:51 UTC - RP57 - System Checkpoint


-- First Restore Point --
1: 2008-05-23 22:51:58 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ((( ~ ))).exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:52:07, on 14-Jul-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\PROGRAMS\! Maintenance & Security\Deckard's System Scanner\dss.exe
D:\PROGRAMS\!MAINT~1\HIJACK~1\((( ~ ))).exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\PROGRAMS\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7444 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Alcohol - c:\windows\system32\drivers\alcohol.sys
R0 AlcoholM - c:\windows\system32\drivers\alcoholm.sys
R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 musbehco - c:\docume~1\(((~))~1\locals~1\temp\musbehco.sys (file missing)
S3 NvnUsbAudio (Novation USB Audio Driver) - c:\windows\system32\drivers\nvnusbaudio.sys <Not Verified; Novation DMS Ltd.; Novation USB Audio Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 ekrn (Eset Service) - "c:\program files\eset\eset smart security\ekrn.exe" <Not Verified; ESET; ESET Smart Security>
R2 o2flash (O2Micro Flash Memory Card Service) - "c:\program files\o2micro\o2flash.exe" <Not Verified; O2Micro International; O2 MS1/MP1 Service>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - d:\programs\intel wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - d:\programs\intel wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 82566MC Gigabit Network Connection
Device ID: PCI\VEN_8086&DEV_104D&SUBSYS_14021A46&REV_03\3&B1BFB68&0&C8
Manufacturer: Intel
Name: Intel(R) 82566MC Gigabit Network Connection
PNP Device ID: PCI\VEN_8086&DEV_104D&SUBSYS_14021A46&REV_03\3&B1BFB68&0&C8
Service: e1express

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: USB 2.0 Image Capture Controller
Device ID: USB\VID_05E1&PID_0501\5&43F8BF9&0&3
Manufacturer:
Name: USB 2.0 Image Capture Controller
PNP Device ID: USB\VID_05E1&PID_0501\5&43F8BF9&0&3
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Memory Controller
Device ID: PCI\VEN_8086&DEV_444E&SUBSYS_444E8086&REV_01\4&227633DA&0&00E2
Manufacturer:
Name: PCI Memory Controller
PNP Device ID: PCI\VEN_8086&DEV_444E&SUBSYS_444E8086&REV_01\4&227633DA&0&00E2
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ACPIHIDMAPPER\5&15D725F4&0
Manufacturer:
Name:
PNP Device ID: ACPI\ACPIHIDMAPPER\5&15D725F4&0
Service:


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-13 20:51:41 0 dr-h----- C:\Documents and Settings\((( ~ )))\Recent
2008-07-09 14:46:50 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-07 20:35:33 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-04 01:10:34 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-28 01:47:53 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Thinstall
2008-06-24 21:16:50 0 d-------- C:\Program Files\uTorrent
2008-06-24 21:16:45 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\uTorrent
2008-06-24 03:01:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 01:17:26 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\OpenArena
2008-06-24 01:07:38 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-06-19 17:56:30 0 d-------- C:\Documents and Settings\((( ~ )))\Contacts
2008-06-18 18:09:28 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 18:08:58 0 d-------- C:\Program Files\Windows Live
2008-06-18 18:08:48 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-15 21:18:28 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Malwarebytes
2008-06-15 21:18:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 17:33:37 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2008-07-09 14:46:50 0 d-------- C:\Program Files\Common Files
2008-07-05 19:56:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 21:41:44 673 --ahs---- C:\WINDOWS\system32\TCfhkUvw.ini2
2008-06-15 21:38:42 100864 -----n--- C:\WINDOWS\system32\sbwjdprc.dll
2008-06-11 01:15:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-11 00:26:06 109056 --a------ C:\WINDOWS\system32\garmmvrh.dll
2008-06-11 00:25:57 100864 --a------ C:\WINDOWS\system32\crjgkahn.dll
2008-06-09 20:00:49 109056 --a------ C:\WINDOWS\system32\gmdgqkdg.dll
2008-06-09 15:29:06 108544 --a------ C:\WINDOWS\system32\mgeinfmf.dll
2008-06-07 04:43:38 108544 --a------ C:\WINDOWS\system32\kfnohvli.dll
2008-06-01 22:52:28 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Ableton
2008-06-01 00:13:45 0 d-------- C:\Program Files\Sierra On-Line
2008-05-29 23:37:30 893 --ahs---- C:\WINDOWS\system32\poUtDJjl.ini2
2008-05-27 12:58:34 277754 --ahs---- C:\WINDOWS\system32\sAaKQXyb.ini2
2008-05-26 23:57:43 292596 --ahs---- C:\WINDOWS\system32\BbHklUvw.ini2
2008-05-23 18:21:33 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Apple Computer
2008-05-23 18:03:14 0 d-------- C:\Program Files\iPod
2008-05-23 18:02:58 0 d-------- C:\Program Files\Bonjour
2008-05-23 18:01:40 0 d-------- C:\Program Files\Apple Software Update
2008-05-23 18:01:04 0 d-------- C:\Program Files\Common Files\Apple
2008-05-18 12:58:06 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-18 12:55:05 16407 --a------ C:\WINDOWS\DIIUnin.dat
2008-05-18 12:49:14 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-05-18 12:49:13 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-05-18 12:49:13 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-05-18 12:48:22 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-05-18 12:48:22 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-05-17 23:41:36 47104 --a------ C:\WINDOWS\system32\KMVIDC32.DLL
2008-05-17 23:40:43 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Sony
2008-05-17 23:40:36 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Publish Providers
2008-05-17 23:40:36 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\NetMedia Providers
2008-05-17 12:37:11 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\DAEMON Tools Pro
2008-05-15 20:13:55 0 d-------- C:\Program Files\MSXML 6.0
2008-05-15 19:56:46 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Macromedia
2008-05-15 19:56:46 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Adobe
2008-05-15 19:56:44 1216 --a------ C:\WINDOWS\mozver.dat
2008-05-15 18:35:24 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Talkback
2008-05-15 18:35:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-15 18:35:09 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Mozilla
2008-05-14 23:37:25 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Acronis
2008-05-14 23:27:36 0 d-------- C:\Program Files\Common Files\Acronis
2008-05-07 13:01:51 356352 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-05-06 02:18:58 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-05-06 02:04:47 62 --ahs---- C:\Documents and Settings\((( ~ )))\Application Data\desktop.ini
2008-05-06 01:00:54 0 -rahs---- C:\MSDOS.SYS
2008-05-06 01:00:54 0 -rahs---- C:\IO.SYS
2008-05-06 01:00:54 0 --a------ C:\CONFIG.SYS
2008-05-06 01:00:54 0 --a------ C:\AUTOEXEC.BAT
2008-05-06 00:58:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{034B6926-3FF4-46E1-B2DA-6727D1662C18}]
C:\WINDOWS\system32\wvUlkHbB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60fe7675-e5f2-4f46-a93c-19c2daa15259}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622B25AE-27A3-4121-B930-76FAEFF9FC5B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8EDC5E4-EEBA-497D-B0CF-218296CC10EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D02400-0183-42FD-BEE0-D3475DDC4521}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3068B4F-6EF3-4EC6-BDED-7BA10306CB49}]
C:\WINDOWS\system32\byXQKaAs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [25-Jun-07 23:39]
"nwiz"="nwiz.exe" [25-Jun-07 23:39 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [25-Jun-07 23:39 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [20-Dec-07 16:47 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03-May-05 18:43 C:\WINDOWS\Alcmtr.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [13-Jul-07 13:32]
"IntelZeroConfig"="D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe" [16-Apr-07 11:24]
"IntelWireless"="D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" [16-Apr-07 11:22]
"WinampAgent"="D:\PROGRAMS\! Audio\WinAMP\winampa.exe" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [13-Mar-08 16:48]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"TrueImageMonitor.exe"="D:\PROGRAMS\Acronis\TrueImageMonitor.exe" [30-Oct-07 20:06]
"AcronisTimounterMonitor"="D:\PROGRAMS\Acronis\TimounterMonitor.exe" [30-Oct-07 20:11]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [30-Oct-07 20:07]
"QuickTime Task"="D:\PROGRAMS\QuickTime\QTTask.exe" [28-Mar-08 23:37]
"iTunesHelper"="D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe" [30-Mar-08 10:36]
"Process XP"="D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe" [22-Feb-06 16:31]
"Speedfan"="D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe" [22-Apr-08 09:59]
"DAEMON Tools"="D:\PROGRAMS\DAEMON Tools\daemon.exe" [14-Sep-06 22:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-Aug-04 14:00]
"SpybotSD TeaTimer"="D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe" [28-Jan-08 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUlKDW]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
D:\PROGRAMS\! Monitoring

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"8c7815f9"=rundll32.exe "C:\WINDOWS\system32\qbcdtlso.dll",b
"BM8f4b2665"=Rundll32.exe "C:\WINDOWS\system32\hbmeimiy.dll",s


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a3f7257-4a92-11dd-a016-0013e8157e33}]
AutoRun\command- Q:\autorun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8520 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-14 03:52:34 ------------

Thanks again!
Attached file: extra.txt (15.4 KB)

Last edited by tetonbob : 07-14-2008 at 07:30 AM. Reason: removed quote tags, makes logs harder to read
07-14-2008, 07:39 AM   #8
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,526
OS: 2000 Pro; XP Pro; XP Home


Re: I think my computer is infected...

It doesn't appear as though your Vundo infection is active.


Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\


Close HijackThis now.

---------------------------------------------------------------------------------------------

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Start with a fresh log of anything that could not be deleted
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

C:\WINDOWS\system32\TCfhkUvw.ini2
C:\WINDOWS\system32\sbwjdprc.dll
C:\WINDOWS\system32\garmmvrh.dll
C:\WINDOWS\system32\crjgkahn.dll
C:\WINDOWS\system32\gmdgqkdg.dll
C:\WINDOWS\system32\mgeinfmf.dll
C:\WINDOWS\system32\kfnohvli.dll
C:\WINDOWS\system32\poUtDJjl.ini2
C:\WINDOWS\system32\sAaKQXyb.ini2
C:\WINDOWS\system32\BbHklUvw.ini2

) do (
rem /a selects the file regardless of hidden/system attributes, /f forces read-only files
del /a/f %%g >nul 2>&1
rem Anything still present after the delete is written to the log for review
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem Show the leftovers in Notepad if there are any, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself once it has finished
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat and allow it to run.

Post back to tell me what it says

---------------------------------------------------------------------------------------------

Run DSS once again, and post its log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
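As an added illustration (not part of the thread, and not a tool the analyst used), here is a small Python script that parses lines in the DSS "Find3M Report" format and applies two heuristics that match the files on the analyst's fix.bat list: eight-lowercase-letter DLL names and hidden+system .ini2 files sitting directly in system32. The sample lines are copied from the log above; the heuristics are my reading of why those files were picked, not something the post states.

```python
import re

# One line of the DSS "Find3M Report" / "Files created" sections, as seen in the log above:
#   <date> <time> <size> <attrs> <path> [<Not Verified; vendor; description>]
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{9})\s+(.*?)(?:\s+<[^>]*>)?$")
# Eight-lowercase-letter DLL names: the naming pattern of the DLLs listed in fix.bat
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: a handful of Find3M lines copied from the log in this thread
SAMPLE_LOG = r"""
2008-07-05 19:56:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 21:41:44 673 --ahs---- C:\WINDOWS\system32\TCfhkUvw.ini2
2008-06-15 21:38:42 100864 -----n--- C:\WINDOWS\system32\sbwjdprc.dll
2008-06-11 00:26:06 109056 --a------ C:\WINDOWS\system32\garmmvrh.dll
2008-05-29 23:37:30 893 --ahs---- C:\WINDOWS\system32\poUtDJjl.ini2
2008-05-18 12:58:06 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-17 23:41:36 47104 --a------ C:\WINDOWS\system32\KMVIDC32.DLL
2008-05-07 13:01:51 356352 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-05-06 02:04:47 62 --ahs---- C:\Documents and Settings\((( ~ )))\Application Data\desktop.ini
"""

def parse_entries(text):
    """Yield (timestamp, size, attrs, path) for every line that matches the DSS format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m[1], int(m[2]), m[3], m[4]

def is_suspicious(attrs, path):
    """Flag the two artefact types fix.bat removes: random-named DLLs and
    hidden+system .ini2 files, both sitting directly in system32."""
    if attrs.startswith("d") or not path.lower().startswith(SYSTEM32):
        return False
    name = path[len(SYSTEM32):]
    if "\\" in name:  # skip anything in a subdirectory of system32
        return False
    if RANDOM_DLL_RE.match(name):
        return True
    return name.lower().endswith(".ini2") and "h" in attrs and "s" in attrs

def suspicious_paths(text):
    """Return the flagged paths in log order, for an analyst to review."""
    return [p for _, _, attrs, p in parse_entries(text) if is_suspicious(attrs, p)]

if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_LOG):
        print(p)
```

The output is a triage list for an analyst to check against the rest of the log, not a delete list: a legitimate eight-letter lowercase DLL name would be flagged too.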