#1 - 12-26-2007, 12:33 PM
ezerneke (Registered User; Join Date: Dec 2007; Posts: 7; OS: xp)


More Infected Than Expected...

Hello,

Thanks for checking this post out. I'm a new member but have looked through the advice of the forum in the past. Seems I am in worse shape than I first thought. Below is my Panda ActiveScan followed by my DSS scan.

WinXP Pro SP2, all MS Updates installed.

Any help is greatly appreciated!

-Eric

Activescan.txt:


Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@64.62.232[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fortunecity[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@hotlog[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@i.screensavers[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@klik.klikadvertising[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@weborama[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www48.seeq[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@yadro[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache\DD0DBD66d01[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache\E7AC0CAAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache\E7AC0CAAd01[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache(2)\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache(2)\7ED6F4AAd01[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z50p1efp.default\Cache(2)\DD0DBD66d01[SDFix\apps\Process.exe]
Virus:Generic Malware Disinfected C:\Program Files\Games\GameSpy Arcade\Services\_common\PortraitLoader.dll
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\qomlkkh.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\winmmt32(2).dll
Virus:Generic Malware Not disinfected G:\Laptop\SWSetup\olkint.msi[unk_0058][ieatgpc.dll]

DSS Scan Text:

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-12-26 14:32:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:47 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120867063573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165351215263
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7609 bytes

-- Files created between 2007-11-26 and 2007-12-26 -----------------------------

2007-12-26 13:55:50 0 d-------- C:\Program Files\SpywareBlaster
2007-12-26 12:27:19 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-26 12:24:33 8576 --a------ C:\WINDOWS\system32\drivers\nlygqbnxinwd.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-26 1246 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 11:56:16 0 d-------- C:\Program Files\Trend Micro
2007-12-26 03:50:21 0 d-------- C:\WINDOWS\ERUNT
2007-12-26 01:31:33 0 d-------- C:\Program Files\Symantec
2007-12-26 01:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-26 01:31:30 0 d-------- C:\Program Files\Symantec_Client_Security
2007-12-26 01:31:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-26 0149 0 d-------- C:\Program Files\Lavasoft
2007-12-26 0147 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 00:59:09 0 --a------ C:\Install
2007-12-26 00:59:04 0 d-------- C:\WINDOWS\ppqvmpqr
2007-12-26 00:58:57 23040 --a------ C:\WINDOWS\system32\winmmt32(2).dll
2007-12-26 00:55:18 0 d-------- C:\Program Files\SmartFTP Client
2007-12-26 00:55:13 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-26 00:55:13 4194304 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2007-12-26 00:55:01 0 d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-26 00:54:46 120832 -----n--- C:\WINDOWS\system32\ShnDll32.dll
2007-12-26 00:54:46 528384 -----n--- C:\WINDOWS\system32\BladeEnc.dll
2007-12-26 00:54:36 0 d-------- C:\Program Files\Audio Utilities


-- Find3M Report ---------------------------------------------------------------

2007-12-26 13:08:09 0 d-------- C:\Program Files\QuickTime
2007-12-26 13:04:24 0 d-------- C:\Program Files\iTunes
2007-12-26 01:31:30 0 d-------- C:\Program Files\Common Files
2007-11-20 22:25:46 0 d-------- C:\Program Files\iPod
2007-11-20 22:24:00 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe" [12/30/2003 04:44 AM]
"SoundMan"="SOUNDMAN.EXE" [02/26/2004 03:53 AM C:\WINDOWS\SOUNDMAN.EXE]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 02:06 AM C:\WINDOWS\system32\ptipbmf.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/25/2005 05:01 AM]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [02/14/2006 11:31 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [07/19/2005 10:05 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [07/22/2005 11:25 PM C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [11/14/2007 11:43 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 11:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 11:18 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 7:44:06 AM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [1/25/2007 12:20:32 PM]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2/28/2005 4:37:05 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [8/3/2007 11:10:00 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-26 14:33:03 ------------

Thank you again for your help,

-Eric
ezerneke
#2 - 12-26-2007, 12:39 PM
ezerneke (Registered User; Join Date: Dec 2007; Posts: 7; OS: xp)


Re: More Infected Than Expected...

Also wanted to give symptom information: originally saw install.exe and other files appear on my desktop and my machine rebooted automatically; IE started trying to pop up windows and was crashing repeatedly, two audio sales "pop-up" messages came through IE. I installed my virus protection program Symantec Antivirus and tried to have some of the malware isolated and quarantined. Doesn't look like it was able to get more than a few of the files. I also ran AdAware to get rid of anything it saw and what follows is the remainder as I follow the advice in the locked posts here in the forum.

Thank you again for any help.

-Eric
ezerneke
#3 - 12-26-2007, 04:31 PM
ezerneke (Registered User; Join Date: Dec 2007; Posts: 7; OS: xp)


Re: More Infected Than Expected...

More information that may help given your experience. If there is something else I can provide, please let me know. The main culprit seems to be Trojan.Dropper but there are quite a few files around.

More information that may help - these were found by Symantec AntiVirus and were quarantined while two of the A00 files were cleaned. I keep getting Realtime protection scan alerts for Trojan.Dropper on files such as A0030932.exe. Here are the files listed in Symantec:

16server.exe
svlook.exe
synmon.exe
win5E.exe
smss[1].exe
spoolsv[1].exe
spoolsv.exe
gebaaab.dll
xpupdate.exe

and various A0030XXX.exe or .dll files (about 10)

Thank you in advance for any assistance.

-Eric
ezerneke
#4 - 12-26-2007, 07:12 PM
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 20,048; OS: WinXP and Vista)


Re: More Infected Than Expected...

Hello Eric, and welcome.

I see you've also used ComboFix. Was that a recent run? If so, please post the C:\ComboFix.txt for review as well.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
#5 - 12-26-2007, 08:01 PM
ezerneke (Registered User; Join Date: Dec 2007; Posts: 7; OS: xp)


Re: More Infected Than Expected...

Hi Ried,

Thank you for the response. I have included the ComboFix log for your review. Thank you again for your help.

-Eric

ComboFix 07-12-26.3 - Administrator 2007-12-26 21:42:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1685 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 13:55 . 2007-12-26 13:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-26 12:27 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-26 12:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\nlygqbnxinwd.sys
2007-12-26 12:06 . 2007-12-26 13:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 12:06 . 2007-12-26 12:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-26 12:06 . 2007-12-26 12:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-26 12:06 . 2007-12-26 12:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-26 11:56 . 2007-12-26 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-26 11:54 . 2007-12-26 11:54 <DIR> d-------- C:\Deckard
2007-12-26 04:06 . 2007-12-26 04:06 0 --a------ C:\WINDOWS\VPC32.INI
2007-12-26 03:50 . 2007-12-26 03:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-26 03:14 . 2007-12-26 03:13 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2007-12-26 03:14 . 2007-12-26 03:13 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 03:14 . 2007-12-26 03:13 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 01:31 . 2007-12-26 01:31 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-12-26 01:31 . 2007-12-26 03:14 <DIR> d-------- C:\Program Files\Symantec
2007-12-26 01:31 . 2007-12-26 03:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-26 01:31 . 2007-12-26 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-26 01:06 . 2007-12-26 01:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-26 01:06 . 2007-12-26 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 00:59 . 2007-12-26 00:59 <DIR> d-------- C:\WINDOWS\ppqvmpqr
2007-12-26 00:59 . 2007-12-26 00:59 0 --a------ C:\Install
2007-12-26 00:58 . 2007-12-26 00:58 23,040 --a------ C:\WINDOWS\system32\winmmt32(2).dll
2007-12-26 00:55 . 2007-12-26 01:10 <DIR> d-------- C:\temp\Utilities
2007-12-26 00:55 . 2007-12-26 00:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-26 00:55 . 2007-12-26 03:04 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-12-26 00:54 . 2007-12-26 00:54 <DIR> d-------- C:\Program Files\Audio Utilities
2007-12-26 00:54 . 2000-01-11 16:46 528,384 --------- C:\WINDOWS\system32\BladeEnc.dll
2007-12-26 00:54 . 1997-07-15 10:30 120,832 --------- C:\WINDOWS\system32\ShnDll32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:08 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:04 --------- d-----w C:\Program Files\iTunes
2007-12-15 23:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-15 23:26 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-21 03:25 --------- d-----w C:\Program Files\iPod
2007-11-21 03:24 --------- d-----w C:\Program Files\Apple Software Update
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe" [2003-12-30 04:44]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 03:53 C:\WINDOWS\SOUNDMAN.EXE]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 02:06 C:\WINDOWS\system32\ptipbmf.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 05:01]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2006-02-14 23:31]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 03:56 C:\WINDOWS\system32\rundll32.exe]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-07-19 10:05]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-25 12:20:32]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2005-02-28 16:37:05]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00]

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-02-14 23:29]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 22:22]
R1 AmdPPM;AMD HwPState Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 21:46]
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 03:47]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2004-04-14 11:08]
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2004-04-14 11:08]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2004-04-14 11:08]
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-02-14 22:17]
S3 iLokDrvr;iLok;C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys [2005-12-21 15:59]
S3 SaiH0006;SaiH0006;C:\WINDOWS\system32\DRIVERS\SaiH0006.sys [2004-07-26 14:54]
S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 12:25]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2004-04-14 11:08]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 01:46:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 21:43:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2007-12-26 21:43:33
C:\ComboFix2.txt ... 2007-12-26 21:42
C:\ComboFix3.txt ... 2007-12-26 04:08
ezerneke is offline  
Old 12-26-2007, 08:21 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: xp


Re: More Infected Than Expected...

Ried,

I just realized there is more than one ComboFix text file from me running it. Should I delete any and run a full clean scan, or include all of them here?

-eric
ezerneke is offline  
Old 12-26-2007, 08:58 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: More Infected Than Expected...

Hi Eric,

No...that's fine, leave all those there. I'll have a reply for you shortly.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-26-2007, 09:07 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: More Infected Than Expected...

Ok Eric, let's take care of the remaining junk.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\winmmt32(2).dll

Folder::
C:\WINDOWS\ppqvmpqr

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
Ried is offline  
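The CFScript procedure above asks ComboFix to remove specific File:: and Folder:: entries; the log it writes afterwards lists what was actually deleted under an "Other Deletions" banner. As an added example (not from the thread, and not part of ComboFix), here is a small Python check that parses a CFScript in that layout and the log's "Other Deletions" section, then reports any requested path the log never lists as removed. The sample script and log excerpt are constructed to mirror the ones posted in this thread; the banner layout is assumed from those logs.

```python
import re

# Constructed sample inputs modelled on the thread's CFScript and ComboFix log.
CFSCRIPT = """File::
C:\\WINDOWS\\system32\\winmmt32(2).dll

Folder::
C:\\WINDOWS\\ppqvmpqr
"""

COMBOFIX_LOG = """((((((( Other Deletions )))))))
.

C:\\WINDOWS\\ppqvmpqr
C:\\WINDOWS\\ppqvmpqr\\1.png
C:\\WINDOWS\\system32\\winmmt32(2).dll

.
((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))
2007-12-26 13:55 . 2007-12-26 13:57 <DIR> d-------- C:\\Program Files\\SpywareBlaster
"""

def parse_cfscript(text):
    """Map each 'Name::' heading to the non-empty path lines beneath it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"(\w+)::", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def parse_deletions(log):
    """Collect paths between the 'Other Deletions' banner and the next banner."""
    deleted, inside = set(), False
    for line in (l.strip() for l in log.splitlines()):
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break  # next section banner: stop, later entries are not deletions
        elif inside and line and line != ".":
            deleted.add(line.lower())  # NTFS paths compare case-insensitively
    return deleted

def unresolved(script_text, log_text):
    """Requested File::/Folder:: entries the log never reports as deleted."""
    wanted, deleted = parse_cfscript(script_text), parse_deletions(log_text)
    return [p for p in wanted.get("File", []) + wanted.get("Folder", [])
            if p.lower() not in deleted]
```

An empty list from unresolved() means every item the script asked for appears in the deletions section; any path it returns is one to look for again in the next scan.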
Old 12-27-2007, 12:09 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: xp


Re: More Infected Than Expected...

Ried,

Thank you for the directions. I have followed them as you have outlined and the log files are attached - ComboFix.txt, kasperskyResults.txt, and hijackthis.txt.

The behavior of the machine is relatively OK, in that I am not getting pop-ups currently and no audio ads coming through, but IE is extremely extremely slow before opening up any sites. I haven't done anything else on the machine to make sure I'm not propagating the viruses by my actions.

Thank you again Ried for your help,

-Eric

ComboFix 07-12-26.3 - Administrator 2007-12-27 11:15:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1707 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\winmmt32(2).dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\system32\winmmt32(2).dll

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 13:55 . 2007-12-26 13:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-26 12:27 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-26 12:24 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\nlygqbnxinwd.sys
2007-12-26 12:06 . 2007-12-26 13:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 12:06 . 2007-12-26 12:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-26 12:06 . 2007-12-26 12:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-26 12:06 . 2007-12-26 12:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-26 11:56 . 2007-12-26 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-26 11:54 . 2007-12-26 11:54 <DIR> d-------- C:\Deckard
2007-12-26 04:06 . 2007-12-26 04:06 0 --a------ C:\WINDOWS\VPC32.INI
2007-12-26 03:50 . 2007-12-26 03:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-26 03:14 . 2007-12-26 03:13 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2007-12-26 03:14 . 2007-12-26 03:13 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 03:14 . 2007-12-26 03:13 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 01:31 . 2007-12-26 01:31 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-12-26 01:31 . 2007-12-26 03:14 <DIR> d-------- C:\Program Files\Symantec
2007-12-26 01:31 . 2007-12-26 03:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-26 01:31 . 2007-12-26 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-26 01:06 . 2007-12-26 01:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-26 01:06 . 2007-12-26 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 00:55 . 2007-12-26 01:10 <DIR> d-------- C:\temp\Utilities
2007-12-26 00:55 . 2007-12-26 00:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-26 00:55 . 2007-12-26 03:04 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-12-26 00:54 . 2007-12-26 00:54 <DIR> d-------- C:\Program Files\Audio Utilities
2007-12-26 00:54 . 2000-01-11 16:46 528,384 --------- C:\WINDOWS\system32\BladeEnc.dll
2007-12-26 00:54 . 1997-07-15 10:30 120,832 --------- C:\WINDOWS\system32\ShnDll32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 18:08 --------- d-----w C:\Program Files\QuickTime
2007-12-26 18:04 --------- d-----w C:\Program Files\iTunes
2007-12-15 23:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-15 23:26 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-21 03:25 --------- d-----w C:\Program Files\iPod
2007-11-21 03:24 --------- d-----w C:\Program Files\Apple Software Update
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe" [2003-12-30 04:44]
"SoundMan"="