Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page please help - infected machines #1
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 06-30-2007, 12:29 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: XP


please help - infected machines #1
we have 3 PC's at home, 2 desktops and a laptop, all running Win XP Pro SP2, Symantec AV and Zone Labs firewall.
one desktop started running real slow, I suspect after a program download from eMule.
Symantec AVC keeps alerting on Vundo, Trojan Low Zone and Trojan Dropper
Looking at the autoruns I saw several malware files, such as mgrs.exe, tuvurss.dll and ssqrq.dll.

Any help will be greatly appreciated, sine my Symantec AV , Adware SE and Spybot cannot clean these attacks.
I followed the 5 initial Steps recommended on your site, here are the results:

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:01:41, on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\avp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\downloads\HiJackThis_v2.exe
C:\WINDOWS\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6B3DBEF4-0282-416A-B4E9-6AD8BA7D8AA4} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - C:\WINDOWS\system32\tuvussr.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155649420288
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
O20 - Winlogon Notify: tuvussr - C:\WINDOWS\SYSTEM32\tuvussr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7233 bytes



Panda Activescan log


Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\user\Cookies\user@mysearch[2].txt
Virus:Malware Generic Disinfected C:\Documents and Settings\user\Desktop\install.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\user\Local Settings\Temp\NeroDemo12547\Toolbar.exe
Dialer:Dialer.KHJ Not disinfected C:\Documents and Settings\user\Local Settings\Temp\win2AC.tmp.exe
Virus:Trj/Downloader.OCO Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTOXYLKT\Nero_7.8.5.0_Premium_keygen[1].exe[crack.exe]
Virus:Malware Generic Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTOXYLKT\Nero_7.8.5.0_Premium_keygen[1].exe[install.exe]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL
Virus:Malware Generic Disinfected C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar\Setup.exe[Toolbar.exe]
Virus:Malware Generic Disinfected D:\temp\install.exe
Virus:Trj/Downloader.OCO Not disinfected D:\temp\Nero_7.8.5.0_Premium_keygen.exe[crack.exe]
Virus:Malware Generic Not disinfected D:\temp\Nero_7.8.5.0_Premium_keygen.exe[install.exe]


Deckard's System Scan log:

Deckard's System Scanner v20070611.50
Run by user on 2007-06-30 at 22:08:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-06-30 20:08:11 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:14:49, on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\avp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\downloads\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\voufgjoj.dll
O2 - BHO: (no name) - {5DC6D427-4A16-4865-BD90-DCB4DF407769} - C:\WINDOWS\system32\ssqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O2 - BHO: (no name) - {FB40D31A-B1F8-47EA-BC54-D27DDB475978} - C:\WINDOWS\system32\tuvussr.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\icfohtto.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155649420288
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
O20 - Winlogon Notify: tuvussr - C:\WINDOWS\SYSTEM32\tuvussr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; Bo Brantén; filedisk>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-06-30 18:35:22 264 --ah----- C:\WINDOWS\Tasks\B03EB53497FD26C0.job
2007-06-19 19:56:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-05-30 and 2007-06-30 -----------------------------

2007-06-30 22:08:55 128576 --a------ C:\WINDOWS\system32\icfohtto.dll
2007-06-30 2255 0 d-------- C:\WINDOWS\LastGood
2007-06-30 22:01:18 66112 --a------ C:\WINDOWS\system32\voufgjoj.dll
2007-06-30 21:57:06 920569 ---hs---- C:\WINDOWS\system32\qrqss.bak2
2007-06-30 20:57:21 0 d-------- C:\Program Files\SpywareBlaster
2007-06-30 19:17:08 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-30 18:59:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-06-30 18:59:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-06-30 18:59:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-06-30 18:59:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-06-30 18:59:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-06-30 18:59:22 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-06-30 18:59:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-06-30 18:59:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-06-30 18:59:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-06-30 18:59:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-06-30 18:59:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-06-30 18:59:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-06-30 18:59:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-06-30 18:59:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-06-30 11:56:14 11776 --a------ C:\WINDOWS\mgrs.exe
2007-06-30 11:30:20 77312 --a------ C:\WINDOWS\ua2.dll
2007-06-30 11:03:25 0 d-------- C:\Program Files\Nero
2007-06-30 11:03:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-06-30 11:00:01 0 d-------- C:\Program Files\AskTBar
2007-06-30 10:40:11 0 d-------- C:\WINDOWS\system32\appmgmt
2007-06-30 09:58:33 0 d-------- C:\Documents and Settings\user\Application Data\Ahead
2007-06-30 09:56:57 6369 ---hs---- C:\WINDOWS\system32\qrqss.bak1
2007-06-30 09:56:39 266336 --a------ C:\WINDOWS\system32\ssqrq.dll
2007-06-30 09:51:34 31254 --a------ C:\WINDOWS\system32\jkkjhfc.dll
2007-06-30 09:46:56 31254 --a------ C:\WINDOWS\system32\tuvussr.dll
2007-06-30 09:46:53 56320 --a------ C:\Documents and Settings\All Users\Application Data\dedgrqbe.exe
2007-06-30 09:46:46 20992 --a------ C:\WINDOWS\avp.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2007-06-30 09:46:44 21504 --a------ C:\WINDOWS\system32\winbug32.dll
2007-06-29 20:28:31 0 d-------- C:\Documents and Settings\user\Application Data\U3
2007-06-29 20:03:47 0 d-------- C:\WINDOWS\Prefetch
2007-06-29 18:40:20 0 d--hs---- C:\WINDOWS\CSC
2007-06-29 17:53:31 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-06-29 17:05:14 0 d-------- C:\b76a1af87dd2b90be1bf687fb745454f
2007-06-29 16:50:52 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:51 171280 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:51 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:51 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2007-06-29 16:50:51 6550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-29 16:50:47 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-06-29 16:50:47 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-06-29 16:50:47 171792 --a------ C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:47 286992 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:46 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:46 947472 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:46 154384 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:45 172304 --a------ C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:45 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:45 404752 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:45 63248 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:45 187152 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:50:43 49424 --a------ C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-06-29 16:48:32 0 d-------- C:\WINDOWS\pss
2007-06-29 16:17:59 0 d-------- C:\WINDOWS\OemDir


-- Find3M Report ---------------------------------------------------------------

2007-06-30 22:05:54 0 d-------- C:\Program Files\Symantec AntiVirus
2007-06-30 21:09:39 49776 --a------ C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-06-30 11:05:30 0 d-------- C:\Program Files\Common Files\Ahead
2007-06-29 20:07:03 0 d-------- C:\Program Files\MSN Messenger
2007-06-29 19:50:42 0 d-------- C:\Program Files\Movie Maker
2007-06-29 19:50:34 0 d-------- C:\Program Files\Windows NT
2007-06-29 17:47:54 0 d-------- C:\Documents and Settings\user\Application Data\knob owns love
2007-06-29 16:28:48 0 d--h----- C:\Program Files\WindowsUpdate
2007-06-29 14:51:28 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 23:59:30 0 d-------- C:\Program Files\eMule
2007-05-21 17:41:13 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-04-05 19:21:46 574 --a------ C:\Program Files\INSTALL.LOG


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1} C:\WINDOWS\system32\voufgjoj.dll
{5DC6D427-4A16-4865-BD90-DCB4DF407769} C:\WINDOWS\system32\ssqrq.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{b5146c40-189a-4311-bda9-fbae3e023187} C:\Program Files\Multi_Media\tbMult.dll
{D5792AA9-D373-4039-8670-2CDAB6A71F15} C:\Program Files\BitDownload\TorrentManager.dll
{FB40D31A-B1F8-47EA-BC54-D27DDB475978} C:\WINDOWS\system32\tuvussr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Babylon Client"="C:\\Program Files\\Babylon\\Babylon.exe -AutoStart"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"avp"="C:\\WINDOWS\\avp.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"smgr"="mgrs.exe"
"icq.com"="rundll32.exe \"C:\\WINDOWS\\system32\\icfohtto.dll\",forkonce"
"SC2"="C:\\WINDOWS\\system32\\scchk32.exe"
"dedgrqbe.exe"="C:\\Documents and Settings\\All Users\\Application Data\\dedgrqbe.exe"
"CITY FAST SITE THIRD"="C:\\Documents and Settings\\All Users\\Application Data\\Keep option city fast\\dart anti.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"long software"="C:\\DOCUME~1\\user\\APPLIC~1\\KNOBOW~1\\meal heck.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB40D31A-B1F8-47EA-BC54-D27DDB475978}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks\AutorunsDisabled]
"{FB40D31A-B1F8-47EA-BC54-D27DDB475978}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvussr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe -a


-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-06-30 at 22:15:50 ---------

thanks again
Attached Files
File Type: txt extra.txt (7.9 KB, 0 views)
alex___h is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 06-30-2007, 01:04 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: please help - infected machines #1
1. Download & save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-30-2007, 01:47 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: XP


Re: please help - infected machines #1
thanks sUBs for the extremely quick reply
here are the logs

Combofix log

"user" - 2007-06-30 23:30:54 - ComboFix 07-07-01 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\icfohtto.dll
C:\WINDOWS\system32\voufgjoj.dll
C:\WINDOWS\system32\jkkjhfc.dll
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\otthofci.ini
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\tuvussr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-30 23:22 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 21:55 <DIR> d-------- C:\Deckard
2007-06-30 20:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-30 19:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-30 18:59 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 11:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-30 11:03 <DIR> d-------- C:\Program Files\Nero
2007-06-30 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-30 11:00 <DIR> d-------- C:\Program Files\AskTBar
2007-06-30 10:40 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-30 09:58 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Ahead
2007-06-30 09:46 56,320 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\dedgrqbe.exe
2007-06-30 09:46 21,504 --a------ C:\WINDOWS\system32\winbug32.dll
2007-06-29 20:28 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\U3
2007-06-29 20:03 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-29 18:40 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-29 17:05 <DIR> d-------- C:\b76a1af87dd2b90be1bf687fb745454f
2007-06-29 16:52 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-29 16:52 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-06-29 16:52 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-29 16:50 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-06-29 16:50 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-06-29 16:50 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-29 16:50 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-06-29 16:50 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-06-29 16:50 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-06-29 16:50 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-06-29 16:50 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-06-29 16:50 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-06-29 16:50 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-06-29 16:50 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-06-29 16:50 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-06-29 16:50 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-06-29 16:50 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-06-29 16:50 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-06-29 16:50 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-06-29 16:48 <DIR> d-------- C:\WINDOWS\pss
2007-06-29 16:44 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-06-29 16:32 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-06-29 16:32 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-06-29 16:17 <DIR> d-------- C:\WINDOWS\OemDir
2007-06-29 14:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-06-29 14:52 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-06-29 14:52 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-06-29 14:52 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-06-29 14:52 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-06-29 14:52 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-06-29 14:52 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-06-29 14:52 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-06-29 14:52 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-06-29 14:52 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-29 14:52 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-06-29 14:52 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-06-29 14:52 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-06-29 14:52 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-06-29 14:52 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-06-29 14:52 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-06-29 14:52 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-06-29 14:52 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-06-29 14:52 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-06-29 14:52 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-06-29 14:52 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-06-29 14:51 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-29 14:51 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-06-29 14:51 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2007-06-29 14:51 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-29 14:51 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-06-29 14:51 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-06-29 14:51 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-06-29 14:51 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-06-29 14:51 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-06-29 14:51 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-29 14:51 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-06-29 14:51 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-06-29 14:51 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-06-29 14:51 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-06-29 14:51 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-06-29 14:51 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-29 14:51 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-06-29 14:51 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-29 14:51 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-06-29 14:51 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-06-29 14:51 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-06-29 14:51 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-06-29 14:51 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-06-29 14:51 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-06-29 14:51 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-06-29 14:51 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-06-29 14:51 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-06-29 14:51 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-06-29 14:51 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-06-29 14:51 147,968 --a------ C:\WINDOWS\system32\rdchost.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 21:34:09 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-30 19:09:39 49,776 ----a-w C:\DOCUME~1\user\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-30 09:05:30 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-29 18:07:03 -------- d-----w C:\Program Files\MSN Messenger
2007-06-29 17:50:42 -------- d-----w C:\Program Files\Movie Maker
2007-06-29 17:50:34 -------- d-----w C:\Program Files\Windows NT
2007-06-29 15:47:54 -------- d-----w C:\DOCUME~1\user\APPLIC~1\knob owns love
2007-06-29 14:28:48 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-29 12:51:28 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:59:30 -------- d-----w C:\Program Files\eMule
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 19:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 06:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-12-15 02:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]
2007-03-19 10:50 1297432 --a------ C:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5792AA9-D373-4039-8670-2CDAB6A71F15}]
2006-12-22 12:06 126976 --a------ C:\Program Files\BitDownload\TorrentManager.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 20:50 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 04:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-31 00:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 09:46]
"Babylon Client"="C:\Program Files\Babylon\Babylon.exe" [2005-01-23 23:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 12:20 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-09-19 07:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\ssqrq.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-19 17:56:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-30 16:35:22 C:\WINDOWS\tasks\B03EB53497FD26C0.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 23:33:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 23:35:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-30 23:35

--- E O F ---


HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:44:56, on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155649420288
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6631 bytes


Alex
alex___h is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-30-2007, 01:57 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: please help - infected machines #1
Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:
  • AskTBar
Please note any other programs that you dont recognize in that list in your next response


---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\BitDownload\TorrentManager.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - (no file)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\winbug32.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\dedgrqbe.exe
C:\Program Files\BitDownload\TorrentManager.dll
C:\WINDOWS\tasks\B03EB53497FD26C0.job
Folder::
C:\Program Files\AskTBar
C:\DOCUME~1\user\APPLIC~1\knob owns love
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5792AA9-D373-4039-8670-2CDAB6A71F15}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
Save this as ComboFix-Do.txt




Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-30-2007, 04:04 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: XP


Re: please help - infected machines #1
well here they are:

1. Fresh Hijackthis log taken just before replying

Logfile of HijackThis v1.99.1
Scan saved at 01:57:52, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dedgrqbe.exe] C:\Documents and Settings\All Users\Application Data\dedgrqbe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155649420288
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


2. Online scan from KAspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 01, 2007 1:56:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/07/2007
Kaspersky Anti-Virus database records: 356048
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 44424
Number of viruses found: 15
Number of infected objects: 47 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:27

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\97625.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\NeroDemo12547\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\wnd2AA.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\wnd2C7.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580002.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580003.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A740000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0002.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0003.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0004.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180000.VBN Infected: Trojan.Win32.Inject.br skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180001.VBN Infected: Trojan.Win32.Inject.br skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA00000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA00001.VBN Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0000.VBN Infected: Trojan.Win32.Agent.anr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0001.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0002.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0003.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Babylon\log_file.txt Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007070120070702\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\QooBox\Quarantine\C\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.f skipped
C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjhfc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvussr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winbug32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000079.exe Infected: Trojan-Downloader.Win32.Alphabet.f skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000080.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000163.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000165.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000166.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\USER-4PVWJAMKRZ.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6A55F351-C60D-4524-B1DF-3BF22097289C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05f8f.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar\Setup.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar\Setup.exe RAR: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\change.log Object is locked skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kq skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/patch.exe Infected: Trojan-Downloader.Win32.Agent.btq skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.br skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe RarSFX: infected - 5 skipped

Scan process completed.


3. ComboFix's log

"user" - 2007-07-01 0:56:09 - ComboFix 07-07-01 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\user\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\dedgrqbe.exe
C:\DOCUME~1\user\APPLIC~1\knob owns love
C:\DOCUME~1\user\APPLIC~1\knob owns love\9928565B
C:\Program Files\AskTBar
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL
C:\Program Files\AskTBar\bar\Cache\002477E0
C:\Program Files\AskTBar\bar\Cache\00247BC8
C:\Program Files\AskTBar\bar\Cache\00247DBC.bin
C:\Program Files\AskTBar\bar\Cache\002480AA.bin
C:\Program Files\AskTBar\bar\Cache\0024828E.bin
C:\Program Files\AskTBar\bar\Cache\files.ini
C:\Program Files\AskTBar\bar\History\search2
C:\Program Files\AskTBar\bar\Settings\prevcfg2.htm
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
C:\WINDOWS\system32\winbug32.dll
C:\WINDOWS\tasks\B03EB53497FD26C0.job


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-30 23:22 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 21:55 <DIR> d-------- C:\Deckard
2007-06-30 20:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-30 19:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-30 18:59 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 11:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-30 11:03 <DIR> d-------- C:\Program Files\Nero
2007-06-30 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-30 10:40 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-30 09:58 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Ahead
2007-06-29 20:28 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\U3
2007-06-29 20:03 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-29 18:40 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-29 17:05 <DIR> d-------- C:\b76a1af87dd2b90be1bf687fb745454f
2007-06-29 16:52 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-29 16:52 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-06-29 16:52 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-29 16:50 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-06-29 16:50 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-06-29 16:50 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-29 16:50 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-06-29 16:50 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-06-29 16:50 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-06-29 16:50 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-06-29 16:50 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-06-29 16:50 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-06-29 16:50 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-06-29 16:50 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-06-29 16:50 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-06-29 16:50 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-06-29 16:50 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-06-29 16:50 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-06-29 16:50 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-06-29 16:48 <DIR> d-------- C:\WINDOWS\pss
2007-06-29 16:44 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-06-29 16:32 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-06-29 16:32 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-06-29 16:17 <DIR> d-------- C:\WINDOWS\OemDir
2007-06-29 14:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-06-29 14:52 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-06-29 14:52 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-06-29 14:52 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-06-29 14:52 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-06-29 14:52 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-06-29 14:52 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-06-29 14:52 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-06-29 14:52 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-06-29 14:52 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-29 14:52 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-06-29 14:52 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-06-29 14:52 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-06-29 14:52 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-06-29 14:52 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-06-29 14:52 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-06-29 14:52 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-06-29 14:52 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-06-29 14:52 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-06-29 14:52 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-06-29 14:52 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-06-29 14:51 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-29 14:51 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-06-29 14:51 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2007-06-29 14:51 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-29 14:51 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-06-29 14:51 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-06-29 14:51 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-06-29 14:51 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-06-29 14:51 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-06-29 14:51 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-29 14:51 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-06-29 14:51 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-06-29 14:51 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-06-29 14:51 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-06-29 14:51 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-06-29 14:51 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-29 14:51 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-06-29 14:51 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-29 14:51 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-06-29 14:51 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-06-29 14:51 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-06-29 14:51 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-06-29 14:51 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-06-29 14:51 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-06-29 14:51 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-06-29 14:51 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-06-29 14:51 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-06-29 14:51 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-06-29 14:51 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-06-29 14:51 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-06-29 14:51 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-06-29 14:51 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-06-29 14:51 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 22:50:17 -------- d-----w C:\Program Files\BitDownload
2007-06-30 22:15:38 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-30 22:15:26 -------- d-----w C:\Program Files\QuickTime
2007-06-30 22:14:16 -------- d-----w C:\Program Files\Multi_Media
2007-06-30 22:12:25 -------- d-----w C:\Program Files\Messenger
2007-06-30 22:11:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-30 22:10:06 -------- d-----w C:\Program Files\Babylon
2007-06-30 19:09:39 49,776 ----a-w C:\DOCUME~1\user\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-30 09:05:30 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-29 18:07:03 -------- d-----w C:\Program Files\MSN Messenger
2007-06-29 17:50:42 -------- d-----w C:\Program Files\Movie Maker
2007-06-29 17:50:34 -------- d-----w C:\Program Files\Windows NT
2007-06-29 14:28:48 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-29 12:51:28 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:59:30 -------- d-----w C:\Program Files\eMule
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 19:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 06:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-12-15 02:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]
2007-03-19 10:50 1297432 --a------ C:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 20:50 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 04:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-31 00:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 09:46]
"Babylon Client"="C:\Program Files\Babylon\Babylon.exe" [2005-01-23 23:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 12:20 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"dedgrqbe.exe"="C:\Documents and Settings\All Users\Application Data\dedgrqbe.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-09-19 07:14]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-19 17:56:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 00:57:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [3300]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 0:57:27
C:\ComboFix-quarantined-files.txt ... 2007-07-01 00:57
C:\ComboFix2.txt ... 2007-06-30 23:35

--- E O F ---
thanks , Alex
alex___h is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-30-2007, 04:12 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: please help - infected machines #1
D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar
D:\temp\Nero_7.8.5.0_Premium_keygen.exe

Guess you know now how you got infected. The above files must be deleted.


--------------


Of the other stuff Kaspersky found,

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ is your antivirus program's quarantine cache. You should delete the contents. Please use Symantec's guide to remove the files from quarantine. http://service1.symantec.com/SUPPORT...on=1#_Section1


C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

C:\Deckard\ is DSS's working folder. You can safely delete it

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-30-2007, 04:43 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: XP


Re: please help - infected machines #1
thank you thank you thank you
I worked for IBM Research 33 years, never have I encountered such a service level and professionality. chapeau !
Alex
alex___h is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 03:15 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84