Dear Tech Support Analysts
I've been struck by a malware attack resulting in the following:
Multiple IEs opening (URLs: Antiviruspcsuite.com errclean.com yourprivacyguard.com advancedcleaner.com storageprotector.com protectingtool.com and others)
Fake Windows Security Alert dialogues popping up
I'm trying to fix this with many anti-spyware programs, but the problem can't be fixed.
I really hope you can help me out.
Regards,
Panupun
My HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:23:08, on 8/12/2550
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\soundman.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ZSSnp211.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.131.10:3128
O2 - BHO: Her - {2A7102DE-1F71-4146-86FD-A722E8AB3489} - C:\WINDOWS\system32\lorinhib.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
My Fixwareout text:
Username "Administrator" - 12/08/2007 17:08:33 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"SoundMan"="soundman.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ZSSnp211"="C:\\WINDOWS\\ZSSnp211.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"
"egui"="\"C:\\Program Files\\Eset\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
My ComboFix text:
ComboFix 07-12-08.1 - Administrator 12/08/2007 18:12:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.116 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 23:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-07 23:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-07 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-07 22:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-07 22:26 --------- d-----w C:\Program Files\CCleaner
2007-12-07 22:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 19:02 25,600 ----a-w C:\WINDOWS\system32\lorinhib.dll
2007-12-05 16:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-05 14:48 307 ----a-w C:\MSNcolor.reg
2007-12-02 07:22 --------- d-----w C:\Program Files\SPSSEval
2007-12-02 07:22 --------- d-----w C:\Program Files\DAP
2007-12-02 07:21 --------- d-----w C:\Program Files\AvRack
2007-11-30 21:12 --------- d-----w C:\Program Files\PowerStrip
2007-11-30 19:57 3,548 ----a-w C:\WINDOWS\system32\drivers\WinFlash.sys
2007-11-30 15:53 --------- d-----w C:\Program Files\S3
2007-11-30 14:26 --------- d-----w C:\Program Files\SEC
2007-11-27 19:56 --------- d-----w C:\Program Files\EPSON
2007-11-27 19:55 --------- d-----w C:\Program Files\Common Files\EPSON
2007-11-25 15:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-18 15:29 --------- d-----w C:\Program Files\Investintech.com Inc
2007-11-14 08:06 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-14 08:04 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 08:03 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-11-11 06:34 --------- d-----w C:\Program Files\GNU
2007-11-04 19:37 --------- d-----w C:\Program Files\มหาหมอดู 8.0share
2007-11-04 19:36 286,720 ----a-w C:\WINDOWS\iun506.exe
2007-11-04 19:28 --------- d-----w C:\Program Files\Uranus
2007-11-04 19:27 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-04 19:27 249,856 ------w C:\WINDOWS\Setup1.exe
2007-10-16 18:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GRETECH
2007-10-14 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-10-14 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-14 12:53 --------- d-----w C:\Program Files\Realtek
2007-10-14 12:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A7102DE-1F71-4146-86FD-A722E8AB3489}]
12/08/2007 02:02 AM 25600 --a------ C:\WINDOWS\system32\lorinhib.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [07/01/2005 10:02 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/14/2007 01:49 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [07/01/2005 10:02 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [07/01/2005 10:02 PM]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [03/19/2002 05:30 PM]
"SoundMan"="soundman.exe" [02/05/2002 04:15 AM C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/23/2006 02:39 AM]
"ZSSnp211"="C:\WINDOWS\ZSSnp211.exe" [08/19/2006 11:37 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"egui"="C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" [11/14/2007 03:05 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 PM]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [07/01/2005 10:02 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
08/18/2006 04:58 PM 49152 --a------ C:\WINDOWS\Domino.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe"
S3 agony;agony;\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf7_temp_1\agony.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 ZSMC211;USB PC Camera (ZS0211);C:\WINDOWS\system32\Drivers\ZS211.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a8e7e20-105b-11dc-91a4-00e07d9c395a}]
\Shell\AutoRun\command - F:\SCVVHSOT.exe
\Shell\Open\command - F:\SCVVHSOT.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37107270-080b-11db-8eda-00e07d9c395a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 18:16:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 12/08/2007 18:17:59
.
--- E O F ---