pecibinks

Can't clean trojans causing winlogon.exe running at 99% of CPU

Hi,

I've been trying to get rid of some trojans, but haven't managed to do it yet, so I would appreciate any help.

 

I have scanned my computer with both Panda and Sophos antivirus (and followed Sophos's instructions to remove trojans). I have already removed Troj/Cimuz-CD from my system, but the system is still hanging from time to time and also showing blue screens (something like Driver_irql_not_less_or_equal and NDIS.sys).

 

I have run Spybot Search and Destroy and found the following things :

 

Microsoft.Windows.SecurityCenter.FirewallByPass

Smitfraud-C

Win32.Agent.pz

 

Spybot couldn't clean the file rpcc.dll (for Smitfraud) or the files video.dll and audio.dll located in the subdirectory system32\wsnpoem\ (for Win32.Agent.pz).

 

I tried to clean them using KillBox, but did something wrong and they're still there.

 

I ran HijackThis and found problems with ntos.exe, mszsrn32.dll and the LSP stack. I tried to fix them, but I'm not sure how to do it.

 

I really would appreciate any help, and I'm pasting the HijackThis log.

 

Many thanks

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 00:21:47, on 23/04/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\taskmgr.exe

C:\HijackThis\HiJackThis_v2.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\tmwsock.dll' missing

O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\alfa\autocomp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 7619 bytes


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi pecibinks,

 

Welcome to SpywareInfo! :wave:

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, here’s what we do first.

 

Please download LSPFix and save it to your desktop:

  • Disconnect from the Internet.
  • Unzip the LSPFix file to your desktop.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I'm doing" checkbox.
  • In the left-hand column, which is labeled "Keep", select all instances of this file:
     
    vvhqlfsuacw.dll
     
     
  • Click the arrow >> so it goes over to the right-hand column under "Remove".
  • Then click Finish to allow LSPFix to rebuild the LSP chain.

Note: Only vvhqlfsuacw.dll needs to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane and post the filenames to inform me.

 

 

NEXT:

 

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

 

Please download SDFix by AndyManchesta and save it to your desktop.

 

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

 

Please then reboot your computer into Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.

 

Once in Safe Mode, please do the following:

  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum along with a new HijackThis log.

 

NEXT:

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

NEXT:

 

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

 

sc stop msupdate

 

sc delete msupdate

 

sc stop MySQL

 

sc delete MySQL

NEXT:

 

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
    C:\WINDOWS\system32\ntos.exe
    c:\windows\system32\vvhqlfsuacw.dll
    c:\windows\system32\msvcrtd.exe
    C:\Program.exe
     
     
  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:
     
    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
     
    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.

NEXT:

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK), and copy and paste the text present inside the code box below:

 

For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\ndis.sys') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt & exit

 

Save this as check.bat. Choose to save as "All files" and place it on your desktop.

 

It should look like this: bat.gif

 

Double-click check.bat on your desktop.

 

Notepad should open with text in it. Please post the contents of that text here.

 

In case you still are unsure on how to create a BAT file, please take a look HERE with screenshots.

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the SDFix scan.
  2. The log from OTMoveIt.
  3. The log from the check.bat scan.
  4. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.

Edited by Sempurna

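As an added illustration (not code from this thread, from HijackThis or from SDFix), a small Python triage script that applies the same checks the helper applied by eye to the log above: an extra executable in the UserInit value, Run entries that launch that same executable, unknown Winsock LSP modules, and Winlogon Notify or service entries whose file is missing. The sample lines are constructed in the HijackThis v2 format shown in the thread, with a clean O4 and O23 entry included so the rules can be seen to skip them.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vvhqlfsuacw.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def userinit_extras(body):
    """Executables appended to the UserInit value besides the genuine userinit.exe."""
    value = body.partition("UserInit=")[2]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def run_target(body):
    """Path launched by an O4 entry: 'HKCU\\..\\Run: [name] C:\\x.exe (User ...)' -> 'C:\\x.exe'."""
    target = body.split("]", 1)[-1].strip()
    return USER_SUFFIX_RE.sub("", target)


def triage(text):
    """Return de-duplicated (section, reason, detail) findings for a HijackThis log."""
    entries = parse_hjt(text)
    findings = []
    payloads = set()  # lower-cased executables the UserInit rule flagged

    # Pass 1: entries that are suspicious on their own.
    for sec, body in entries:
        if sec == "F2" and "UserInit=" in body:
            for exe in userinit_extras(body):
                payloads.add(exe.lower())
                findings.append((sec, "extra executable in UserInit (runs at every logon)", exe))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, "orphaned BHO registration", body))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            findings.append((sec, "unknown Winsock LSP module", body.partition(":")[2].strip()))
        elif sec == "O10" and "missing" in body:
            findings.append((sec, "broken LSP chain", body))
        elif sec == "O20" and body.endswith("(file missing)"):
            findings.append((sec, "Winlogon Notify entry whose DLL is missing", body))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append((sec, "service pointing at a missing binary", body))

    # Pass 2: Run entries that launch an executable already flagged from UserInit.
    for sec, body in entries:
        if sec == "O4" and run_target(body).lower() in payloads:
            findings.append((sec, "Run entry launching the UserInit payload", body))

    # HijackThis repeats O10 once per LSP chain slot, so collapse exact duplicates.
    unique = []
    for f in findings:
        if f not in unique:
            unique.append(f)
    return unique


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}: {detail}")
```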

Hi,

 

First of all, thanks very much for your help, I really appreciate the fact that you took the time to analyze my log.

 

I followed your instructions, here are the notes about the process:

 

a) When I ran LSPFix, the file tmwsock.dll was initially in the "Remove" column; I moved it back to "Keep" and only removed vvhqlfsuacw.dll.

 

b) When I ran FixTool, at the end it told me to run CatchMe.exe, but I didn't do it as it wasn't in your instructions.

 

My computer has only been running for half an hour since I followed the instructions, but it seems to be running OK. I checked TCPView, and it looks OK to me (before the disinfection process, a lot of explorer.exe processes appeared there, connecting to different remote addresses using SMTP). Just one weird thing: when I click on the Start button, then All Programs, it says that new programs have been installed and it highlights programs that were installed some time ago (this behaviour occurs now, but it was also happening before).

Here are the logs in the following order: SDFix log, OTMoveIt log, check.bat log, new HijackThis log.

 

 

SDFix: Version 1.79

 

Run by Fernando - 27/04/2006 - 14:07:56.67

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

msupdate

ntldr.sys

 

ImagePath:

c:\windows\system32\msvcrtd.exe

\??\C:\ntldr.sys

 

msupdate - Deleted

ntldr.sys - Deleted

ndis.sys Infected!

 

Patched File copied to Backups Folder

Attempting to replace ndis.sys with original version...

 

Original ndis.sys Restored

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\CP1041.NLS - Deleted

 

Removing Temp Files

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Final Check:

 

Remaining Services:

------------------

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\CMpdpsrv.exe"="C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\CMpdpsrv.exe:*:Enabled:PDP RPC Server"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"c:\\docume~1\\fernando\\locals~1\\temp\\funlib.exe"="c:\\docume~1\\fernando\\locals~1\\temp\\funlib.exe:*:Enabled:funlib"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"c:\\windows\\system32\\mstsdsc.exe"="c:\\windows\\system32\\mstsdsc.exe:*:Enabled:mstsdsc"

"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes:

 

C:\Documents and Settings\Fernando\NetHood\ftp.surproject.com\Desktop.ini

C:\WINDOWS\rreg32.dll

C:\WINDOWS\utapi32.dll

C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

C:\BackupUni5Dec06\Thesis\My Papers\Journal\~WRL1057.tmp

C:\BackupUni5Dec06\Thesis\My Papers\Journal\~WRL2734.tmp

C:\Charlo\Karla\~WRL0004.tmp

C:\Charlo\Karla\~WRL2216.tmp

C:\Charlo\Karla\~WRL2224.tmp

C:\Charlo\Karla\~WRL2598.tmp

C:\Charlo\Karla\~WRL3850.tmp

C:\Charlo\Karla\Boda\Invitaciones\~WRL0493.tmp

C:\Charlo\Karla\Boda\Invitaciones\~WRL3395.tmp

C:\Charlo\Karla\Tesis\~WRL0001.tmp

C:\Charlo\Karla\Tesis\~WRL1968.tmp

C:\Charlo\Karla\Tesis\~WRL2196.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL0484.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL0603.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL1046.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL1421.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL3386.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL3826.tmp

C:\Charlo\Karla\Tesis\Documento\~WRL4044.tmp

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

C:\Documents and Settings\Fernando\Application Data\Microsoft\Word\~WRL0005.tmp

C:\Documents and Settings\Fernando\Application Data\Microsoft\Word\~WRL0006.tmp

C:\Documents and Settings\Fernando\My Documents\~WRL3852.tmp

C:\Essex\Conacyt\~WRL0486.tmp

C:\Essex\Curriculums and Job Applications\~WRL1858.tmp

C:\Essex\Curriculums and Job Applications\~WRL2534.tmp

C:\Essex\Curriculums and Job Applications\LondonCity\~WRL0526.tmp

C:\Essex\French\~WRL2986.tmp

C:\Essex\MyPaper\ChinaIEEE2006\~WRL3785.tmp

C:\Essex\MyPaper\IEEAthens\~WRL0036.tmp

C:\Essex\Tesis\Proposals\FullResearchProposal\~WRL0970.tmp

C:\Program Files\InterActual\InterActual Player\iti3.tmp

C:\Documents and Settings\Fernando\My Documents\frivera666\receive\Fotograf¡a 57.zip

 

Finished

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OTMoveIt log

 

File/Folder C:\WINDOWS\system32\ntos.exe not found.

DllUnregisterServer procedure not found in c:\windows\system32\vvhqlfsuacw.dll

c:\windows\system32\vvhqlfsuacw.dll NOT unregistered.

c:\windows\system32\vvhqlfsuacw.dll moved successfully.

File/Folder c:\windows\system32\msvcrtd.exe not found.

File/Folder C:\Program.exe not found.

 

Created on 04/27/2006 14:36:33

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

check.bat log

 

"C:\WINDOWS\$NtServicePackUninstall$\ndis.sys" 167552 29/08/2002 10:09

"C:\WINDOWS\ServicePackFiles\i386\ndis.sys" 182912 04/08/2004 07:14

"C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys" 182912 04/08/2004 07:14

"C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys" 182912 04/08/2004 07:14

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 14:50:00, on 27/04/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\HijackThis\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\tmwsock.dll' missing

O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\alfa\autocomp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 5829 bytes

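As an added example (not part of the thread), a Python reading of the check.bat output posted above. It treats the DLLCACHE copy as the Windows File Protection reference, recognises the $NtServicePackUninstall$ copy as the pre-service-pack build that is expected to differ, and flags any other copy whose size differs from the reference. CLEAN_OUTPUT reproduces the figures from the post; PATCHED_OUTPUT is constructed, with a made-up 183296-byte DRIVERS copy, to show what a patched driver would have looked like.

```python
import re
from collections import namedtuple

# Constructed samples in the format check.bat writes: "path" size date time.
CLEAN_OUTPUT = r'''
"C:\WINDOWS\$NtServicePackUninstall$\ndis.sys" 167552 29/08/2002 10:09
"C:\WINDOWS\ServicePackFiles\i386\ndis.sys" 182912 04/08/2004 07:14
"C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys" 182912 04/08/2004 07:14
"C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys" 182912 04/08/2004 07:14
'''
# Constructed: the live driver is a different size, but its timestamp was left
# untouched on purpose, since a patcher can preserve mtime and the date proves nothing.
PATCHED_OUTPUT = r'''
"C:\WINDOWS\$NtServicePackUninstall$\ndis.sys" 167552 29/08/2002 10:09
"C:\WINDOWS\ServicePackFiles\i386\ndis.sys" 182912 04/08/2004 07:14
"C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys" 182912 04/08/2004 07:14
"C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys" 183296 04/08/2004 07:14
'''

DriverCopy = namedtuple("DriverCopy", "path size stamp")
LINE_RE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<stamp>\S+\s+\S+)$')

# Trusted locations in order of preference: the Windows File Protection cache,
# then the service pack's own source files.
REFERENCE_MARKERS = ("\\system32\\dllcache\\", "\\servicepackfiles\\")


def parse_check_output(text):
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(DriverCopy(m.group("path"), int(m.group("size")), m.group("stamp")))
    return copies


def reference_copy(copies):
    for marker in REFERENCE_MARKERS:
        for c in copies:
            if marker in c.path.lower():
                return c
    return None


def compare_driver_copies(text):
    """Map each path to a verdict, using the reference copy as the yardstick.

    Size is all the batch file gives us; a same-size patch would slip through,
    so hash the files as well whenever you can get at them.
    """
    copies = parse_check_output(text)
    ref = reference_copy(copies)
    verdicts = {}
    for c in copies:
        if ref is None:
            verdicts[c.path] = "no reference copy found"
        elif "$ntservicepackuninstall$" in c.path.lower():
            # Kept by the SP installer for rollback; it is the older build by design.
            verdicts[c.path] = "pre-service-pack copy (expected to differ)"
        elif c is ref:
            verdicts[c.path] = "reference"
        elif c.size == ref.size:
            verdicts[c.path] = "size matches reference"
        else:
            verdicts[c.path] = f"SIZE MISMATCH ({c.size} vs {ref.size})"
    return verdicts


def mismatches(text):
    return [p for p, v in compare_driver_copies(text).items() if v.startswith("SIZE MISMATCH")]


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("patched", PATCHED_OUTPUT)):
        print(label, mismatches(text) or "no size mismatches")
```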

Hi,

After running all your instructions to disinfect the computer, I ran Spybot and it found

 

Microsoft.WindowsSecurityCenter.FirewallBypass

I haven't told Spybot to remove it (so it doesn't change anything on the HijackThis log I posted before).

 

I also checked the settings of my firewall and, in the programs allowed through the firewall, I found an entry called mstsdsc (which I believe is some form of the Troj/Cimuz-CD).

 

Hope these additional comments and my previous post help.

Edited by pecibinks


Please do not post in "Not getting help" if your Helper doesn't respond... It probably means that Sempurna didn't get notification of your response... If Sempurna doesn't respond in the next 24 hours, you can send a PM, but there is a good chance that my post will notify...


Hi pecibinks, :wave:

 

I’m sorry, but I didn’t receive notification of your replies. Happens sometimes. :(

 

When I ran LSPFix, the file tmwsock.dll was initially in the "Remove" column; I moved it back to "Keep" and only removed vvhqlfsuacw.dll.

You may also move the tmwsock.dll file to the "Remove" column and remove it from the LSP stack.

When I ran FixTool, at the end it told me to run CatchMe.exe, but I didn't do it as it wasn't in your instructions.

No worries, that is a built-in rootkit scanner for SDFix. We’ll run it later.

Just one weird thing: when I click on the Start button, then All Programs, it says that new programs have been installed and it highlights programs that were installed some time ago (this behaviour occurs now, but it was also happening before).

Yes, this happens occasionally when it comes to infections. The problem usually resolves itself if you just run those proggies from the Start button.

After running all your instructions to disinfect the computer, I ran Spybot and it found

 

Microsoft.WindowsSecurityCenter.FirewallBypass

I haven't told Spybot to remove it (so it doesn't change anything on the HijackThis log I posted before).

Yep, get Spybot to remove it.

 

OK, here’s what we do next.

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\docume~1\\fernando\\locals~1\\temp\\funlib.exe"=-
"c:\\windows\\system32\\mstsdsc.exe"=-


 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

 


 

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

 

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.

 

 

NEXT:

 

Please download WinSock XP Fix by Option^Explicit:

  • Place it on your desktop.
  • Run WinsockxpFix.exe and click "Reg backup".
  • Your current registry will be saved in the folder "ERDNT".
  • Then click FIX.
  • Your system will reboot.

 

NEXT:

 

Please launch OTMoveIt:

  • Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\docume~1\fernando\locals~1\temp\funlib.exe
    c:\windows\system32\mstsdsc.exe
    c:\windows\system32\tmwsock.dll

  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    where mmddyyyy_hhmmss is the date and time of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

NEXT:

 

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

 

NEXT:

 

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded, click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  7. Click OK.
  8. Now, under "select a target to scan":
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while, so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the ComboFix scan.
  2. The log from the Kaspersky scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

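The fix.reg in the post above deletes two Windows Firewall exceptions by hand, after the "FirewallBypass" detection pointed at the AuthorizedApplications key. As an added example (not from the thread, and not part of any of the tools it names), the following Python script audits a REGEDIT4 export of that key offline: it parses the values, flags every Enabled exception that points into a temp directory or is not on a local allow-list, and emits the matching `"name"=-` deletion file. The sample export and the allow-list are constructed for the example; the `<path>:<scope>:<Enabled|Disabled>:<name>` value layout is the XP SP2 firewall format.

```python
import re

# Registry key that holds XP SP2 Windows Firewall program exceptions (the key in the thread's fix.reg).
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Constructed allow-list for this example: programs that may legitimately hold an exception.
# On a real machine this comes from your own baseline of the box, not from a guess.
ALLOWED_PATHS = {
    r"c:\program files\messenger\msmsgs.exe",
}

# Constructed REGEDIT4 export: the two entries the thread's fix.reg removes plus one
# benign (assumed) entry. Inside quoted .reg values, backslashes are doubled.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\docume~1\\fernando\\locals~1\\temp\\funlib.exe"="c:\\docume~1\\fernando\\locals~1\\temp\\funlib.exe:*:Enabled:funlib"
"c:\\windows\\system32\\mstsdsc.exe"="c:\\windows\\system32\\mstsdsc.exe:*:Enabled:mstsdsc"
"c:\\program files\\messenger\\msmsgs.exe"="c:\\program files\\messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# "name"="data" with REGEDIT4 escaping (\\ for a backslash, \" for a quote).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# The status field sits between the scope and the display name; the path before it may contain ':'.
_STATUS_RE = re.compile(r":(Enabled|Disabled):", re.IGNORECASE)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_authorized_apps(reg_text):
    """Return {program_path: data} for every value under the AuthorizedApplications List key."""
    entries = {}
    in_target = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_target = line[1:-1].lower() == FIREWALL_LIST_KEY.lower()
            continue
        if not in_target or not line:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def audit(entries, allowed=ALLOWED_PATHS):
    """Return [(path, reason)] for exceptions that deserve removal."""
    findings = []
    for path, data in entries.items():
        m = _STATUS_RE.search(data)
        status = m.group(1).lower() if m else ""
        if status == "disabled":
            continue  # a disabled exception opens nothing; leave it for the owner to review
        parts = path.lower().split("\\")
        if "temp" in parts or "tmp" in parts:
            findings.append((path, "enabled exception for an executable in a temp directory"))
        elif path.lower() not in allowed:
            findings.append((path, "enabled exception not on the allow-list"))
    return findings


def deletion_reg(findings):
    """Build the REGEDIT4 text that deletes the flagged values: each value name followed by '=-'."""
    lines = ["REGEDIT4", "", "[%s]" % FIREWALL_LIST_KEY]
    lines += ['"%s"=-' % _escape(path) for path, _reason in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit(parse_authorized_apps(SAMPLE_EXPORT))
    for path, reason in found:
        print("FLAG  %-50s %s" % (path, reason))
    print()
    print(deletion_reg(found))
```

Run against a real export (`regedit /e list.reg "<key>"`) the script only reads and reports; merging the generated deletion file is a separate, deliberate step, exactly as the helper has the user do with fix.reg.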

Hi,

 

 

Thanks again for your help, and sorry it took me so long to answer.

 

I have followed your instructions and here are the results:

 

++++++++++++++++++++++++LOG FROM OTMoveIt ++++++++++++++++++++++++++++++

 

File/Folder c:\docume~1\fernando\locals~1\temp\funlib.exe not found.

File/Folder c:\windows\system32\mstsdsc.exe not found.

File/Folder c:\windows\system32\tmwsock.dll not found.

 

Created on 05/09/2007 20:58:00

 

 

+++++++++++++++++++LOG from ComboFix scan +++++++++++++++++++++++++++++++++

 

"Fernando" - 2007-05-09 21:12:37 Service Pack 2

ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Fernando\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\DOWNLO~1.\Spotlife\Pandora\yahoo\EncodingProfiles\default\high\Encoding.xml

C:\WINDOWS\DOWNLO~1.\Spotlife\Pandora\yahoo\skin\0\default\en-us\SLSkin.dll

C:\WINDOWS\system32\totour.exe

C:\WINDOWS\system32\v.dll

C:\WINDOWS\DOWNLO~1.\Spotlife

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))

 

 

2007-05-09 21:02 <DIR> d-------- C:\Program Files\CCleaner

2007-05-09 20:47 <DIR> d-------- C:\RegBackupEru

2007-04-12 19:08 8,704 --a------ C:\WINDOWS\SYSTEM32\sporder.dll

2007-04-10 22:40 269,824 --a------ C:\WINDOWS\SYSTEM32\baksm.dll

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-03-28 21:21:01 -------- d-----w C:\DOCUME~1\Fernando\APPLIC~1.\MSN6

2007-03-23 09:33:53 -------- d-----w C:\DOCUME~1\Fernando\APPLIC~1.\Apple Computer

2007-03-23 09:29:18 -------- d-----w C:\Program Files\QuickTime

2007-03-23 09:25:09 -------- d-----w C:\Program Files\Apple Software Update

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-09 09:24:13 -------- d-----w C:\DOCUME~1\Fernando\APPLIC~1.\Real

2007-03-09 09:20:09 -------- d-----w C:\Program Files\Common Files\xing shared

2007-03-09 09:19:58 -------- d-----w C:\Program Files\Common Files\Real

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll"

"{AE7CD045-E861-484f-8273-0445EE161910}"="C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"

"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"

"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"

"CMPDPSRV"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\CMPDPSRV.EXE"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"

"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

"Motive SmartBridge"="C:\\PROGRA~1\\ntl\\BROADB~1\\SMARTB~1\\MotiveSB.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Uniblue Registry Booster2"="C:\\Program Files\\Uniblue\\RegistryBooster2\\RegistryBooster.exe /S"

 

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages msv1_0\0\0

Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages scecli\0\0

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService

 

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService DnsCache\0\0

rpcss RpcSs\0\0

imgsvc StiSvc\0\0

termsvcs TermService\0\0

HTTPFilter HTTPFilter\0\0

DcomLaunch DcomLaunch\0TermService\0\0

WudfServiceGroup WUDFSvc\0\0

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

 

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]

Shell\AutoRun\command E:\LaunchU3.exe

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20060427-143357-586

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

backup-20060427-143357-905

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)

backup-20060427-143357-318

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

backup-20060427-143357-539

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20060427-143357-834

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20060421-191220-911

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

backup-20060421-191106-130

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

backup-20060421-184258-375

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-184211-734

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-184211-129

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

backup-20060421-184016-388

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-184001-666

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-133806-432

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-133730-637

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

backup-20060421-130953-384

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

backup-20060421-130953-373

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

backup-20060421-130953-605

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\SDMsgUpdate (SmartDrawTrial).job

C:\WINDOWS\tasks\Windows Media Player.job

 

********************************************************************

 

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-09 21:22:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-09 21:25:08

C:\ComboFix-quarantined-files.txt ... 2007-05-09 21:25

 

 

+++++++++++++++++++LOG from Kaspersky scan +++++++++++++++++++++++++++++++++

 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Thursday, May 10, 2007 12:28:53 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 9/05/2007

Kaspersky Anti-Virus database records: 315885

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 131356

Number of viruses found: 10

Number of infected objects: 37 / 0

Number of suspicious objects: 0

Duration of the scan process: 02:36:45

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped

C:\Documents and Settings\Fernando\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Fernando\Local Settings\Application Data\Identities\{22EC0CF3-81F7-4841-81FA-78134B37A30D}\Microsoft\Outlook Express\Old Items 2004.dbx/[From acorre@essex.ac.uk][Date Sun, 04 Apr 2004 07:51:55]/text.zip/Pmessage-text.txt .pif Infected: Email-Worm.Win32.Sober.f skipped

C:\Documents and Settings\Fernando\Local Settings\Application Data\Identities\{22EC0CF3-81F7-4841-81FA-78134B37A30D}\Microsoft\Outlook Express\Old Items 2004.dbx/[From acorre@essex.ac.uk][Date Sun, 04 Apr 2004 07:51:55]/text.zip Infected: Email-Worm.Win32.Sober.f skipped

C:\Documents and Settings\Fernando\Local Settings\Application Data\Identities\{22EC0CF3-81F7-4841-81FA-78134B37A30D}\Microsoft\Outlook Express\Old Items 2004.dbx Mail MS Outlook 5: infected - 2 skipped

C:\Documents and Settings\Fernando\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Fernando\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Fernando\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Fernando\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Fernando\My Documents\FINDnFIX.exe/keys1/NirComLine.exe Infected: not-a-virus:RemoteAdmin.Win32.NirCmdLine.14 skipped

C:\Documents and Settings\Fernando\My Documents\FINDnFIX.exe ZIP: infected - 1 skipped

C:\Documents and Settings\Fernando\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Fernando\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\OldBackup\BASURFER.zip/BASURFER/trytofix.exe Infected: Trojan.Win32.DesktopPuzzle.c skipped

C:\OldBackup\BASURFER.zip ZIP: infected - 1 skipped

C:\OldBackup\CORRAL.zip/CORRAL/zipferi/RespaldoPH/Importante-noborrarRespaldoFRI.zip/keykey.exe/vkeykeyd._vx Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\OldBackup\CORRAL.zip/CORRAL/zipferi/RespaldoPH/Importante-noborrarRespaldoFRI.zip/keykey.exe Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\OldBackup\CORRAL.zip/CORRAL/zipferi/RespaldoPH/Importante-noborrarRespaldoFRI.zip Infected: not-a-virus:Monitor.Win32.KeyKey.121 skipped

C:\OldBackup\CORRAL.zip ZIP: infected - 3 skipped

C:\Program Files\Common Files\Totem Shared\Update\dial.dll.015 Infected: not-a-virus:Dialer.Win32.DialerOffline skipped

C:\Program Files\Norton AntiVirus\Quarantine\3A9B4FEB.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3ABF1DC3.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3AC671BC.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3B5F2713.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3B8374EC.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3BC866A0.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3BCB109D.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3C611BF8.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3C6B19ED.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3C7517E2.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\3C7B6BDB.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\413D189E.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\41576882.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\416E0E68.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\42660557.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\42742D49.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\428A5330.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\434E2A58.exe Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\Norton AntiVirus\Quarantine\436F4E34.EXE Infected: Virus.Win32.FunLove.4070 skipped

C:\Program Files\ntl\broadband medic\log\mpbtn.log Object is locked skipped

C:\Program Files\ntl\broadband medic\SmartBridge\AlertFilter.log Object is locked skipped

C:\Program Files\ntl\broadband medic\SmartBridge\log\httpclient.log Object is locked skipped

C:\Program Files\ntl\broadband medic\SmartBridge\SmartBridge.log Object is locked skipped

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\totour.exe.vir Infected: Trojan.Win32.Agent.afg skipped

C:\SDFix\backups\backups.zip/backups/ndis.sys Infected: SpamTool.Win32.Agent.u skipped

C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP916\A0322985.exe Infected: Trojan.Win32.Agent.afg skipped

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP916\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D36935A7-8231-4816-9D85-96D807AFFEDD}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_340.dat Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

 

+++++++++++++++++++LOG from HijackThis +++++++++++++++++++++++++++++++++

 

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 00:41:03, on 10/05/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\Apoint\Apntex.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\WINDOWS\System32\snmp.exe

c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\alfa\autocomp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 6036 bytes


Hi pecibinks, :wave:

 

No worries about the late reply. We’re still here. :)

 

OK, let’s pick up the leftovers.

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Please launch OTMoveIt:

  • Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\OldBackup\BASURFER.zip
    C:\OldBackup\CORRAL.zip
    C:\Program Files\Common Files\Totem Shared\Update\dial.dll.015
    C:\WINDOWS\SYSTEM32\baksm.dll

  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    where mmddyyyy_hhmmss is the date and time of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from OTMoveIt.
  2. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.


Hi,

 

 

Thanks for your answer. I followed your instructions, but I didn't tell OTMoveIt.exe to remove c:\oldbackup\basurfer.zip and c:\oldbackup\corral.zip.

The reason for that is that those 2 files have important backup information. However, I did remove the infected .exe files from the .zip files (they have been there for 5 years, so I don't think they would ever cause a problem; anyway, I deleted the .exe files from them).

The computer has been running smoothly since I followed the instructions posted in your first post. I just have 2 questions about 2 entries of my HijackThis log.

Why is the following line appearing there? I know that 127.0.0.1 is the localhost, but I don't have any kind of proxy:

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

 

Is the following line normal?

 

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

 

Thanks very much, and here are the 2 logs:

 

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:21:41, on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\alfa\autocomp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 5819 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OTMoveIt log

C:\Program Files\Common Files\Totem Shared\Update\dial.dll.015 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\baksm.dll
C:\WINDOWS\SYSTEM32\baksm.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\baksm.dll moved successfully.

Created on 05/10/2007 23:07:28


Hi pecibinks, :wave:

I'm sorry for my late reply. I didn't get notification of your reply, even though I've subscribed to your thread. Twice. :(

Why is the following line appearing there? I know that 127.0.0.1 is the localhost, but I don't have any kind of proxy

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

That could have been set by one of your security apps. It is a legit entry and should be left alone.

Is the following line normal?

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Yep, very normal. HJT will enumerate all files in the Winsock LSP as unknown. But some are legit, while others may be malware.

The above is most likely related to Microsoft Client Services for NetWare. It is usually seen as an O20 entry, but can also appear as an O10 entry.

http://www.spywaredata.com/spyware/malware/nwprovau.dll.php

To create a new system restore point:

  • Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
  • Click "Create A Restore Point" then click "Next". Give it a name and then click "Create".
  • When the confirmation screen shows the restore point has been created click "Close".
  • Then go to Start -> Run and type CLEANMGR.
  • Disk Cleanup will open and start calculating the amount of space that can be freed.
  • Once that’s finished it will open the Disk Cleanup options screen, click the "More Options" tab.
  • Click "Clean Up" in the "System Restore" section and choose "Yes" at the confirmation window.

This will remove all previous restore points except the newly created one.

 

 

NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:

  • CLICK HERE to download the offline installer.
    • Select "Java Runtime Environment (JRE) 6u1" and click the "Download" button to the right.
    • Check the box that says "Accept License Agreement".
    • Click on the link to download "Windows Offline Installation, Multi-language".
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean. :)

 

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
     
     
  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
     
     
  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
     
     
  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!
     
     
  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!
     
     
  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!
     
     
  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!
     
     
  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!
     
     
  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware complement each other very well.
    Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

 

Hopefully this should take care of your problems! Good luck! :D

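The three things the reply above checks by eye (whether the R1 line means a proxy is configured, whether the O10 Winsock LSP file is a known provider, and whether an old JRE is still present on the box) can be checked mechanically. The script below is an added example written for this page; it is not HijackThis code and not something posted in this thread. It parses the log format shown above (one "Oxx - ..." entry per line plus a "Running processes:" block). Its assumptions: the known-LSP table is a baseline of the standard Windows XP Winsock providers plus nwprovau.dll, which the reply above attributes to Client Service for NetWare; the "current" Java version is taken as 1.6.0_01, the JRE 6u1 the reply tells the poster to install; and the sample log is a handful of lines copied from the log posted above. One point the script makes explicit: ProxyOverride is Internet Explorer's proxy bypass list (the "Do not use proxy server for addresses beginning with" box), so 127.0.0.1 there only exempts localhost from a proxy. A proxy is actually in use only when a ProxyServer value exists, which HijackThis reports as a separate R1 line, and none appears in the posted log.

```python
"""Triage helpers for a HijackThis-style log (added example, not HijackThis code)."""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PROXY_RE = re.compile(r"Internet Settings,(Proxy\w+) = (.*)$")
LSP_RE = re.compile(r"Winsock LSP: (.*)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
# Matches a JRE install directory inside a path, e.g. \j2re1.4.2_04\ or \jre1.6.0_01\
JAVA_RE = re.compile(r"\\j(?:2)?re(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", re.IGNORECASE)

# Assumed baseline: standard Windows XP Winsock providers plus the NetWare
# provider discussed in the thread. Extend it for your own environment.
KNOWN_LSP_FILES = {
    "mswsock.dll": "Microsoft Winsock base provider",
    "winrnr.dll": "Microsoft LDAP name-space provider",
    "rsvpsp.dll": "Microsoft QoS RSVP provider",
    "nwprovau.dll": "Client Service for NetWare provider",
}

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:21:41, on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
--
End of file - 5819 bytes
"""


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running_processes, [(section, body), ...]) from a HJT log."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def proxy_settings(entries) -> Dict[str, str]:
    """Collect the R1 'Internet Settings,Proxy*' values (ProxyServer, ProxyOverride, ...)."""
    found: Dict[str, str] = {}
    for section, body in entries:
        m = PROXY_RE.search(body) if section == "R1" else None
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def proxy_configured(entries) -> bool:
    """True only if a ProxyServer value exists. ProxyOverride alone is just the
    bypass list; 127.0.0.1 in it means 'do not proxy localhost', not 'proxy = localhost'."""
    return "ProxyServer" in proxy_settings(entries)


def lsp_files(entries) -> List[Tuple[str, bool]]:
    """(path, is_known) for every O10 'Unknown file in Winsock LSP' line."""
    out = []
    for section, body in entries:
        m = LSP_RE.search(body) if section == "O10" else None
        if m:
            path = m.group(1).strip()
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            out.append((path, name in KNOWN_LSP_FILES))
    return out


def unknown_owner_services(entries) -> List[str]:
    """Executables of O23 services whose publisher field reads 'Unknown owner'."""
    out = []
    for section, body in entries:
        m = SERVICE_RE.match(body) if section == "O23" else None
        if m and m.group(2).strip().lower() == "unknown owner":
            out.append(m.group(3).strip())
    return out


def java_versions(text: str) -> List[Tuple[int, int, int, int]]:
    """Distinct JRE versions found in any path in the log, j2re1.4.2_04 -> (1, 4, 2, 4)."""
    seen = {tuple(int(g or 0) for g in m.groups()) for m in JAVA_RE.finditer(text)}
    return sorted(seen)


def outdated_java(text: str, current=(1, 6, 0, 1)) -> List[Tuple[int, int, int, int]]:
    """JRE versions older than `current` (default 1.6.0_01 = JRE 6u1, as recommended above)."""
    return [v for v in java_versions(text) if v < current]


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("proxy configured:", proxy_configured(ents), proxy_settings(ents))
    for path, known in lsp_files(ents):
        print("LSP:", path, "(known provider)" if known else "(REVIEW)")
    print("services with no publisher:", unknown_owner_services(ents))
    print("outdated Java:", outdated_java(SAMPLE_LOG))
```

Run it against a saved log with `parse_log(open("hijackthis.log").read())`. Unknown-owner services (MATLAB Server and the SecuROM service in the posted log) are not malicious by that fact alone; the function only lists them as the entries a helper would look up by hand, exactly as the reply above did for nwprovau.dll.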

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
