
Net-Worm.Win32.Kolab.xg


marydiv
10-03-2008, 11:12 AM
Hi,
While running a virus scan with Comodo, it detected "Net-Worm.Win32.Kolab.xg" and says that it was unable to disinfect the file. I've been looking online for info on this worm but have found very little. Anyone know the security risk and what it will do? Most importantly, how do I get rid of it? I don't suppose just deleting the executable file would remedy this. Your help would be appreciated before things really get messed up. I've already noticed some windows that just open up while I'm online. Also, are the computers connected to my network at risk too?

classicsoftware
10-03-2008, 11:31 AM
Please follow the instructions here (http://www.pcguide.com/vb/showthread.php?t=60009) and post a Hijackthis log.

mjc
10-03-2008, 11:32 AM
dang, CS, beat me to it...;)

marydiv
10-03-2008, 12:57 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:17 AM, on 03/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MostFun\Bin\MostFun.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavemsrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\xxxxxx Family\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\xxxxxx Family\winlogon.exe
O4 - HKLM\..\Run: [BM9f7111e1] Rundll32.exe "C:\WINDOWS\system32\itpmwfhq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MostFun.lnk = C:\Program Files\MostFun\Bin\MostFun.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217952969828
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218407856349&h=cf2c28f7500ee80211f0bdaeb8336da4/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll ogbpby.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 8439 bytes
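
As an added example (not part of this thread, and not code from any of the tools named in it), the Python script below does the kind of first-pass triage a helper performs on a HijackThis log like the one above. It runs over a few O4 and O20 lines copied from that log and flags three things: a Run entry that starts a core Windows process name such as winlogon.exe (here from a user profile rather than the Windows directory), a Run entry that loads a DLL through rundll32, and any AppInit_DLLs entry not on an analyst-verified allowlist. The allowlist containing guard32.dll, the `C:\WINDOWS` root and the sample lines themselves are assumptions of the example; benign entries (cfp.exe, ctfmon.exe) are included so the script has something to leave alone.

```python
import re
from typing import Dict, List

# Sample input: five entries copied from the HijackThis log posted in this thread,
# mixing benign entries (cfp.exe, ctfmon.exe, guard32.dll) with the suspicious ones.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h',
    r'O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\xxxxxx Family\winlogon.exe',
    r'O4 - HKLM\..\Run: [BM9f7111e1] Rundll32.exe "C:\WINDOWS\system32\itpmwfhq.dll",s',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll ogbpby.dll',
]

# Core Windows process names. The real ones live in %SystemRoot%\system32 and are started by the
# kernel / session manager, never from a Run key, so a Run entry using one of these names is a red flag.
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

# AppInit_DLLs entries the analyst has already verified (assumed allowlist for this example;
# guard32.dll is the entry that sits next to the flagged DLL in the thread's log).
KNOWN_APPINIT_DLLS = {"guard32.dll"}

RUN_ENTRY = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
APPINIT_ENTRY = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons are case-insensitive like NTFS."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def first_executable(cmd: str) -> str:
    """Extract the program from a Run command: a quoted path, or an unquoted path up to '.exe'
    (HijackThis prints unquoted paths even when they contain spaces)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(lines: List[str], known_appinit=KNOWN_APPINIT_DLLS,
               windows_root: str = r"C:\WINDOWS") -> List[Dict[str, str]]:
    """Return one finding per suspicious O4 (Run) or O20 (AppInit_DLLs) entry, in log order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        run = RUN_ENTRY.match(line)
        if run:
            exe = first_executable(run["cmd"])
            name = basename(exe)
            if name in CORE_PROCESS_NAMES:
                # A real winlogon.exe is never launched from Run; a copy outside %SystemRoot% is worse still.
                where = "" if exe.lower().startswith(windows_root.lower()) else " and outside the Windows directory"
                findings.append({"severity": "high", "line": line, "indicator": name,
                                 "reason": f"core process name '{name}' started from a Run key{where}: {exe}"})
            elif name == "rundll32.exe":
                # rundll32 is legitimate; what needs review is the DLL it is told to load.
                dll = re.search(r'"?([^",]+\.dll)"?', run["cmd"][len(exe):], re.IGNORECASE)
                target = dll.group(1).strip() if dll else run["cmd"]
                findings.append({"severity": "review", "line": line, "indicator": basename(target),
                                 "reason": f"Run entry '{run['name']}' loads a DLL through rundll32: {target}"})
            continue
        appinit = APPINIT_ENTRY.match(line)
        if appinit:
            # AppInit_DLLs are injected into every process that loads user32.dll; each entry must be accounted for.
            for dll in re.split(r"[\s,]+", appinit["dlls"].strip()):
                if dll and basename(dll) not in known_appinit:
                    findings.append({"severity": "high", "line": line, "indicator": basename(dll),
                                     "reason": f"unverified AppInit_DLLs entry: {dll}"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"[{f['severity']}] {f['reason']}")
```

Run against the sample lines it reports winlogon.exe in the user profile and ogbpby.dll as high, and itpmwfhq.dll as a rundll32-loaded DLL to review; these are the same three items the later MBAM log in this thread removed. The script is a hint generator for an analyst, not a verdict: an unrecognised Run entry still needs to be checked against the file on disk before anything is deleted.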

classicsoftware
10-03-2008, 01:02 PM
First:

How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Second:

Please do the following:


Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.


Note:

Do not mouseclick Combofix's window while it is running. That may cause the program to stall...

Third:

IN THE ORDER LISTED BELOW

Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.

marydiv
10-03-2008, 05:25 PM
I am working on this right now. Computer is very messed up. ComboFix isn't working properly. Can't type either, lots of pop ups, computer is very erratic and unstable. I'll keep trying to get the ComboFix log but this is what I have so far:

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

03/10/2008 1:08:39 PM
mbam-log-2008-10-03 (13-08-39).txt

Scan type: Quick Scan
Objects scanned: 67588
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
C:\Documents and Settings\xxxxxxFamily\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\system32\rqRIbxwV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urfcgjrg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ogbpby.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jydlkg.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5405386d-d9ae-440e-a011-2d8f4386cbbf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5405386d-d9ae-440e-a011-2d8f4386cbbf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8a91b97-2d78-4c71-8d90-1229b0a997a0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b8a91b97-2d78-4c71-8d90-1229b0a997a0} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon Applicationedc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm9f7111e1 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqribxwv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqribxwv -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ogbpby.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRIbxwV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VwxbIRqr.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VwxbIRqr.ini2 (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rvxcprqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nqrpcxvr.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urfcgjrg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\grjgcfru.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rhntdvwa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jydlkg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\xxxxxx Family\Local Settings\Temp\svxpckff.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\xxxxxx Family\Local Settings\Temporary Internet Files\Content.IE5\E4RAQ0PV\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxxxxx Family\Local Settings\Temporary Internet Files\Content.IE5\WO63CO4B\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxxxxx Family\winlogon.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\itpmwfhq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM9f7111e1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM9f7111e1.txt (Trojan.Vundo) -> Delete on reboot.

classicsoftware
10-03-2008, 09:32 PM
Now that MBAM has removed a great deal of dreck, try Combofix again. If it does not work, try it in safe mode. If it still doesn't work, give me a new HJT log.

marydiv
10-04-2008, 10:04 AM
ComboFix 08-10-03.01 - xxxxxx Family 2008-10-04 8:17:26.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\xxxxxx Family\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\xxxxxx Family\Application Data\inst.exe
C:\Documents and Settings\ Family\Cookies\a_family@2o7[2].txt
C:\Documents and Settings\ Family\Cookies\a_family@a.amd[1].txt
C:\Documents and Settings\ Family\Cookies\a_family@ad.yieldmanager[1].txt
C:\Documents and Settings\ Family\Cookies\a_family@ads.revsci[2].txt
C:\Documents and Settings\ Family\Cookies\a_family@clicktorrent[1].txt
C:\Documents and Settings\ Family\Cookies\a_family@ehg-ctv.hitbox[2].txt
C:\Documents and Settings\ Family\Cookies\a_family@forums.ncix[2].txt
C:\Documents and Settings\ Family\Cookies\a_family@insightexpressai[1].txt
C:\Documents and Settings\ Family\Cookies\a_family@trafficmp[2].txt
C:\Documents and Settings\ Family\Cookies\a_family@www.directcanada[2].txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM9f7111e1.txt
C:\WINDOWS\BM9f7111e1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\enijxmtq.dll
C:\WINDOWS\system32\fccbArpO.dll
C:\WINDOWS\system32\hspysvfi.dll
C:\WINDOWS\system32\ljJYPjkI.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nyjeme.dll
C:\WINDOWS\system32\OprAbccf.ini
C:\WINDOWS\system32\OprAbccf.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\qemgfkvc.dll
C:\WINDOWS\system32\qtmxjine.ini
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.

2008-10-03 13:11 . 2008-10-03 13:11 61,440 --a------ C:\WINDOWS\system32\drivers\bqzzhc.sys
2008-10-03 12:07 . 2008-10-03 12:07 <DIR> d-------- C:\Documents and Settings\AFamily\Application Data\Malwarebytes
2008-10-03 12:06 . 2008-10-03 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-03 12:06 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 12:06 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 12:05 . 2008-10-03 12:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 11:41 . 2008-10-03 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-03 10:18 . 2008-10-03 10:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-10-03 09:25 . 2008-10-03 09:25 <DIR> d-------- C:\WINDOWS\system32\xib
2008-10-03 09:25 . 2008-10-03 09:25 <DIR> d-------- C:\WINDOWS\system32\rd2
2008-10-03 09:25 . 2008-10-03 09:25 <DIR> d-------- C:\WINDOWS\system32\gic2
2008-10-03 09:25 . 2008-10-03 09:25 607,117 --a------ C:\Temp\noKi348.exe
2008-10-03 09:24 . 2008-10-03 09:24 <DIR> d-------- C:\WINDOWS\system32\EV02
2008-10-03 09:24 . 2008-10-03 09:25 <DIR> d-------- C:\Temp\xp34
2008-10-03 09:24 . 2008-10-04 08:18 <DIR> d-------- C:\Temp
2008-10-03 09:23 . 2008-10-03 09:23 46,080 --a------ C:\Documents and Settings\AFamily\index.exe
2008-10-03 09:23 . 2008-10-03 09:23 68 --a------ C:\Documents and Settings\A Family\z.bat
2008-09-05 20:48 . 2008-09-05 20:48 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-09-05 20:48 . 2008-09-11 08:46 <DIR> d-------- C:\Program Files\QuickTime
2008-09-05 20:48 . 2008-09-18 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-05 20:48 . 1999-11-10 12:05 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-09-05 20:47 . 2008-09-05 20:47 <DIR> d-------- C:\WINDOWS\Cache
2008-09-05 20:15 . 2008-10-02 11:02 <DIR> d-------- C:\Program Files\iLumina2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 17:11 1,762 ----a-w C:\Program Files\xfapdrsp.txt
2008-10-03 13:14 --------- d-----w C:\Program Files\SmartFTP FTP Library
2008-10-03 13:11 --------- d-----w C:\Documents and Settings\A Family\Application Data\LimeWire
2008-09-13 21:02 --------- d-----w C:\Documents and Settings\A Family\Application Data\FileZilla
2008-09-13 19:58 --------- d-----w C:\Program Files\FileZilla FTP Client
2008-09-11 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-31 22:56 --------- d-----w C:\Documents and Settings\A Family\Application Data\DNA
2008-08-30 14:59 --------- d-----w C:\Program Files\DNA
2008-08-25 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-08-25 00:31 --------- d-----w C:\Documents and Settings\A Family\Application Data\PlayFirst
2008-08-24 15:18 --------- d-----w C:\Documents and Settings\A Family\Application Data\BitTorrent
2008-08-24 13:30 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2008-08-23 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-08-23 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-23 15:33 --------- d-----w C:\Program Files\Alawar
2008-08-23 15:22 --------- d-----w C:\Program Files\Google
2008-08-23 14:01 --------- d-----w C:\Program Files\Mystery Cookbook
2008-08-23 13:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-21 14:12 --------- d-----w C:\Documents and Settings\A Family\Application Data\Gaijin Ent
2008-08-21 14:11 --------- d-----w C:\Program Files\ReflexiveArcade
2008-08-20 13:54 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-19 01:08 --------- d-----w C:\Documents and Settings\A Family\Application Data\SmartFTP
2008-08-17 21:45 --------- d-----w C:\Program Files\Xvid
2008-08-16 16:32 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Vso
2008-08-14 18:18 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-08-14 04:04 --------- d-----w C:\Program Files\LimeWire
2008-08-13 11:32 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-11 17:09 --------- d-----w C:\Program Files\QuickTax 2007
2008-08-11 14:16 --------- d-----w C:\Documents and Settings\A Family\Application Data\Ahead
2008-08-11 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2008-08-11 13:55 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-11 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-11 13:52 --------- d-----w C:\Program Files\Nero
2008-08-11 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-08-10 22:37 --------- d-----w C:\Program Files\Java
2008-08-10 22:36 --------- d-----w C:\Program Files\Common Files\Java
2008-08-08 03:22 --------- d-----w C:\Program Files\DivX

marydiv
10-04-2008, 10:05 AM
2008-08-07 20:31 --------- d-----w C:\Documents and Settings\A Family\Application Data\SonyEricsson
2008-08-07 20:21 --------- d-----w C:\Program Files\BitTorrent
2008-08-07 20:19 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-07 20:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 20:16 --------- d-----w C:\Program Files\Avanquest update
2008-08-07 20:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-08-07 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-08-07 20:10 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-07 20:10 47,360 ----a-w C:\Documents and Settings\AFamily\Application Data\pcouffin.sys
2008-08-07 20:10 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-08-07 17:49 --------- d-----w C:\Program Files\epson
2008-08-07 16:26 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Leadertech
2008-08-07 14:23 --------- d-----w C:\Program Files\NOS
2008-08-07 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-07 12:16 --------- d-----w C:\Program Files\Windows Live
2008-08-06 12:40 --------- d-----w C:\Program Files\Runtime Software
2008-08-06 12:19 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-06 12:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-05 21:12 --------- d-----w C:\Program Files\Western Digital Technologies
2008-08-05 19:34 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Windows Search
2008-08-05 19:33 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-08-05 19:31 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-05 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-05 18:50 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Intuit Canada
2008-08-05 18:49 --------- d-----w C:\Program Files\Common Files\Intuit
2008-08-05 18:49 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-08-05 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-08-05 17:53 --------- d-----w C:\Program Files\Microsoft Expression
2008-08-05 17:48 --------- d-----w C:\Program Files\MSBuild
2008-08-05 17:48 --------- d-----w C:\Program Files\Microsoft Works
2008-08-05 17:47 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-05 17:45 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-08-05 17:27 --------- d-----w C:\Program Files\COMODO
2008-08-05 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-08-05 17:26 102,400 ----a-w C:\WINDOWS\system32\drivers\cavasm.sys
2008-08-05 17:13 90,112 ----a-w C:\WINDOWS\DUMP66a9.tmp
2008-08-05 17:01 87,056 ----a-w C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-05 17:01 24,208 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-05 17:01 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Comodo
2008-08-05 16:51 --------- d-----w C:\Documents and Settings\AFamily\Application Data\Windows Desktop Search
2008-08-05 16:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-08-05 16:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-08-05 16:09 --------- d--h--w C:\Program Files\Zero G Registry
2008-08-05 16:09 --------- d-----w C:\Program Files\ATI
2008-08-05 16:08 --------- d-----w C:\Program Files\Gigabyte
2008-08-05 16:06 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-08-05 16:02 --------- d-----w C:\Program Files\Realtek
2008-08-05 16:01 --------- d-----w C:\Documents and Settings\AFamily\Application Data\InstallShield
2008-08-05 15:58 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-08-05 15:58 --------- d-----w C:\Program Files\DIFX
2008-08-05 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-08-05 15:57 --------- d-----w C:\Documents and Settings\AFamily\Application Data\ATI
2008-08-05 15:55 --------- d-----w C:\Program Files\ATI Technologies
2008-08-05 15:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-05 15:36 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-18 18:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"EasyTuneV"="C:\Program Files\Gigabyte\ET5\ETcall.exe" [2007-04-26 24576]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-05 1655552]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2008-08-05 110592]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"EPSON Stylus CX7800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 C:\WINDOWS\RTHDCPL.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 C:\WINDOWS\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 15360]

C:\Documents and Settings\AFamily\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
2008-08-05 13:26 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

marydiv
10-04-2008, 10:05 AM
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\COMODO\\Comodo AntiVirus\\CavEmSrv.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-05 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-05 24208]
R2 ATIWebPAM;ATI WebPAM;C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2004-09-22 12288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f71c7a6-64a9-11dd-962b-001d7da6d961}]
\Shell\AutoRun\command - setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1CF662BF-4AFD-4778-8306-1F0EB8284EBB} - C:\WINDOWS\system32\ddcCSKDV.dll
BHO-{7308a567-3496-402c-a2f5-6962d04fd544} - C:\WINDOWS\system32\nyjeme.dll
BHO-{C0E4C84C-EDC0-4CA4-ADAE-91EECD888A07} - C:\WINDOWS\system32\fccbArpO.dll
HKCU-Run-LightScribe Control Panel - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM-Run-BM9f7111e1 - C:\WINDOWS\system32\qemgfkvc.dll
HKLM-Run-9c42227d - C:\WINDOWS\system32\enijxmtq.dll
ShellExecuteHooks-{1CF662BF-4AFD-4778-8306-1F0EB8284EBB} - C:\WINDOWS\system32\ddcCSKDV.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O18 -: Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
.
.
------- File Associations -------
.
.

************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 08:41:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\Common\CAVASpy\cavasm.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\Internet Explorer\iexplore.exe
.
************************************************************************
.
Completion time: 2008-10-04 8:50:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 12:48:25

Pre-Run: 104,357,203,968 bytes free
Post-Run: 104,119,242,752 bytes free

271 --- E O F --- 2008-09-11 11:59:28

marydiv
10-04-2008, 10:06 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:27 AM, on 04/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CF13645.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\psexec.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1CF662BF-4AFD-4778-8306-1F0EB8284EBB} - C:\WINDOWS\system32\ddcCSKDV.dll (file missing)
O2 - BHO: {445df40d-2696-5f2a-c204-6943765a8037} - {7308a567-3496-402c-a2f5-6962d04fd544} - C:\WINDOWS\system32\nyjeme.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C0E4C84C-EDC0-4CA4-ADAE-91EECD888A07} - C:\WINDOWS\system32\fccbArpO.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [BM9f7111e1] Rundll32.exe "C:\WINDOWS\system32\qemgfkvc.dll",s
O4 - HKLM\..\Run: [9c42227d] rundll32.exe "C:\WINDOWS\system32\enijxmtq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217952969828
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218407856349&h=cf2c28f7500ee80211f0bdaeb8336da4/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 8019 bytes

marydiv
10-04-2008, 10:24 AM
System is running slow.

classicsoftware
10-04-2008, 01:31 PM
Open HijackThis and place a check next to:

O2 - BHO: (no name) - {1CF662BF-4AFD-4778-8306-1F0EB8284EBB} - C:\WINDOWS\system32\ddcCSKDV.dll (file missing)
O2 - BHO: {445df40d-2696-5f2a-c204-6943765a8037} - {7308a567-3496-402c-a2f5-6962d04fd544} - C:\WINDOWS\system32\nyjeme.dll (file missing)
O2 - BHO: (no name) - {C0E4C84C-EDC0-4CA4-ADAE-91EECD888A07} - C:\WINDOWS\system32\fccbArpO.dll (file missing)

O4 - HKLM\..\Run: [BM9f7111e1] Rundll32.exe "C:\WINDOWS\system32\qemgfkvc.dll",s
O4 - HKLM\..\Run: [9c42227d] rundll32.exe "C:\WINDOWS\system32\enijxmtq.dll",b


Close all open programs and browser windows except for HJT and click "Fix checked". Then:

Re-boot.
Post a fresh log.
Tell me how the system is running.
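
The five lines picked out above share two shapes: O2 BHOs whose DLL is already gone from disk, and O4 Run entries that use rundll32 to load a DLL from system32 through a one-letter export. The script below is an added example, not part of this thread and not HijackThis code: it parses HJT v2 lines and applies those two rules, plus a third (an assumption of this example) that sends Winlogon Notify packages not on a baseline list to manual review rather than removal. The baseline set, the regexes and the one O2 line with a nil CLSID are constructed for the example; the other sample lines are copied from the logs posted in this thread.

```python
"""Triage a HijackThis v2 log: flag orphaned BHOs, rundll32 Run entries
loading a system32 DLL by a one-letter export, and Winlogon Notify DLLs
that are not on a baseline list (review only, never auto-fix)."""
import re
from dataclasses import dataclass

# Assumed baseline: DLL stems behind the Winlogon\Notify subkeys of a stock
# Windows XP SP3 install. Rebuild it from a known-clean machine before use.
XP_NOTIFY_BASELINE = {"crypt32", "cryptnet", "cscdll", "dimsntfy",
                      "sclgntfy", "wlnotify", "wgalogon"}

# Sample input: lines copied from the logs in this thread, plus one
# constructed O2 line (nil CLSID) for the "file present, random name" case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1CF662BF-4AFD-4778-8306-1F0EB8284EBB} - C:\WINDOWS\system32\ddcCSKDV.dll (file missing)
O2 - BHO: {445df40d-2696-5f2a-c204-6943765a8037} - {7308a567-3496-402c-a2f5-6962d04fd544} - C:\WINDOWS\system32\nyjeme.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\kqvxtmrw.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BM9f7111e1] Rundll32.exe "C:\WINDOWS\system32\qemgfkvc.dll",s
O4 - HKLM\..\Run: [9c42227d] rundll32.exe "C:\WINDOWS\system32\enijxmtq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
"""


@dataclass
class Finding:
    kind: str      # HJT section: O2, O4 or O20
    verdict: str   # "fix" (tick it in HJT) or "review" (verify by hand first)
    reason: str
    line: str


# HijackThis v2.0.x line shapes, as seen in the logs posted in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\[]+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)$', re.I)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")  # eight letters, no digits (assumed heuristic)


def _stem(path):
    """File name without directory or extension, lower-cased."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage_line(line):
    """Classify one HJT line; returns a Finding or None for anything benign/unknown."""
    line = line.strip()
    if m := O2_RE.match(line):
        if "(file missing)" in m["path"]:
            return Finding("O2", "fix", "orphaned BHO: registered DLL no longer on disk", line)
        if m["name"] == "(no name)" and _in_system32(m["path"]) \
                and RANDOM_NAME_RE.match(_stem(m["path"])):
            return Finding("O2", "fix", "unnamed BHO loading a random-named DLL from system32", line)
        return None
    if m := O4_RE.match(line):
        r = RUNDLL_RE.match(m["cmd"])
        if r and _in_system32(r["dll"]) and len(r["export"]) == 1:
            return Finding("O4", "fix", "rundll32 loads a system32 DLL via a one-letter export", line)
        return None
    if m := O20_RE.match(line):
        if _stem(m["path"]) not in XP_NOTIFY_BASELINE:
            return Finding("O20", "review", "Winlogon Notify DLL not in the XP baseline; verify its publisher", line)
        return None
    return None


def triage(log_text):
    """Findings for a whole log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def hjt_fix_list(log_text):
    """The lines to tick under "Fix checked" (verdict == "fix")."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.kind:3} {f.reason}\n       {f.line}")
```

Run against the sample, it returns exactly the five entries ticked in the thread as "fix" and marks the monln Notify entry "review". That verdict is deliberately not "fix": a Notify DLL missing from the baseline may simply be a vendor package the list does not know about, and a persistence point under Winlogon should be checked by hand before it is removed.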

marydiv
10-04-2008, 02:08 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:57 PM, on 04/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217952969828
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218407856349&h=cf2c28f7500ee80211f0bdaeb8336da4/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI WebPAM (ATIWebPAM) - Unknown owner - C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7404 bytes

marydiv
10-04-2008, 02:10 PM
Luv it, luv it, luv it!!!! Smooth......pages are loading much faster. So far so good. Thanks to all of you! I thought this was gonna be a huge problem but it's worked out well. Thank God for this forum and those of you who are able to troubleshoot and guide!

marydiv
10-04-2008, 03:27 PM
Please let me know if there is anything else to be done based on the above log.

classicsoftware
10-04-2008, 05:53 PM
Now that you are clean, you need to keep it that way. Please follow the rules below. Pay careful attention to number 4. Since the release of Service Pack 2 for Windows XP, Microsoft has greatly improved the security of Windows. The majority of attacks now occur in other software. Adobe Acrobat Reader is the most attacked program right now. You need to keep your software up to date and the Secunia PSI is the best way to go.

You had spyware so it needed to be cleaned anyway, now you need to keep it that way.

How to Protect Yourself While On-Line

1. Make sure you have an up-to-date antivirus. Scan regularly. There are many free versions:
   AVAST (http://www.avast.com/eng/download-avast-home.html)
   AVG (http://free.grisoft.com/freeweb.php/doc/2/)
   Antivir (http://www.free-av.com/antivirus/allinonen.html)

2. Make sure you have a software firewall and, if you are on broadband, get behind a NAT router. There are also free versions:
   Kerio (http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
   Sygate (http://www.filehippo.com/download_sygate_personal_firewall/)
   Zone Alarm (http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp%3bjsessionid=BzJnZDxzyCUCcyZMB2t0Qco5IgutuYlrOMI5snmy1ZptQ2vOr1l1!776180791!-1062696904!7551!7552!-2099742426!-1062696903!7551!7552)

3. Keep Windows up to date. Visit Windows Update (http://windowsupdate.microsoft.com) and Office Update (http://office.microsoft.com/en-us/downloads/default.aspx) regularly.
4. Keep all of your software up to date. You can check on your software with the Secunia Software Inspector (http://secunia.com/software_inspector/). Sign up for e-mail notification and they will tell you when to check your system again.
5. Use Firefox (http://www.mozilla.org/products/) with the NoScript (http://noscript.net/) extension as your web browser.
6. Download, install and keep an updated version of SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html).
7. Do NOT click on links in any I.M. program.
8. Use Thunderbird (http://www.mozilla.com/en-US/thunderbird/) in place of Outlook or Outlook Express.
9. Use Foxit Reader (http://www.download.com/Foxit-PDF-Reader/3000-2079_4-10313206.html) with the PDF Download (https://addons.mozilla.org/en-US/firefox/addon/636) extension instead of Adobe Acrobat Reader.
10. DO NOT open attachments from ANYONE. Download them and scan them with your AV before opening, and only if you expect to receive them.
11. If you use IE, download a copy of IE-Spyad (http://www.spywarewarrior.com/uiuc/resource.htm).

marydiv
10-04-2008, 07:34 PM
Thank you for these instructions. I'll get started on those steps that I'm lacking in.