Thread: Recurring spyware

  1. #1

    Recurring spyware

    Howdy,

    I'm brilliant and I allow my roommates to play around with my computer. Long story short, I'm saddled with a bunch of spyware stuff on my computer that Spybot S&D and Ad-Aware SE can't remove. Those programs will delete everything but something called Virtumunde or a variation of that name.

    I poked around a bit and saw that this was causing some other folks the same problem so here I am!


    Thanks, Alex

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:57:40 AM, on 1/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    C:\WINDOWS\system32\Brightness.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask .exe
    C:\WINDOWS\system32\Brightness .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\WINDOWS\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\avp .exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\mgrs.exe
    C:\HJT\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
    O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp .exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8221] command /c del "C:\WINDOWS\system32\ssqrr.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1608] cmd /c del "C:\WINDOWS\system32\ssqrr.dll_old"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

    --
    End of file - 5912 bytes

  2. #2
    Yes, you have some garbage... The last time you requested help, you never responded... Please follow through this time...

    Please do this:

    Please visit this webpage for instructions for downloading and running ComboFix:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  3. #3
    Quote Originally Posted by Budfred:
    Yes, you have some garbage... The last time you requested help, you never responded... Please follow through this time...
    Sorry

    Anywho, the ComboFix log:

    ComboFix 08-01-17.1 - Alex Johnson 2008-01-16 15:44:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1382 [GMT -5:00]
    Running from: C:\Documents and Settings\Alex Johnson\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Alex Johnson\Application Data\antivirus.exe
    C:\Documents and Settings\Alex Johnson\Application Data\printer.exe
    C:\Documents and Settings\Alex Johnson\Application Data\trant.exe
    C:\Documents and Settings\Alex Johnson\Application Data\ultra
    C:\Documents and Settings\Alex Johnson\Application Data\ultra\uninstall.bat
    C:\Documents and Settings\Alex Johnson\Start Menu\Programs\Startup\findfast .exe
    C:\Documents and Settings\Alex Johnson\Start Menu\Programs\Startup\findfast.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Helper
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OinFP.exe
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\Outerinfo.dll
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\spoolsv.exe
    c:\program files\steam\steam.exe
    C:\Program Files\ucleaner_setup.exe
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\Ultimate Defender
    C:\WINDOWS\avp .exe
    C:\WINDOWS\avp .exe
    C:\WINDOWS\inf\ultra.inf
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\shell.exe
    C:\WINDOWS\Spyware Remover.ico
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\printer .exe
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\rrqss.ini
    C:\WINDOWS\system32\rrqss.ini2
    C:\WINDOWS\system32\spoolvs .exe
    C:\WINDOWS\system32\spoolvs.exe
    C:\WINDOWS\system32\ssqrr.dll
    C:\WINDOWS\system32\ssqrr.exe
    C:\WINDOWS\system32\xlibgfl254.dll

    Code:
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> Reader_sl.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr .exe ---> KbdMgr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe ---> atiptaxx.exe
    C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
    C:\Program Files\Steam\steam .exe ---> steam.exe
    C:\WINDOWS\system32\ctfmon .exe ---> QooBox
    C:\WINDOWS\system32\printer .exe ---> QooBox
    C:\WINDOWS\system32\spoolvs .exe ---> QooBox
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NPF


    ((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
    .

    2008-01-16 15:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 19:59 . 2008-01-15 19:59 11,264 --a------ C:\Program Files\1289265.exe
    2008-01-15 02:12 . 2008-01-15 18:42 <DIR> d-------- C:\VundoFix Backups
    2008-01-15 02:04 . 2008-01-15 02:04 103,424 --a------ C:\WINDOWS\system32\drvtuw.dll
    2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
    2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
    2008-01-15 00:25 . 2008-01-15 00:25 11,264 --a------ C:\Program Files\6020156.exe
    2008-01-15 00:25 . 2008-01-15 19:59 745 --a------ C:\WINDOWS\wininit.ini
    2008-01-15 00:02 . 2008-01-15 15:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-15 00:02 . 2008-01-15 00:02 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-14 23:55 . 2008-01-14 23:55 103,424 --a------ C:\WINDOWS\system32\drvpep.dll
    2008-01-14 22:53 . 2008-01-14 22:53 <DIR> d-------- C:\Program Files\ecm100
    2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-14 22:11 . 2008-01-14 22:18 <DIR> d-------- C:\Program Files\aoe3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2008-01-17 20:55 --------- d-----w C:\Program Files\Steam
    2008-01-17 20:53 --------- d-----w C:\Program Files\iTunes
    2008-01-17 20:53 --------- d-----w C:\Program Files\Apple Keyboard Support
    2008-01-17 20:50 --------- d-----w C:\Program Files\QuickTime
    2008-01-03 02:09 --------- d-s---w C:\Program Files\HLSW
    2008-01-03 02:07 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-01-01 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-12-20 00:38 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\Azureus
    2007-12-17 04:36 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-23 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 08:20 --------- d-----w C:\Program Files\Viewpoint
    2007-11-21 08:20 --------- d-----w C:\Program Files\Starcraft
    2007-11-21 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-21 08:19 --------- d-----w C:\Program Files\Elecard
    2007-11-21 08:04 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\dvdcss
    2007-11-21 00:40 --------- d-----w C:\Program Files\Ventrilo
    2007-11-21 00:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-03-12 01:27 1,202,101 ----a-w C:\Program Files\wrar37b4.exe
    .
    Code:
    ----a-w            65,536 2008-01-15 07:01:25  C:\WINDOWS\system32\AppleTime .exe
    ----a-w           172,032 2008-01-15 20:09:46  C:\WINDOWS\system32\Brightness .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-01-16 15:36 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
    "Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2008-01-16 15:36 315392]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
    "Brightness"="C:\WINDOWS\system32\Brightness.e xe" [ ]
    "SigmatelSysTrayApp"="sttray.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 15:36 256576]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 15:36 40048]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
    "Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccdde]
    ddccdde.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

    R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
    R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
    R3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 11:15]
    R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
    S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 11:15]
    S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
    S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67709ec-c31c-11dc-9cc1-0017f2b72e78}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - F:\DirectX9\dxsetup.exe
    \Shell\setup\command - F:\setup.exe

    .
    ************************************************** ************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-17 15:55:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************** ************************
    .
    Completion time: 2008-01-17 15:59:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-17 20:59:39

  4. #4
    and the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:04:48 PM, on 1/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\HJT\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
    O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O20 - Winlogon Notify: ddccdde - ddccdde.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

    --
    End of file - 5292 bytes
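The two HijackThis logs above show the same autostart binaries running twice, once under the normal name and once with a space before .exe (atiptaxx.exe beside atiptaxx .exe), a win.ini load= entry (F3) pointing at ssqrr.exe, a Run value pointing at "qttask .exe", and a Winlogon Notify hook (O20) whose DLL is missing. As an added example, not code from the thread or from HijackThis, the Python below parses HijackThis-format lines (a constructed excerpt assembled from those two logs) and flags exactly those indicators; the finding labels are chosen here and are not a HijackThis convention.

```python
"""Triage pass over HijackThis-style log text.

Added example, not code from the thread or from HijackThis. It flags the
indicators visible in the logs above: the same autostart binary running
both as 'name.exe' and 'name .exe', a win.ini load= entry (F3), an O4 Run
value pointing at a 'name .exe' path, and a Winlogon Notify DLL that is
missing (O20). Finding labels are chosen here, not a HijackThis convention.
"""
import re
from dataclasses import dataclass

# Constructed excerpt assembled from the two HijackThis logs posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\avp.exe
C:\WINDOWS\avp .exe
C:\WINDOWS\mgrs.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: ddccdde - ddccdde.dll (file missing)
"""

# Whitespace immediately before a short file extension at the end of a path.
SPACED_EXT = re.compile(r"\s+(\.[A-Za-z0-9]{1,4})$")
# Path (quoted or not) following the "[name]" part of an O4 entry.
AUTORUN_PATH = re.compile(r'\]\s+"?([^"]+?\.exe)', re.IGNORECASE)
# R0/R1, F2/F3, O2..O23 lines all start with a letter, a number and " - ".
ENTRY_LINE = re.compile(r"^[RFO]\d+ - ")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_sections(text):
    """Return (running_processes, hjt_entries) from a HijackThis-format log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_LINE.match(line):
            entries.append(line)
    return processes, entries


def normalize(path):
    """Collapse 'name .exe' to 'name.exe' and lowercase, so twins share a key."""
    return SPACED_EXT.sub(r"\1", path).lower()


def twin_pairs(processes):
    """Normalized paths seen under more than one spelling (x.exe and x .exe)."""
    variants = {}
    for p in processes:
        variants.setdefault(normalize(p), set()).add(p)
    return sorted(k for k, v in variants.items() if len(v) > 1)


def autorun_path(entry):
    """Extract the executable path from an O4 entry, or '' if none is found."""
    m = AUTORUN_PATH.search(entry)
    return m.group(1) if m else ""


def triage(text):
    """Run all checks and return the list of Finding records."""
    processes, entries = parse_sections(text)
    findings = [Finding("twin-process", k) for k in twin_pairs(processes)]
    findings += [Finding("spaced-ext-process", p)
                 for p in processes if SPACED_EXT.search(p)]
    for e in entries:
        if e.startswith("F3 - REG:win.ini:"):
            findings.append(Finding("win.ini-load", e.split("load=", 1)[1]))
        elif e.startswith("O20 - Winlogon Notify:") and "(file missing)" in e:
            findings.append(Finding("winlogon-notify-missing", e.split(": ", 1)[1]))
        elif e.startswith("O4 - ") and SPACED_EXT.search(autorun_path(e)):
            findings.append(Finding("autorun-spaced-ext", autorun_path(e)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

A twin pair on its own only says that two files share a name modulo the space; which of the two is the legitimate copy has to be settled from the file itself, as ComboFix did when it renamed the spaced copies back in post #3.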

  5. #5
    That took out some of it, but there still seem to be some problems... Please do this:

    http://www.bleepingcomputer.com/tuto...torial117.html

    And then run this:

    Download SDFix and save it to your Desktop.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • Just before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the Registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the Desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your Desktop icons.
    • Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


    Note that at least one infection may include a keylogger and that may have stolen any private info you have typed on this computer... This includes passwords and account numbers, so you may want to check with any financial company you have contacted through this computer and ask them to watch your accounts... Do NOT contact them with this computer, use the phone... Also, please stay offline as much as possible and do not install any programs other than those needed for cleanup...
    Budfred ..... Caveat Emptor....

  6. #6
    Quote Originally Posted by Budfred:
    Note that at least one infection may include a keylogger and that may have stolen any private info you have typed on this computer... This includes passwords and account numbers, so you may want to check with any financial company you have contacted through this computer and ask them to watch your accounts... Do NOT contact them with this computer, use the phone... Also, please stay offline as much as possible and do not install any programs other than those needed for cleanup...
    Yeah, only username and password I've used is this one for PCguide.


    SDFIX Log:


    SDFix: Version 1.127

    Run by Alex Johnson on Thu 01/17/2008 at 10:20 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\ALEXJO~1\Desktop\SDFix\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-17 22:37:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0017f2b72e78]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:fb,cb,c5,8b,0d,97,fc,eb,4d,35,81,57,91 ,4d,d9,6d,27,ae,90,e4,39,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,9e,8e,bc,eb,97,6d,15,54,ca,5d ,0a,89,5e,c5,d9,4a,d0,..
    "khjeh"=hex:99,2e,6d,a7,ae,dc,cc,87,d5,07,e3,e9,6c ,45,01,05,e3,2e,bc,48,8f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:1d,af,b4,90,d9,f5,8a,44,03,10,76,46,f4 ,fc,c4,85,b4,d7,5f,54,e3,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0017f2b72e78]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:fb,cb,c5,8b,0d,97,fc,eb,4d,35,81,57,91 ,4d,d9,6d,27,ae,90,e4,39,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,9e,8e,bc,eb,97,6d,15,54,ca,5d ,0a,89,5e,c5,d9,4a,d0,..
    "khjeh"=hex:99,2e,6d,a7,ae,dc,cc,87,d5,07,e3,e9,6c ,45,01,05,e3,2e,bc,48,8f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:1d,af,b4,90,d9,f5,8a,44,03,10,76,46,f4 ,fc,c4,85,b4,d7,5f,54,e3,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    Sat 27 Oct 2007 211 A.SH. --- "C:\BOOT.BAK"
    Sun 8 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sun 8 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

    Finished!

  7. #7
    and the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:55:13 PM, on 1/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
    O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O20 - Winlogon Notify: ddccdde - ddccdde.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

    --
    End of file - 5273 bytes

  8. #8
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    I think you are almost there... Please open a new HJT scan and put a check by:

    O20 - Winlogon Notify: ddccdde - ddccdde.dll (file missing)

    Close all open windows except HJT and press Fix checked...

    Your Java is very much outdated and this is probably how you got infected in the first place, so please update it...

    Updating Java:
    • Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
    • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
      They should have this icon next to any that are there:
      Select any found and click Remove.
    • Then Download and install the newest version from here:


    Now please download a fresh copy of ComboFix and post a new log as well as a fresh HJT log run after ComboFix and a reboot...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...

  9. #9
    For some reason it's saying the recovery console isn't installed?

    ComboFix 08-01-17.5 - Alex Johnson 2008-01-18 11:47:25.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1642 [GMT -5:00]
    Running from: C:\Documents and Settings\Alex Johnson\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
    .

    2008-01-18 11:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-18 11:44 . 2008-01-18 11:46 <DIR> d-------- C:\Program Files\Java
    2008-01-18 11:44 . 2008-01-18 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-17 22:18 . 2008-01-17 22:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-17 22:06 . 2004-08-03 22:00 260,272 -r-hs---- C:\cmldr
    2008-01-17 22:06 . 2007-10-27 15:06 211 --ahs---- C:\BOOT.BAK
    2008-01-16 15:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 19:59 . 2008-01-15 19:59 11,264 --a------ C:\Program Files\1289265.exe
    2008-01-15 02:12 . 2008-01-15 18:42 <DIR> d-------- C:\VundoFix Backups
    2008-01-15 02:04 . 2008-01-15 02:04 103,424 --a------ C:\WINDOWS\system32\drvtuw.dll
    2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
    2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
    2008-01-15 00:25 . 2008-01-15 00:25 11,264 --a------ C:\Program Files\6020156.exe
    2008-01-15 00:25 . 2008-01-15 19:59 745 --a------ C:\WINDOWS\wininit.ini
    2008-01-14 23:55 . 2008-01-14 23:55 103,424 --a------ C:\WINDOWS\system32\drvpep.dll
    2008-01-14 22:53 . 2008-01-14 22:53 <DIR> d-------- C:\Program Files\ecm100
    2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-14 22:11 . 2008-01-14 22:18 <DIR> d-------- C:\Program Files\aoe3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-18 16:51 --------- d-----w C:\Program Files\Steam
    2008-01-17 20:53 --------- d-----w C:\Program Files\iTunes
    2008-01-17 20:53 --------- d-----w C:\Program Files\Apple Keyboard Support
    2008-01-17 20:50 --------- d-----w C:\Program Files\QuickTime
    2008-01-03 02:09 --------- d-s---w C:\Program Files\HLSW
    2008-01-03 02:07 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-01-01 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-12-20 00:38 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\Azureus
    2007-12-17 04:36 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-23 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 08:20 --------- d-----w C:\Program Files\Viewpoint
    2007-11-21 08:20 --------- d-----w C:\Program Files\Starcraft
    2007-11-21 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-21 08:19 --------- d-----w C:\Program Files\Elecard
    2007-11-21 08:04 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\dvdcss
    2007-11-21 00:40 --------- d-----w C:\Program Files\Ventrilo
    2007-11-21 00:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-03-12 01:27 1,202,101 ----a-w C:\Program Files\wrar37b4.exe
    .
    ----a-w            65,536 2008-01-15 07:01:25  C:\WINDOWS\system32\AppleTime .exe
    ----a-w           172,032 2008-01-15 20:09:46  C:\WINDOWS\system32\Brightness .exe

    ((((((((((((((((((((((((((((( snapshot@2008-01-17_15.59.26.68 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-16 20:42:07 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-18 16:28:50 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-16 20:42:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-18 16:28:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-16 20:42:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-18 16:28:51 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-16 20:42:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-18 16:28:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-16 20:42:09 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-18 16:28:51 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-16 20:42:09 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-18 16:28:52 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-15 23:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-01-18 03:19:16 4,861,952 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-01-18 03:19:16 167,936 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-01-15 23:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-01-18 03:18:59 4,861,952 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-01-18 03:18:59 167,936 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2001-07-14 22:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
    - 2006-12-15 06:30:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
    + 2007-12-14 05:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2006-12-15 06:31:06 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-12-14 05:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2006-12-15 08:09:14 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-12-14 06:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    - 2008-01-16 20:37:43 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-01-18 16:37:14 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-01-16 20:37:43 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-01-18 16:37:15 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-01-16 15:36 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
    "Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2008-01-16 15:36 315392]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
    "Brightness"="C:\WINDOWS\system32\Brightness.e xe" [ ]
    "SigmatelSysTrayApp"="sttray.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 15:36 256576]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 15:36 40048]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

    R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
    R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
    R3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 11:15]
    R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
    S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 11:15]
    S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
    S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67709ec-c31c-11dc-9cc1-0017f2b72e78}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - F:\DirectX9\dxsetup.exe
    \Shell\setup\command - F:\setup.exe

    .
    ************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-18 11:51:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************
    .
    Completion time: 2008-01-18 11:54:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-18 16:54:46
    ComboFix2.txt 2008-01-18 16:38:45
    ComboFix3.txt 2008-01-17 20:59:43

  10. #10
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:56:11 AM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apple Keyboard Support\KbdMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\HJT\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
    O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

    --
    End of file - 5487 bytes

  11. #11
    Your computer is still infected and you have some unidentifiable files as well... Please run the free scan here... I don't know if it will clean (I don't think so) or produce a log... If it doesn't produce a log, please copy what it says and post that here... Post the log if it creates one...

    http://www.prevx.com/

  12. #12
    The program had a log, but I don't think I can access it without paying for the product.

    These are the 4 things that it picked up~

    C:\Windows\System32\drvtuw.dll Trojan.vundo
    C:\Windows\System32\drvpep.dll Trojan.vundo
    C:\Program Files\6020156.exe Downloader.Small.60.M
    C:\Program Files\1289265.exe Downloader.Small.60.M

    The program also won't allow me to use the cleanup option without paying for it.
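Pulling together the warning signs this thread acts on (the O20 Winlogon Notify entry whose DLL is missing, the "qttask .exe" / "Brightness .exe" space-before-extension lookalikes, the numeric-named executables in Program Files, and the equal-size pairs like drvtuw.dll / drvpep.dll), here is an added Python triage script that is not code from HijackThis, ComboFix, Prevx or anyone in the thread. The sample log lines and the heuristics are constructed for this example; they flag entries worth a second look, not confirmed malware.

```python
"""Triage heuristics for HijackThis (HJT) and ComboFix log lines.

Added example for this thread; not code from HijackThis, ComboFix or Prevx.
The heuristics are illustrative and will produce false positives on a real
box: they point at entries worth a second look, nothing more.
"""
import re
from collections import defaultdict

# Constructed HJT lines of the kinds that appear in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddccdde - ddccdde.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed ComboFix "Files Created" rows in the format the thread's logs use.
SAMPLE_COMBOFIX = r"""
2008-01-18 11:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-15 19:59 . 2008-01-15 19:59 11,264 --a------ C:\Program Files\1289265.exe
2008-01-15 02:04 . 2008-01-15 02:04 103,424 --a------ C:\WINDOWS\system32\drvtuw.dll
2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
2008-01-15 00:25 . 2008-01-15 00:25 11,264 --a------ C:\Program Files\6020156.exe
2008-01-14 23:55 . 2008-01-14 23:55 103,424 --a------ C:\WINDOWS\system32\drvpep.dll
"""

# File name with one or more spaces right before its extension ("qttask .exe").
SPACE_BEFORE_EXT = re.compile(r"[^\\\s] +\.(exe|dll|cpl|sys)\b", re.IGNORECASE)
# O4 autorun entry: hive, bracketed label, then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# O20 Winlogon Notify entry: package name, DLL, trailing status text.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")
# ComboFix "Files Created" row: created, modified, size or <DIR>, attributes, path.
CF_ROW_RE = re.compile(
    r"^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) "
    r"(?:(?P<size>[\d,]+)|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)


def triage_hjt(text):
    """Return (reason, line) pairs for HJT lines matching the thread's warning signs."""
    findings = []
    for line in text.strip().splitlines():
        m = O20_RE.match(line)
        if m and "(file missing)" in m.group("rest"):
            # Winlogon still references a notify DLL that no longer exists:
            # the loader entry outlived a removed DLL and should be fixed.
            findings.append(("winlogon-notify-file-missing", line))
            continue
        m = O4_RE.match(line)
        if m and SPACE_BEFORE_EXT.search(m.group("cmd")):
            # "qttask .exe" is a different file from "qttask.exe"; the space
            # lets a lookalike sit next to the legitimate binary.
            findings.append(("autorun-space-before-extension", line))
    return findings


def triage_combofix(text):
    """Return (reason, detail) pairs for suspicious 'Files Created' rows."""
    findings = []
    by_dir_and_size = defaultdict(list)
    for line in text.strip().splitlines():
        m = CF_ROW_RE.match(line)
        if not m or m.group("size") is None:
            continue  # not a file row (directory entry or unrelated text)
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if SPACE_BEFORE_EXT.search(name):
            findings.append(("space-before-extension", path))
        if stem.isdigit() and ext.lower() == "exe":
            # Purely numeric executable names dropped at the top of Program Files.
            findings.append(("numeric-name-executable", path))
        by_dir_and_size[(directory.lower(), m.group("size"))].append(path)
    for paths in by_dir_and_size.values():
        if len(paths) > 1:
            # Several new files of identical size in one directory: how the
            # paired drv*.dll files and the two numeric .exe files show up.
            findings.append(("same-size-siblings", "; ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for reason, detail in triage_hjt(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f"{reason:32} {detail}")
```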

  13. #13
    No problem, those were the ones I was suspecting and you can nuke them with ComboFix... Do this:

    Open Notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\Windows\System32\drvtuw.dll
    C:\Windows\System32\drvpep.dll
    C:\Program Files\6020156.exe
    C:\Program Files\1289265.exe
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    Post the log in your next response...

  14. #14
    Wheee



    ComboFix 08-01-17.5 - Alex Johnson 2008-01-18 23:00:18.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1586 [GMT -5:00]
    Running from: C:\Documents and Settings\Alex Johnson\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Alex Johnson\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
    .

    2008-01-18 22:38 . 2008-01-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2008-01-18 22:31 . 2008-01-18 22:38 <DIR> d-------- C:\Documents and Settings\Alex Johnson\Application Data\PrevxCSI
    2008-01-18 11:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-18 11:44 . 2008-01-18 11:46 <DIR> d-------- C:\Program Files\Java
    2008-01-18 11:44 . 2008-01-18 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-17 22:18 . 2008-01-17 22:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-17 22:06 . 2004-08-03 22:00 260,272 -r-hs---- C:\cmldr
    2008-01-17 22:06 . 2007-10-27 15:06 211 --ahs---- C:\BOOT.BAK
    2008-01-16 15:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 19:59 . 2008-01-15 19:59 11,264 --a------ C:\Program Files\1289265.exe
    2008-01-15 02:12 . 2008-01-15 18:42 <DIR> d-------- C:\VundoFix Backups
    2008-01-15 02:04 . 2008-01-15 02:04 103,424 --a------ C:\WINDOWS\system32\drvtuw.dll
    2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
    2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
    2008-01-15 00:25 . 2008-01-15 00:25 11,264 --a------ C:\Program Files\6020156.exe
    2008-01-15 00:25 . 2008-01-15 19:59 745 --a------ C:\WINDOWS\wininit.ini
    2008-01-14 23:55 . 2008-01-14 23:55 103,424 --a------ C:\WINDOWS\system32\drvpep.dll
    2008-01-14 22:53 . 2008-01-14 22:53 <DIR> d-------- C:\Program Files\ecm100
    2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-14 22:11 . 2008-01-14 22:18 <DIR> d-------- C:\Program Files\aoe3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-19 04:03 --------- d-----w C:\Program Files\Steam
    2008-01-17 20:53 --------- d-----w C:\Program Files\iTunes
    2008-01-17 20:53 --------- d-----w C:\Program Files\Apple Keyboard Support
    2008-01-17 20:50 --------- d-----w C:\Program Files\QuickTime
    2008-01-03 02:09 --------- d-s---w C:\Program Files\HLSW
    2008-01-03 02:07 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-01-01 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-12-20 00:38 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\Azureus
    2007-12-17 04:36 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-23 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 08:20 --------- d-----w C:\Program Files\Viewpoint
    2007-11-21 08:20 --------- d-----w C:\Program Files\Starcraft
    2007-11-21 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-21 08:19 --------- d-----w C:\Program Files\Elecard
    2007-11-21 08:04 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\dvdcss
    2007-11-21 00:40 --------- d-----w C:\Program Files\Ventrilo
    2007-11-21 00:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-27 06:39 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2007-03-12 01:27 1,202,101 ----a-w C:\Program Files\wrar37b4.exe
    .
    ----a-w            65,536 2008-01-15 07:01:25  C:\WINDOWS\system32\AppleTime .exe
    ----a-w           172,032 2008-01-15 20:09:46  C:\WINDOWS\system32\Brightness .exe

    ((((((((((((((((((((((((((((( snapshot_2008-01-18_11.54.35.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-18 16:28:50 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-19 04:00:06 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-18 16:28:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-19 04:00:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-18 16:28:51 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-19 04:00:07 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-18 16:28:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-19 04:00:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-18 16:28:51 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-19 04:00:07 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-18 16:28:52 167,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-19 04:00:07 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-01-16 15:36 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
    "Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2008-01-16 15:36 315392]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
    "Brightness"="C:\WINDOWS\system32\Brightness.e xe" [ ]
    "SigmatelSysTrayApp"="sttray.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 15:36 256576]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 15:36 40048]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

    R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
    R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
    R3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 11:15]
    R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
    S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 11:15]
    S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
    S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67709ec-c31c-11dc-9cc1-0017f2b72e78}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - F:\DirectX9\dxsetup.exe
    \Shell\setup\command - F:\setup.exe

    .
    ************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-18 23:03:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************
    .
    Completion time: 2008-01-18 23:05:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-19 04:05:56
    ComboFix2.txt 2008-01-18 16:54:49
    ComboFix3.txt 2008-01-18 16:38:45
    ComboFix4.txt 2008-01-17 20:59:43

  15. #15
    I took the liberty to rescan it with the Prevx program, it's still showing the same .exe and .dll files:

    C:\Windows\System32\drvtuw.dll
    C:\Windows\System32\drvpep.dll
    C:\Program Files\6020156.exe
    C:\Program Files\1289265.exe

  16. #16
    Hopefully that is because it is picking them up in quarantine... Please do this and then try the Prevx scan again...

    Click Start > Run > type in ComboFix /u
    Note the space, it needs to be there.


    It deletes all the files that CF drops in the system, deletes CF itself and its folders, deletes qoobox, vundofix backups, dss folder (C:\deckard), delete otmoveit folder, and regbackups created by erunt through cf.

    It resets clock settings, hidden file extensions, hide system files, resets System Restore.

    You may need to get ComboFix again if there are still problems, but it is best to get fresh copies anyway since it is being updated constantly...

  17. #17
    No, they are still there... See if you can find them and kill them yourself... If you can't, you will need another tool to go after them...

  18. #18
    Quote Originally Posted by Budfred
    Hopefully that is because it is picking them up in quarantine... Please do this and then try the Prevx scan again...

    Click Start > Run > type in ComboFix /u
    Note the space, it needs to be there.


    It deletes all the files that CF drops in the system, deletes CF itself and its folders, deletes qoobox, vundofix backups, dss folder (C:\deckard), delete otmoveit folder, and regbackups created by erunt through cf.

    It resets clock settings, hidden file extensions, hide system files, resets System Restore.

    You may need to get ComboFix again if there are still problems, but it is best to get fresh copies anyway since it is being updated constantly...

    Seems like they're still there...

  19. #19
    Yes, they are... Did you read the next message I posted??

  20. #20
    I deleted them and they haven't come back yet... Should I post a HJT/Combofix log?

  21. #21
    Just go with a ComboFix log since it is what is picking them up and then let me know how your computer is doing...

  22. #22
    ComboFix 08-01-18.4 - Alex Johnson 2008-01-19 12:27:00.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT -5:00]
    Running from: C:\Documents and Settings\Alex Johnson\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
    .

    2008-01-18 23:37 . 2008-01-18 23:37 <DIR> d-------- C:\Program Files\PrevxCSI
    2008-01-18 23:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 22:38 . 2008-01-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2008-01-18 22:31 . 2008-01-18 23:37 <DIR> d-------- C:\Documents and Settings\Alex Johnson\Application Data\PrevxCSI
    2008-01-18 11:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-18 11:44 . 2008-01-18 11:46 <DIR> d-------- C:\Program Files\Java
    2008-01-18 11:44 . 2008-01-18 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-17 22:18 . 2008-01-17 22:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-17 22:06 . 2004-08-03 22:00 260,272 -r-hs---- C:\cmldr
    2008-01-17 22:06 . 2007-10-27 15:06 211 --ahs---- C:\BOOT.BAK
    2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
    2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
    2008-01-15 00:25 . 2008-01-15 19:59 745 --a------ C:\WINDOWS\wininit.ini
    2008-01-14 22:53 . 2008-01-14 22:53 <DIR> d-------- C:\Program Files\ecm100
    2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-14 22:11 . 2008-01-14 22:18 <DIR> d-------- C:\Program Files\aoe3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-19 17:32 --------- d-----w C:\Program Files\Steam
    2008-01-17 20:53 --------- d-----w C:\Program Files\iTunes
    2008-01-17 20:53 --------- d-----w C:\Program Files\Apple Keyboard Support
    2008-01-17 20:50 --------- d-----w C:\Program Files\QuickTime
    2008-01-03 02:09 --------- d-s---w C:\Program Files\HLSW
    2008-01-03 02:07 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-01-01 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-12-20 00:38 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\Azureus
    2007-12-17 04:36 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-23 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 08:20 --------- d-----w C:\Program Files\Viewpoint
    2007-11-21 08:20 --------- d-----w C:\Program Files\Starcraft
    2007-11-21 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-21 08:19 --------- d-----w C:\Program Files\Elecard
    2007-11-21 08:04 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\dvdcss
    2007-11-21 00:40 --------- d-----w C:\Program Files\Ventrilo
    2007-11-21 00:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-27 06:39 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2007-03-12 01:27 1,202,101 ----a-w C:\Program Files\wrar37b4.exe
    .
    Code:
    <pre>
    ----a-w            65,536 2008-01-15 07:01:25  C:\WINDOWS\system32\AppleTime .exe
    ----a-w           172,032 2008-01-15 20:09:46  C:\WINDOWS\system32\Brightness .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-01-16 15:36 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
    "Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2008-01-16 15:36 315392]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
    "Brightness"="C:\WINDOWS\system32\Brightness.e xe" [ ]
    "SigmatelSysTrayApp"="sttray.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 15:36 256576]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 15:36 40048]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
    "PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-18 23:36 92160]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

    R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
    R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
    R3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 11:15]
    R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
    S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 11:15]
    S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
    S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67709ec-c31c-11dc-9cc1-0017f2b72e78}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - F:\DirectX9\dxsetup.exe
    \Shell\setup\command - F:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 12:32:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-19 12:35:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-19 17:35:54
    ComboFix2.txt 2008-01-19 04:25:54
    ComboFix3.txt 2008-01-19 04:06:00

  23. #23
    It looks like the mess is mostly cleaned up... To clean up a bit more, please do this:

    Open Notepad and copy/paste the text in the quotebox below into it:

    RenV::
    C:\WINDOWS\system32\AppleTime .exe
    C:\WINDOWS\system32\Brightness .exe
    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    Post the log in your next response...

    Also, please run the free scanner here and post the log:

    http://www.kaspersky.com/virusscanner

    And again, I need to know how your computer is working...
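As an added example, not from ComboFix and not posted by anyone in this thread, the Python script below parses a constructed excerpt modelled on the log above and flags the Run values worth a second look: empty file details (the "[ ]" entries), a stray space around ".exe", and an on-disk name that differs from the Run value only by whitespace. The sample text, the function names and the flagging rules are assumptions made for this example, not ComboFix behaviour.

```python
"""Flag suspicious autostart entries in a ComboFix log excerpt."""
import re

# Constructed sample modelled on the ComboFix log posted in this thread:
# two "Files Created" lines with a space before .exe, one benign file,
# then a few Run values (two with empty "[ ]" details).
SAMPLE_LOG = r"""
2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
"Brightness"="C:\WINDOWS\system32\Brightness.exe " [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"""

# "Name"="path" [details]  -- empty details mean the log gives no file info
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<details>[^\]]*)\]')
# a drive path at the end of a file-listing line
FILE_LINE = re.compile(r'(?<!\S)(?P<path>[A-Za-z]:\\\S.*?)\s*$')
# whitespace just before the extension, as in "Brightness .exe"
SPACE_BEFORE_EXT = re.compile(r'\s\.[^.\\\s]+$')


def normalise(path):
    """Lower-case and drop all whitespace, so 'AppleTime.exe ' and
    'AppleTime .exe' compare equal."""
    return re.sub(r'\s+', '', path).lower()


def parse_log(text):
    """Return (run_entries, files): Run values as (name, path, details)
    and the file paths the log lists on disk."""
    run_entries, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            run_entries.append((m['name'], m['path'], m['details'].strip()))
            continue
        if line.startswith(('"', '[')):
            continue  # other registry lines, not file listings
        m = FILE_LINE.search(line)
        if m:
            files.append(m['path'])
    return run_entries, files


def find_suspects(text):
    """Map each suspicious Run value name to the reasons it was flagged."""
    run_entries, files = parse_log(text)
    on_disk = {normalise(p): p for p in files}
    findings = {}
    for name, path, details in run_entries:
        reasons = []
        if not details:
            reasons.append('no file details ("[ ]") for the path the Run value names')
        if path != path.strip() or SPACE_BEFORE_EXT.search(path):
            reasons.append('stray whitespace around the extension in the Run value')
        twin = on_disk.get(normalise(path))
        if twin is not None and twin.lower() != path.strip().lower():
            reasons.append('on-disk file differs only by whitespace: ' + twin)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in find_suspects(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print('  -', reason)
```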

  24. #24
    Oh that's what you meant.. It's running just fine, it only got screwy a few days ago when there were like 150 things getting picked up on spybot S&D.

    Combofix:
    ComboFix 08-01-18.4 - Alex Johnson 2008-01-19 23:46:16.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1617 [GMT -5:00]
    Running from: C:\Documents and Settings\Alex Johnson\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Alex Johnson\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
    .

    2008-01-18 23:37 . 2008-01-18 23:37 <DIR> d-------- C:\Program Files\PrevxCSI
    2008-01-18 23:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 22:38 . 2008-01-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2008-01-18 22:31 . 2008-01-18 23:37 <DIR> d-------- C:\Documents and Settings\Alex Johnson\Application Data\PrevxCSI
    2008-01-18 11:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-18 11:44 . 2008-01-18 11:46 <DIR> d-------- C:\Program Files\Java
    2008-01-18 11:44 . 2008-01-18 11:44 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-17 22:18 . 2008-01-17 22:18 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-17 22:06 . 2004-08-03 22:00 260,272 -r-hs---- C:\cmldr
    2008-01-17 22:06 . 2007-10-27 15:06 211 --ahs---- C:\BOOT.BAK
    2008-01-15 00:57 . 2008-01-15 15:09 172,032 --a------ C:\WINDOWS\system32\Brightness .exe
    2008-01-15 00:57 . 2008-01-15 02:01 65,536 --a------ C:\WINDOWS\system32\AppleTime .exe
    2008-01-15 00:25 . 2008-01-15 19:59 745 --a------ C:\WINDOWS\wininit.ini
    2008-01-14 22:53 . 2008-01-14 22:53 <DIR> d-------- C:\Program Files\ecm100
    2008-01-14 22:22 . 2008-01-14 22:22 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-14 22:11 . 2008-01-14 22:18 <DIR> d-------- C:\Program Files\aoe3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-20 04:49 --------- d-----w C:\Program Files\Steam
    2008-01-17 20:53 --------- d-----w C:\Program Files\iTunes
    2008-01-17 20:53 --------- d-----w C:\Program Files\Apple Keyboard Support
    2008-01-17 20:50 --------- d-----w C:\Program Files\QuickTime
    2008-01-03 02:09 --------- d-s---w C:\Program Files\HLSW
    2008-01-03 02:07 --------- d-----w C:\Program Files\Octoshape Streaming Services
    2008-01-01 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-12-20 00:38 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\Azureus
    2007-12-17 04:36 --------- d-----w C:\Program Files\World of Warcraft
    2007-11-23 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-21 08:20 --------- d-----w C:\Program Files\Viewpoint
    2007-11-21 08:20 --------- d-----w C:\Program Files\Starcraft
    2007-11-21 08:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-21 08:19 --------- d-----w C:\Program Files\Elecard
    2007-11-21 08:04 --------- d-----w C:\Documents and Settings\Alex Johnson\Application Data\dvdcss
    2007-11-21 00:40 --------- d-----w C:\Program Files\Ventrilo
    2007-11-21 00:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-03-12 01:27 1,202,101 ----a-w C:\Program Files\wrar37b4.exe
    .
    Code:
    <pre>
    ----a-w            65,536 2008-01-15 07:01:25  C:\WINDOWS\system32\AppleTime .exe
    ----a-w           172,032 2008-01-15 20:09:46  C:\WINDOWS\system32\Brightness .exe
    </pre>

    ((((((((((((((((((((((((((((( snapshot@2008-01-18_23.25.40.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-19 04:19:03 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-20 04:46:06 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-19 04:19:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-20 04:46:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-19 04:19:03 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-20 04:46:07 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-19 04:19:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-20 04:46:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-19 04:19:04 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-20 04:46:07 4,861,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-19 04:19:04 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-20 04:46:07 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-01-16 15:36 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-16 15:36 344064]
    "Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2008-01-16 15:36 315392]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AppleTime"="C:\WINDOWS\system32\AppleTime.exe " [ ]
    "Brightness"="C:\WINDOWS\system32\Brightness.e xe" [ ]
    "SigmatelSysTrayApp"="sttray.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-16 15:36 256576]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-16 15:36 40048]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
    "PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-18 23:36 92160]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

    R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
    R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
    R3 aapltp;Apple Trackpad Driver;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2006-10-19 11:15]
    R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
    S3 aapltctp;Apple Trackpad filter;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-10-19 11:15]
    S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
    S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b67709ec-c31c-11dc-9cc1-0017f2b72e78}]
    \Shell\AutoRun\command - F:\autorun.exe
    \Shell\directx\command - F:\DirectX9\dxsetup.exe
    \Shell\setup\command - F:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 23:49:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-19 23:52:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-20 04:52:17
    ComboFix2.txt 2008-01-19 17:35:58
    ComboFix3.txt 2008-01-19 04:25:54
    ComboFix4.txt 2008-01-19 04:06:00

  25. #25
    Is there a way to access a cleaner log from that program? This is what it found..

    detected: Trojan program Trojan.Win32.Dialer.yz File: C:\System Volume Information\_restore{D50C95E7-0D1E-46D5-AC5E-44FE5B9CB3B2}\RP343\A0071765.dll//PE_Patch.PECompact//PecBundle//PECompact

    detected: Trojan program Trojan.Win32.Dialer.yz File: C:\System Volume Information\_restore{D50C95E7-0D1E-46D5-AC5E-44FE5B9CB3B2}\RP343\A0071766.dll//PE_Patch.PECompact//PecBundle//PECompact

    detected: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\System Volume Information\_restore{D50C95E7-0D1E-46D5-AC5E-44FE5B9CB3B2}\RP343\A0071767.exe//PE_Patch.PECompact//PecBundle//PECompact

    detected: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\System Volume Information\_restore{D50C95E7-0D1E-46D5-AC5E-44FE5B9CB3B2}\RP343\A0071768.exe//PE_Patch.PECompact//PecBundle//PECompact

    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\Program Files\QuickTime\qttask.exe
