zlob trojan infection.. (win32 combo?)


xj700t

Thread Starter
Joined
Apr 3, 2008
Messages
6
Hi!
I've been infected, as the post title says, by a Zlob trojan due to my careless surfing...
Ever since, it gives me a "Windows look-alike" system error popup every time I open a folder or a new browser page, and hijacks Google to porn sites, with the following information:
" system error!
your system was infected by zlob trojan.
it's very dangerous to your system (critical data can be lost)!
click ok to download antimalware application to clean your hard disk! (reccomended)
Y\N
"

Did a scan with NOD32. Nothing unusual. Did an HJT scan. Nothing I can see. Perhaps you can help?
Thanks for your patronage.
BTW, I've also been suffering from win32 generic host services. Any advice/relation?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:13:52, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\שולחן העבודה\תיקיה חדשה\(E)lephant by SK\(E)lephant.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\שולחן העבודה\תיקיה חדשה\(E)lephant by SK\Plugins\(E)lephant - RS.Downloader.exe
D:\Program Files\Hijack This\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://012.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
O22 - SharedTaskScheduler: כלי הטעינה מראש של Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: שרת (Daemon) של מטמון קטגוריות רכיבים - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 5458 bytes
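As an added example (not code from the thread, from HijackThis, or from its authors), the following Python script parses a few lines copied from the log above and applies three heuristics of its own: a BHO loading its DLL straight from the Windows directory, a static O17 NameServer entry that overrides DHCP resolvers, and an orphaned O9 entry. The SAMPLE_LOG constant and the rules are this example's assumptions, not HijackThis output.

```python
"""Triage a HijackThis (HJT) log for the kinds of entries seen in this thread.

Added example: not code from the thread, from HijackThis, or from its authors.
SAMPLE_LOG holds a few lines copied from the first log above; the triage
rules are this example's own heuristics, not HijackThis output.
"""
import ntpath
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: a handful of lines from the thread's first HJT log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://012.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code such as "R0", "O2", "O17"
    detail: str   # everything after "Rn - " / "On - "


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "review" or "info"
    section: str
    reason: str


LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
NS_RE = re.compile(r"NameServer = (.*)$")


def parse_hjt(text):
    """Split an HJT log into (section, detail) entries; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _parent_dir(path):
    """Lower-cased directory of a Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.dirname(path.strip().strip('"')))


def triage(entries):
    """Apply this example's heuristics and return the findings in log order."""
    findings = []
    for e in entries:
        if e.section == "O2":
            m = BHO_RE.match(e.detail)
            if not m:
                continue
            name, clsid, dll = m.groups()
            parent = _parent_dir(dll)
            # Vendor BHOs install under Program Files. A DLL dropped straight
            # into the Windows directory under a generic name ("Media Codec")
            # is the pattern of the entry that FixIEDef removed in this thread.
            if parent.endswith("\\windows") or parent.endswith("\\windows\\system32"):
                findings.append(Finding(
                    "high", "O2",
                    f"BHO '{name}' {clsid} loads {dll} from the Windows directory"))
        elif e.section == "O17":
            m = NS_RE.search(e.detail)
            if m:
                # A static NameServer overrides DHCP-assigned resolvers; public
                # addresses here are worth confirming against the ISP's list.
                public = [ip for ip in m.group(1).split() if ip_address(ip).is_global]
                if public:
                    findings.append(Finding(
                        "review", "O17",
                        "static NameServer set to public resolver(s) "
                        + ", ".join(public) + "; confirm they are your ISP's"))
        elif e.section == "O9" and e.detail.endswith("(file missing)"):
            # Orphaned button/menu entries are leftovers, not active code.
            findings.append(Finding("info", "O9", "orphaned entry: " + e.detail))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against the full log it reports the kiasys.dll BHO as high, leaves the Adobe BHO alone, and lists the O17 resolvers for the user to confirm with their ISP.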
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,017
Hi and welcome to TSG,

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.
 

xj700t

Thread Starter
Smit's log follows. BTW, I'll only be accessing the computer Thursdays to Saturdays as I'm working away from home through the week.
SmitFraudFix v2.311

Scan done at 20:28:40.95, Thu 04/10/2008
Run from C:\Documents and Settings\Administrator\שולחן העבודה\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="דף הבית הנוכחי שלי"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 80.179.52.100
DNS Server Search Order: 212.117.129.5

Description: Broadcom NetLink (TM) Gigabit Ethernet - מיני-יציאה של מתזמן מנות
DNS Server Search Order: 192.168.101.101
DNS Server Search Order: 192.168.101.102

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer=80.179.52.100 212.117.129.5
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer=80.179.52.100 212.117.129.5
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.101.101 192.168.101.102


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
 

xj700t

Thread Starter
here are the requested logs:

Combo Fix:

ComboFix 08-04-11.7 - Administrator 04/12/2008 12:42:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.692 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-02 20:33 57 ----a-w C:\smp.bat
2008-04-02 20:33 203,264 ----a-w C:\WINDOWS\kiasys.dll
2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-02-15 18:12 --------- d-----w C:\Program Files\BlackIsle
2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2008-01-16 16:25 679,936 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
.

------- Sigcheck -------

04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}]
04/02/2008 10:33 PM 203264 --a------ C:\WINDOWS\kiasys.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
"%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
"%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9788:TCP"= 9788:TCP:BitComet 9788 TCP
"9788:UDP"= 9788:UDP:BitComet 9788 UDP
"7600:TCP"= 7600:TCP:BitComet 7600 TCP
"7600:UDP"= 7600:UDP:BitComet 7600 UDP

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 17:37:53 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 12:43:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/12/2008 12:44:04
ComboFix-quarantined-files.txt 2008-04-12 10:43:59
Pre-Run: 60,310,519,808 bytes free
Post-Run: 60,302,770,176 bytes free


New HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:45:48, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Hijack This\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://012.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 84.95.14.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 84.95.14.250
O22 - SharedTaskScheduler: כלי הטעינה מראש של Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: שרת (Daemon) של מטמון קטגוריות רכיבים - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 5283 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
  • Download FixIEDef.exe by ShadowPuterDude to your Desktop.
  • Double-click FixIEDef.exe.
  • That will open the About FixIEDef screen. Click OK to continue.
  • Next, press the Scan! button.
  • FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue.
  • Wait for the scan to finish. It shouldn't take very long.
  • WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
  • After the !!! All Finished !!! message is displayed, click Exit.
  • Post the FixIEDef log file, located on the Desktop, along with the contents of a fresh DSS main.txt.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

See: http://www.beyondlogic.org/consulting/proc...processutil.htm
 

xj700t

Thread Starter
OK, here's the FixIEDef log requested; however... I don't have the slightest idea what a "fresh DSS main.txt" is... Where can I find it again?
...

********************************************************************************
* *
* FixIEDef Log *
* Version 1.3.14.3501 *
* *
********************************************************************************

Created at 15:28:12 on Thursday, April 17, 2008

Time Zone :

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : Other
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\smp.bat
C:\WINDOWS\iun6002.exe
C:\WINDOWS\kiasys.dll

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DateTime
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Sorry. Please disregard the DSS comment. I should have removed that before posting it.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


Now go to the following link and redownload the latest version of ComboFix then do a scan and post the log please.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 

xj700t

Thread Starter
OK, I have the log. Since the last post I made, the problem has pretty much disappeared, including the pop-ups and the Google hijack. Probably better safe than sorry:

ComboFix 08-04-18.3 - Administrator 04/19/2008 10:36:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.678 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
2008-04-10 18:28 1,528 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2008-01-23 17:31 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
.

------- Sigcheck -------

04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
"%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
"%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9788:TCP"= 9788:TCP:BitComet 9788 TCP
"9788:UDP"= 9788:UDP:BitComet 9788 UDP
"7600:TCP"= 7600:TCP:BitComet 7600 TCP
"7600:UDP"= 7600:UDP:BitComet 7600 UDP

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 15:16:36 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 10:36:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/19/2008 10:37:20
ComboFix-quarantined-files.txt 2008-04-19 08:37:15
ComboFix2.txt 2008-04-19 08:35:00
ComboFix3.txt 2008-04-12 10:44:05

Pre-Run: 61,753,413,632 bytes free
Post-Run: 61,746,208,768 bytes free

129
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,017
You did not disable your anti-virus before running the scan. It's hard to tell how that has affected ComboFix. I find it highly unlikely that no files have been created in the past month.

Please uninstall it again and redownload and be sure to disable all anti-virus/malware programs.
 

xj700t

Thread Starter
Joined
Apr 3, 2008
Messages
6
Sorry about that, my bad...
Here's the log:

ComboFix 08-04-18.3 - Administrator 04/20/2008 9:44:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.720 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
2008-04-10 18:28 1,528 ----a-w C:\WINDOWS\system32\tmp.reg
2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
2008-01-23 17:31 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
.

------- Sigcheck -------

04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
"%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
"%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9788:TCP"= 9788:TCP:BitComet 9788 TCP
"9788:UDP"= 9788:UDP:BitComet 9788 UDP
"7600:TCP"= 7600:TCP:BitComet 7600 TCP
"7600:UDP"= 7600:UDP:BitComet 7600 UDP

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 15:16:36 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 09:45:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/20/2008 9:45:42
ComboFix-quarantined-files.txt 2008-04-20 07:45:40
ComboFix2.txt 2008-04-19 08:37:21

Pre-Run: 61,510,930,432 bytes free
Post-Run: 61,624,107,008 bytes free

127


BTW, I've noticed that every time I run ComboFix it gives me the "no new files have been created" notice, although I pretty much terminated every unnecessary process before this scan. This includes the first time I ran the program (log at reply #5).
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,017
It still shows your anti-virus program was active.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Please run the Kaspersky online virus scan: Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.
 