
zlob trojan infection.. (win32 combo?)

Discussion in 'Virus & Other Malware Removal' started by xj700t, Apr 3, 2008.

Thread Status:
Not open for further replies.
  1. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    Hi!
    I've been infected, as the post title says, by a Zlob trojan due to my careless surfing...
    Since then it gives me a "Windows look-alike" system error popup every time I open a folder or a new browser page, and hijacks Google to porn sites, with the following information:
    " system error!
    your system was infected by zlob trojan.
    it's very dangerous to your system (critical data can be lost)!
    click ok to download antimalware application to clean your hard disk! (reccomended)
    Y\N
    "

    Did a scan with NOD32. Nothing unusual. Did a HJT scan. Nothing I can see. Perhaps you can help?
    Thanks for your patronage.
    BTW, I've also been suffering from win32 generic host services. Any advice/relation?

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:13:52, on 03/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\012Net\012Net-Cable dialer\fts.exe
    C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Administrator\שולחן העבודה\תיקיה חדשה\(E)lephant by SK\(E)lephant.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\שולחן העבודה\תיקיה חדשה\(E)lephant by SK\Plugins\(E)lephant - RS.Downloader.exe
    D:\Program Files\Hijack This\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://012.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
    O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
    O22 - SharedTaskScheduler: כלי הטעינה מראש של Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: שרת (Daemon) של מטמון קטגוריות רכיבים - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

    --
    End of file - 5458 bytes
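Added example, not part of the thread and not code from HijackThis or any tool mentioned here: a Python triage pass over HJT lines of the kind posted above. It encodes what a responder checks by eye in this log: the O2 entry calling itself "Media Codec" registers a BHO whose DLL sits in the %WINDIR% root (C:\WINDOWS\kiasys.dll) instead of under Program Files or system32, which is where a drive-by "codec" install puts its payload, while the Adobe and BitComet BHOs live where installers normally place them. The O17 NameServer lines are reported for review rather than as malicious: the machine runs a 012Net dialer and nothing in the thread establishes whether those resolvers are the ISP's, so the script only asks that statically configured resolvers be checked against an allowlist the operator supplies. "Unknown owner" on an O23 service is normal for XP's own services in system32 and is only reported when the binary lives elsewhere. The EXPECTED_BIN_DIRS rule and the trusted_dns parameter are assumptions of this example; the sample lines are a constructed subset copied from the first HJT log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above, verbatim.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 212.117.129.5
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


@dataclass(frozen=True)
class Finding:
    item: str     # HJT section: O2, O17 or O23
    subject: str  # CLSID, interface GUID or service name
    reason: str


# Where an installed BHO or service binary normally lives. A DLL in the
# %WINDIR% root, a Temp folder or a user profile is the pattern of a drive-by
# "codec" install. Assumption of this example, not a HijackThis rule.
EXPECTED_BIN_DIRS = ("\\program files\\", "\\windows\\system32\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def in_expected_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in EXPECTED_BIN_DIRS)


def triage(log_text: str, trusted_dns=frozenset()):
    """Return Findings for the O2/O17/O23 lines worth a human's attention.

    trusted_dns: resolvers the operator has confirmed out of band (ISP or
    LAN). Static NameServer entries outside that set are reported for
    review, which is not the same as calling them malicious.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if not in_expected_dir(m["path"]):
                findings.append(Finding("O2", m["clsid"],
                    f"BHO '{m['name']}' loads {m['path']} from outside Program Files/system32"))
        elif m := O17_RE.match(line):
            unknown = [s for s in m["servers"].split() if s not in trusted_dns]
            if unknown:
                guid = m["key"].rsplit("\\", 1)[-1]
                findings.append(Finding("O17", guid,
                    f"static NameServer {' '.join(unknown)} not in the trusted set; confirm with the ISP"))
        elif m := O23_RE.match(line):
            # 'Unknown owner' is normal for XP's own services in system32;
            # only an unknown owner outside the expected directories is odd.
            if m["owner"] == "Unknown owner" and not in_expected_dir(m["path"]):
                findings.append(Finding("O23", m["name"], f"unowned service binary {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.item} {f.subject}: {f.reason}")
```

Run it as a script to print the two findings, or import it and pass the full log text. The allowlist matters because a DNS changer and an ISP's PPP interface look identical in an O17 line; only an out-of-band source for the expected resolvers separates them.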
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    Hi and welcome to TSG,

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non-infected computer will remove your Desktop background.
     
  3. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    Smit's log follows. BTW, I'll only be accessing the computer Thursdays to Saturdays as I'm working away from home through the week.
    SmitFraudFix v2.311

    Scan done at 20:28:40.95, Thu 04/10/2008
    Run from C:\Documents and Settings\Administrator\שולחן העבודה\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\012Net\012Net-Cable dialer\fts.exe
    C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="דף הבית הנוכחי שלי"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 80.179.52.100
    DNS Server Search Order: 212.117.129.5

    Description: Broadcom NetLink (TM) Gigabit Ethernet - מיני-יציאה של מתזמן מנות
    DNS Server Search Order: 192.168.101.101
    DNS Server Search Order: 192.168.101.102

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer=80.179.52.100 212.117.129.5
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer=80.179.52.100 212.117.129.5
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{6416AC22-FB6C-4E3B-8B72-6F947062EA3A}: DhcpNameServer=192.168.101.101 192.168.101.102
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.101.101 192.168.101.102


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    Please visit the Combofix Guide & Instructions page for instructions on downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
     
  5. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    here are the requested logs:

    Combo Fix:

    ComboFix 08-04-11.7 - Administrator 04/12/2008 12:42:31.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.692 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
    2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
    2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
    2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
    2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-02 20:33 57 ----a-w C:\smp.bat
    2008-04-02 20:33 203,264 ----a-w C:\WINDOWS\kiasys.dll
    2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
    2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
    2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
    2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
    2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
    2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
    2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
    2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
    2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
    2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-02-15 18:12 --------- d-----w C:\Program Files\BlackIsle
    2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
    2008-01-16 16:25 679,936 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
    .

    ------- Sigcheck -------

    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}]
    04/02/2008 10:33 PM 203264 --a------ C:\WINDOWS\kiasys.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
    "TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
    "DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
    "%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
    "%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
    "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

    C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
    hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    --------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9788:TCP"= 9788:TCP:BitComet 9788 TCP
    "9788:UDP"= 9788:UDP:BitComet 9788 UDP
    "7600:TCP"= 7600:TCP:BitComet 7600 TCP
    "7600:UDP"= 7600:UDP:BitComet 7600 UDP

    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
    S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 17:37:53 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-12 12:43:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 04/12/2008 12:44:04
    ComboFix-quarantined-files.txt 2008-04-12 10:43:59
    Pre-Run: 60,310,519,808 bytes free
    Post-Run: 60,302,770,176 bytes free


    New HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:45:48, on 12/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\012Net\012Net-Cable dialer\fts.exe
    C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
    D:\Program Files\DAEMON Tools\daemon.exe
    D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    D:\Program Files\Hijack This\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://012.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: Media Codec - {8B580E40-6B46-44C8-9E80-A5AD6E1D1035} - C:\WINDOWS\kiasys.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
    O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 84.95.14.250
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5E0A7729-C5E4-42CC-AC2B-AA10F5107AD9}: NameServer = 80.179.52.100 84.95.14.250
    O22 - SharedTaskScheduler: כלי הטעינה מראש של Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: שרת (Daemon) של מטמון קטגוריות רכיבים - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

    --
    End of file - 5283 bytes
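Added example, not from the thread and not part of ComboFix: the Find3M section of the ComboFix log above is a creation-time listing, so the practical move is to pivot on a file already known bad (kiasys.dll, the DLL behind the "Media Codec" BHO) and look at what else was written in the same minute. Doing that here surfaces C:\smp.bat, a 57-byte batch file in the drive root with the same 2008-04-02 20:33 timestamp as the DLL; the FixIEDef log later in the thread deletes both of them. The script parses Find3M lines copied from the log, clusters entries by creation time and flags any cluster that includes an executable dropped into the drive root, the %WINDIR% root or a Temp folder. The two-minute window, the drop-zone rule and the extension list are this example's assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: Find3M lines copied verbatim from the ComboFix log above.
SAMPLE_FIND3M = r"""
2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-04-02 20:33 57 ----a-w C:\smp.bat
2008-04-02 20:33 203,264 ----a-w C:\WINDOWS\kiasys.dll
2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-01-16 16:25 679,936 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
"""

# Find3M line: date time size attrs path; size is '---------' for directories.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$")

# Executable types an installer would drop; the "drop zones" are the drive
# root, the %WINDIR% root and any Temp folder. Both are assumptions of this
# example, not ComboFix rules.
EXEC_EXTS = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif", ".sys"}


@dataclass(frozen=True)
class Entry:
    when: datetime
    path: str
    is_dir: bool


def parse_find3m(text: str):
    entries = []
    for raw in text.splitlines():
        if m := ENTRY_RE.match(raw.strip()):
            entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                                 m["path"], m["attrs"].startswith("d")))
    # sorted() is stable, so entries sharing a minute keep their log order
    return sorted(entries, key=lambda e: e.when)


def is_drop_zone(path: str) -> bool:
    directory, name = ntpath.split(path)
    directory = ntpath.normcase(directory).rstrip("\\")
    ext = ntpath.splitext(name)[1].lower()
    in_zone = (re.fullmatch(r"[a-z]:(\\windows)?", directory) is not None
               or "\\temp" in directory)
    return in_zone and ext in EXEC_EXTS


def clusters(entries, window=timedelta(minutes=2)):
    """Split a time-sorted entry list wherever the gap exceeds `window`."""
    groups, current = [], []
    for e in entries:
        if current and e.when - current[-1].when > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return groups


def suspicious_clusters(text: str, window=timedelta(minutes=2)):
    """Clusters containing at least one executable written to a drop zone."""
    return [g for g in clusters(parse_find3m(text), window)
            if any(is_drop_zone(e.path) for e in g if not e.is_dir)]


def pivot(text: str, known_bad: str, window=timedelta(minutes=2)):
    """Paths created within +/- window of a file already known to be bad."""
    entries = parse_find3m(text)
    anchor = next((e for e in entries if e.path.lower() == known_bad.lower()), None)
    if anchor is None:
        return []
    return [e.path for e in entries
            if e is not anchor and abs(e.when - anchor.when) <= window]


if __name__ == "__main__":
    for group in suspicious_clusters(SAMPLE_FIND3M):
        print(group[0].when.strftime("%Y-%m-%d %H:%M"), [e.path for e in group])
    print("created alongside kiasys.dll:", pivot(SAMPLE_FIND3M, r"C:\WINDOWS\kiasys.dll"))
```

The clustering is the generic form of the pivot: it needs no known-bad file, just a notion of where legitimate installers do not write. Note that Find3M only carries minute resolution and only three months of history, so anything older or anything timestomped will not appear; it narrows the search, it does not replace a full filesystem timeline.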
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    • Download FixIEDef.exe by ShadowPuterDude to your Desktop.

    • Double-click FixIEDef.exe:

    • That will open the About FixIEDef screen. Click OK to continue:

    • Next, press the Scan! button:

    • FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:

    • Wait for the scan to finish. It shouldn't take very long.

    • WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

    • After the !!! All Finished !!! message is displayed, click Exit:

    • Post the FixIEDef log file, located on the Desktop along with the contents of a fresh DSS main.txt.
    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    See: http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    OK, here's the FixIEDef log requested, however... I don't have the slightest idea what a "fresh DSS main.txt" is. Where can I find it again?
    ...

    ********************************************************************************
    * *
    * FixIEDef Log *
    * Version 1.3.14.3501 *
    * *
    ********************************************************************************

    Created at 15:28:12 on Thursday, April 17, 2008

    Time Zone :

    Operating System : Microsoft Windows XP Professional
    Service Pack Level: Service Pack 2
    System Langauge : Other
    Processor : X86
    Boot State : Normal boot

    --------------------------------------------------------------------------------

    !!! Files that have been deleted !!!

    C:\smp.bat
    C:\WINDOWS\iun6002.exe
    C:\WINDOWS\kiasys.dll

    --------------------------------------------------------------------------------

    !!! Directories that have been removed !!!

    No malicious directories to be removed

    --------------------------------------------------------------------------------

    !!! Registry entries that have been removed !!!

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment"
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\bind "comment2"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DateTime
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B580E40-6B46-44C8-9E80-A5AD6E1D1035}

    ================================================================================

    All Done :)

    ShadowPuterDude

    Safe Surfing!!!
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    Sorry. Please disregard the DSS comment. I should have removed that before posting it.

    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.


    Now go to the following link and redownload the latest version of ComboFix then do a scan and post the log please.

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     
  9. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    OK. I have the log, and since the last post I made, the problem has pretty much disappeared, including the pop-ups and the Google hijack. Probably better safe than sorry:

    ComboFix 08-04-18.3 - Administrator 04/19/2008 10:36:13.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.678 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
    2008-04-10 18:28 1,528 ----a-w C:\WINDOWS\system32\tmp.reg
    2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
    2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
    2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
    2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
    2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
    2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
    2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
    2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
    2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
    2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
    2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
    2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
    2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
    2008-01-23 17:31 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
    .

    ------- Sigcheck -------

    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
    "TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
    "DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
    "%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
    "%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
    "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

    C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
    hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    --------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9788:TCP"= 9788:TCP:BitComet 9788 TCP
    "9788:UDP"= 9788:UDP:BitComet 9788 UDP
    "7600:TCP"= 7600:TCP:BitComet 7600 TCP
    "7600:UDP"= 7600:UDP:BitComet 7600 UDP

    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
    S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-18 15:16:36 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-19 10:36:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 04/19/2008 10:37:20
    ComboFix-quarantined-files.txt 2008-04-19 08:37:15
    ComboFix2.txt 2008-04-19 08:35:00
    ComboFix3.txt 2008-04-12 10:44:05

    Pre-Run: 61,753,413,632 bytes free
    Post-Run: 61,746,208,768 bytes free

    129
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    You did not disable your anti-virus before running the scan. It's hard to tell how that has affected ComboFix. I find it highly unlikely that no files have been created in the past month.

    Please uninstall it again and redownload and be sure to disable all anti-virus/malware programs.
     
  11. xj700t

    xj700t Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    6
    Sorry about that. My bad...
    Here's the log:

    ComboFix 08-04-18.3 - Administrator 04/20/2008 9:44:04.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.720 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\שולחן העבודה\ComboFix.exe
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-12 10:42 --------- d-----w C:\Program Files\ESET
    2008-04-10 18:28 1,528 ----a-w C:\WINDOWS\system32\tmp.reg
    2008-04-08 20:44 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
    2008-04-04 12:40 --------- d-----w C:\Program Files\Common Files\DirectX
    2008-04-03 12:32 --------- d-----w C:\Program Files\Common Files\EasyInfo
    2008-04-03 10:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-02 05:54 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-01 05:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
    2008-04-01 05:36 --------- d-----w C:\Program Files\VideoLAN
    2008-03-31 13:57 --------- d-----w C:\Program Files\Combined Community Codec Pack
    2008-03-28 22:19 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
    2008-03-25 14:06 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
    2008-03-25 11:43 --------- d-----w C:\Program Files\Common Files\INCA Shared
    2008-03-25 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-25 11:42 --------- d-----w C:\Program Files\NHN USA
    2008-03-19 14:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2008-03-15 16:23 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
    2008-03-15 16:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-03-15 16:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-03-15 16:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
    2008-03-14 15:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
    2008-03-13 17:43 --------- d-----w C:\Program Files\Common Files\FTL Shared
    2008-03-05 14:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
    2008-03-05 14:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
    2008-03-05 14:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
    2008-03-05 13:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
    2008-03-05 13:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
    2008-03-01 20:45 --------- d-----w C:\Program Files\Mv2Player
    2008-02-15 18:13 52,736 ----a-w C:\WINDOWS\ipuninst.exe
    2008-02-05 21:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
    2008-01-23 17:31 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
    .

    ------- Sigcheck -------

    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\dllcache\tcpip.sys
    04/02/2008 07:54 AM 359040 ce0ef073219f35972dabf5b61b395a4b C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 02:00 PM 15360]
    "TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [12/21/2007 03:17 PM 196864]
    "DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM 171464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/26/2007 10:48 AM 949376]
    "%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [08/11/2005 02:18 PM 83608]
    "%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [12/13/2005 10:03 AM 801280]
    "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM 267064]
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM 286720]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 02:00 PM 15360]

    C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\
    hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    --------- 01/07/2005 05:07 PM 61952 C:\WINDOWS\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 07/09/2001 04:50 AM 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 11/02/2004 08:24 PM 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 11/10/2006 12:35 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9788:TCP"= 9788:TCP:BitComet 9788 TCP
    "9788:UDP"= 9788:UDP:BitComet 9788 UDP
    "7600:TCP"= 7600:TCP:BitComet 7600 TCP
    "7600:UDP"= 7600:UDP:BitComet 7600 UDP

    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [08/27/2004 02:00 PM]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [03/15/2008 06:23 PM]
    S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;C:\WINDOWS\system32\DRIVERS\Wirelecf.SYS [09/07/2005 11:09 AM]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-18 15:16:36 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-20 09:45:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 04/20/2008 9:45:42
    ComboFix-quarantined-files.txt 2008-04-20 07:45:40
    ComboFix2.txt 2008-04-19 08:37:21

    Pre-Run: 61,510,930,432 bytes free
    Post-Run: 61,624,107,008 bytes free

    127


    BTW, I've noticed that every time I run ComboFix it gives me the "no new files have been created" notice, although I pretty much terminated every unnecessary process before this scan. This includes the first time I ran the program (log at reply no. #5).
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,388
    First Name:
    Karen
    It still shows your anti-virus program was active.

    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.


    Please run Kaspersky online virus scan Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.
     
Short URL to this thread: https://techguy.org/699835