Full Version: Need help with elimination of Virtumonde
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
MartinB
Hi, I have somehow got infected with Virtumonde. It keeps re-establishing itself even after deletion using Ad-Aware. Would appreciate some assistance. Thanks :: MartinB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:21 p.m., on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINXP\system32\brsvc01a.exe
C:\WINXP\system32\brss01a.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINXP\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 3569 bytes
miekiemoes
Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.
MartinB
QUOTE(miekiemoes @ Dec 10 2007, 02:27 AM)
Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.



Many thanks for your help. I have regularly run PandaSoftware online virus scan in the past. I think Virtumonde came after DL an outdated version of Java Runtime Environment. Here are the new logs:



AntiVir PersonalEdition Classic
Report file date: Tuesday, 11 December 2007 18:02

Scanning for 965647 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: SEMPRON-ASUS

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 01:16:30
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 00:23:52
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 03:32:48
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 00:35:22
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 04:55:16
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 04:55:16
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 11/30/2007 04:55:16
ANTIVIR3.VDF : 7.0.1.67 138752 Bytes 12/10/2007 04:55:16
AVEWIN32.DLL : 7.6.0.40 3064320 Bytes 12/11/2007 04:55:18
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/25/2007 22:36:28
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/17/2007 19:39:18
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 01:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/2/2007 20:46:02
AVREG.DLL : 7.0.1.6 30760 Bytes 7/17/2007 19:17:08
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 00:26:34
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/17/2007 19:10:20
NETNT.DLL : 7.0.0.0 7720 Bytes 3/7/2007 23:09:44
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 00:38:14
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 00:50:38
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/22/2007 21:37:22

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, 11 December 2007 18:02

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'NVSVC32.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'MSOFFICE.EXE' - '1' Module(s) have been scanned
Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'HPLamp.exe' - '1' Module(s) have been scanned
Scan process 'POINT32.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'BRSS01A.EXE' - '1' Module(s) have been scanned
Scan process 'BRSVC01A.EXE' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '27' files ).


Starting the file scan:

Begin scan in 'C:\' <SEAGATE80GB>
C:\PAGEFILE.SYS
[WARNING] The file could not be opened!
C:\WINXP\system32\pmkjg.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!


End of the scan: Tuesday, 11 December 2007 21:18
Used time: 3:16:23 min

The scan has been done completely.

3851 Scanning directories
458680 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
458679 Files not concerned
2229 Archives were scanned
2 Warnings
43 Notes


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:36 p.m., on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\brsvc01a.exe
C:\WINXP\system32\brss01a.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINXP\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DA9D924-EF3B-45E7-A649-BCE38CB7DFE7} - C:\WINXP\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINXP\system32\khfggfc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78284C37-E13F-423B-8058-7CF1B64EA9FC} - C:\WINXP\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {AA1BC627-C2AE-4397-A3FE-3C4E394B3169} - C:\WINXP\system32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...181/mcfscan.cab
O20 - Winlogon Notify: khfggfc - C:\WINXP\SYSTEM32\khfggfc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINXP\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5619 bytes

miekiemoes
Hi,

QUOTE
I have regularly run PandaSoftware online virus scan in the past
Yes, but how is an online scanner supposed to prevent malware? An Antivirus is mainly needed to prevent malware. That's why everyone should have an Antivirus installed and it should be running in the background all the time..

* Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated every day.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
MartinB
Thanks for the help. However I have to report that Combofix has not done the job: directly after using Combofix, Avira found the following: Virus or unwanted program 'TR/Vundo.Gen [TR/Vundo.Gen]' detected in file 'C:\WINXP\system32\mljjg.dll'. Action performed: Deny access

Here are the requested logs:



ComboFix 07-12-12.3 - Microsoft 2007-12-12 20:38:11.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT 13:00]
Running from: C:\Documents and Settings\Microsoft\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINXP\system32\aybeg.ini
C:\WINXP\system32\aybeg.ini2
C:\WINXP\system32\gjkkj.ini
C:\WINXP\system32\gjkkj.ini2
C:\WINXP\system32\gjkmp.ini
C:\WINXP\system32\gjkmp.ini2
C:\WINXP\system32\jkklk.dll
C:\WINXP\system32\klkkj.ini
C:\WINXP\system32\klkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-12 08:01 . 2007-12-12 08:01 29 --a------ C:\WINXP\system32\0e1a0a20
2007-12-11 17:51 . 2007-12-11 17:51 <DIR> d-------- C:\Program Files\Avira
2007-12-11 17:23 . 2007-12-11 17:23 314,624 --a------ C:\WINXP\system32\pmkjg.VIR
2007-12-10 23:05 . 2007-12-10 23:06 336,986,112 --a------ C:\1B9.tmp
2007-12-10 21:25 . 2007-12-10 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-09 21:58 . 2007-12-09 21:58 <DIR> d-------- C:\WINXP\McAfee.com
2007-12-09 19:23 . 2007-09-24 23:31 69,632 --a------ C:\WINXP\system32\javacpl.cpl
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\PC Tools
2007-12-09 12:43 . 2005-09-23 08:29 626,688 --a------ C:\WINXP\system32\msvcr80.dll
2007-12-09 12:43 . 2007-10-18 00:16 79,688 --a------ C:\WINXP\system32\drivers\iksyssec.sys
2007-12-09 12:43 . 2007-10-18 00:15 62,280 --a------ C:\WINXP\system32\drivers\iksysflt.sys
2007-12-09 12:43 . 2007-10-18 00:14 41,288 --a------ C:\WINXP\system32\drivers\ikfilesec.sys
2007-12-09 12:43 . 2007-10-18 00:16 29,000 --a------ C:\WINXP\system32\drivers\kcom.sys
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-08 22:38 . 2007-12-08 22:38 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Lavasoft
2007-12-08 14:59 . 2007-12-08 14:59 23,728 --a------ C:\WINXP\system32\khfggfc.dll
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Azureus
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-08 14:38 . 2007-12-08 14:38 <DIR> d-------- C:\Program Files\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 09:20 16,016 ----a-w C:\Documents and Settings\Microsoft\Application Data\GDIPFONTCACHEV1.DAT
2006-01-25 04:11 266 --sh--w C:\Program Files\desktop.ini
2006-01-25 04:11 11,079 ---h--w C:\Program Files\folder.htt
2004-03-11 00:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DA9D924-EF3B-45E7-A649-BCE38CB7DFE7}]
C:\WINXP\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2007-12-08 14:59 23728 --a------ C:\WINXP\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78284C37-E13F-423B-8058-7CF1B64EA9FC}]
C:\WINXP\system32\gebya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1BC627-C2AE-4397-A3FE-3C4E394B3169}]
C:\WINXP\system32\jkkjg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-11 17:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 12:00]

C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-09-12 13:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINXP\system32\khfggfc.dll [2007-12-08 14:59 23728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfggfc]
khfggfc.dll 2007-12-08 14:59 23728 C:\WINXP\system32\khfggfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINXP\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Internet Explorer.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Internet Explorer.lnk
backup=C:\WINXP\pss\Internet Explorer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Outlook Express.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Outlook Express.lnk
backup=C:\WINXP\pss\Outlook Express.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Palm Desktop.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Palm Desktop.lnk
backup=C:\WINXP\pss\Palm Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 18:25 363008 -ra------ C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 18:05 143360 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-11-10 16:19 1051648 --a------ C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-11-02 17:24 1065800 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 20:43:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINXP\system32\winlogon.exe
-> C:\WINXP\system32\khfggfc.dll

PROCESS: C:\WINXP\Explorer.EXE [6.00.2900.2180]
-> C:\WINXP\system32\khfggfc.dll
.
Completion time: 2007-12-12 20:44:33 - machine was rebooted




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:33 p.m., on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\brss01a.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DA9D924-EF3B-45E7-A649-BCE38CB7DFE7} - C:\WINXP\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINXP\system32\khfggfc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78284C37-E13F-423B-8058-7CF1B64EA9FC} - C:\WINXP\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {AA1BC627-C2AE-4397-A3FE-3C4E394B3169} - C:\WINXP\system32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...181/mcfscan.cab
O20 - Winlogon Notify: khfggfc - C:\WINXP\SYSTEM32\khfggfc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINXP\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5468 bytes
miekiemoes
Hi,

QUOTE
However I have to report that Combofix has not done the job
Be patient. You can't expect that one single step will solve your problems. Combofix is mainly a diagnostic tool and the log it displays shows more info on what else we also need to remove.
Please do the following:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
C:\WINXP\system32e1a0a20
C:\WINXP\system32\pmkjg.VIR
C:\1B9.tmp
C:\WINXP\system32\khfggfc.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78284C37-E13F-423B-8058-7CF1B64EA9FC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1BC627-C2AE-4397-A3FE-3C4E394B3169}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfggfc]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
MartinB
Thanks! I did what you said but still no good. Every time I boot, a new dll seems to appear in WinXP\system32. This is what Avira found after (and I think before) the Combofix operation:
Virus or unwanted program 'TR/Vundo.Gen [TR/Vundo.Gen]' detected in file 'C:\WINXP\system32\ssttr.dll. Action performed: Deny access

Here are the logs:



ComboFix 07-12-12.3 - Microsoft 2007-12-13 17:13:33.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT 13:00]
Running from: C:\Documents and Settings\Microsoft\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Microsoft\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\1B9.tmp
C:\WINXP\system32\khfggfc.dll
C:\WINXP\system32\pmkjg.VIR
C:\WINXP\system32e1a0a20
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1B9.tmp
C:\WINXP\system32\khfggfc.dll
C:\WINXP\system32\mljjg.dll
C:\WINXP\system32\pmkjg.VIR
C:\WINXP\system32\rttss.ini
C:\WINXP\system32\rttss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 21:48 . 2007-12-12 21:48 314,624 --a------ C:\WINXP\system32\ssttr.dll
2007-12-12 08:01 . 2007-12-12 08:01 29 --a------ C:\WINXP\system32\0e1a0a20
2007-12-11 17:51 . 2007-12-11 17:51 <DIR> d-------- C:\Program Files\Avira
2007-12-10 21:25 . 2007-12-10 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-09 21:58 . 2007-12-09 21:58 <DIR> d-------- C:\WINXP\McAfee.com
2007-12-09 19:23 . 2007-09-24 23:31 69,632 --a------ C:\WINXP\system32\javacpl.cpl
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\PC Tools
2007-12-09 12:43 . 2005-09-23 08:29 626,688 --a------ C:\WINXP\system32\msvcr80.dll
2007-12-09 12:43 . 2007-10-18 00:16 79,688 --a------ C:\WINXP\system32\drivers\iksyssec.sys
2007-12-09 12:43 . 2007-10-18 00:15 62,280 --a------ C:\WINXP\system32\drivers\iksysflt.sys
2007-12-09 12:43 . 2007-10-18 00:14 41,288 --a------ C:\WINXP\system32\drivers\ikfilesec.sys
2007-12-09 12:43 . 2007-10-18 00:16 29,000 --a------ C:\WINXP\system32\drivers\kcom.sys
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-08 22:38 . 2007-12-08 22:38 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Lavasoft
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Azureus
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-08 14:38 . 2007-12-08 14:38 <DIR> d-------- C:\Program Files\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 09:20 16,016 ----a-w C:\Documents and Settings\Microsoft\Application Data\GDIPFONTCACHEV1.DAT
2006-01-25 04:11 266 --sh--w C:\Program Files\desktop.ini
2006-01-25 04:11 11,079 ---h--w C:\Program Files\folder.htt
2004-03-11 00:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DA9D924-EF3B-45E7-A649-BCE38CB7DFE7}]
C:\WINXP\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C982266B-F2E3-463C-BBA1-191FDDBF7A67}]
2007-12-12 21:48 314624 --a------ C:\WINXP\system32\ssttr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-11 17:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 12:00]

C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-09-12 13:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssttr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINXP\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Internet Explorer.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Internet Explorer.lnk
backup=C:\WINXP\pss\Internet Explorer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Outlook Express.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Outlook Express.lnk
backup=C:\WINXP\pss\Outlook Express.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Palm Desktop.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Palm Desktop.lnk
backup=C:\WINXP\pss\Palm Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 18:25 363008 -ra------ C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 18:05 143360 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-11-10 16:19 1051648 --a------ C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-11-02 17:24 1065800 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 17:18:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINXP\Explorer.EXE [6.00.2900.2180]
-> C:\WINXP\system32\ssttr.dll
.
Completion time: 2007-12-13 17:19:56 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-12 20:44


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:34 p.m., on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\brss01a.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...181/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINXP\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4721 bytes
miekiemoes
Hi,

This is not uncommon, because it appears that new malware was already downloaded and installed in the meantime, before we performed the CFScript.
I suggest you disconnect from the internet as much as possible and only connect to read my instructions.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
C:\WINXP\system32\ssttr.dll
C:\WINXP\system32\0e1a0a20

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DA9D924-EF3B-45E7-A649-BCE38CB7DFE7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C982266B-F2E3-463C-BBA1-191FDDBF7A67}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
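Both CFScripts in this thread do the same two things: they delete BHO / Winlogon Notify registrations and they reset the LSA "Authentication Packages" value to the REGEDIT4 literal hex(7):6d,73,76,31,5f,30,00,00, because the ComboFix log showed the Vundo DLL appended to that list (which makes lsass.exe load it at every boot). The Python below is an added example, not code from this thread, from ComboFix or from HijackThis: it decodes and re-encodes that hex(7) literal, reports any package other than msv1_0, and flags the HijackThis line types the helper removes (O2 BHOs with no name or a missing file, O20 Winlogon Notify DLLs). The sample HijackThis lines and the observed package list are constructed from entries visible in the logs above; the assumption that msv1_0 is the only package expected on this system is the same one the CFScript makes.

```python
"""Vundo persistence checks (added example; not from the thread or its tools).
Two helpers the CFScript above relies on, reimplemented for inspection:
  * decode/encode the REGEDIT4 'hex(7):' REG_MULTI_SZ literal used to reset
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages
  * flag the HijackThis line types removed in this thread (O2 / O20)
All sample input below is constructed from values visible in the thread's logs."""
import re
from typing import List, Tuple

# Constructed sample HijackThis lines of the kinds seen in the thread.
SAMPLE_HJT = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O2 - BHO: (no name) - {78284C37-E13F-423B-8058-7CF1B64EA9FC} - C:\\WINXP\\system32\\gebya.dll (file missing)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O20 - Winlogon Notify: khfggfc - C:\\WINXP\\SYSTEM32\\khfggfc.dll
"""

# The package list the CFScript restores: msv1_0 only (assumed to be the expected default here).
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_hex7(value: str) -> List[str]:
    """Turn a REGEDIT4 'hex(7):6d,73,...' literal into the REG_MULTI_SZ string list.
    REGEDIT4 files are ANSI, so one byte per character; strings are NUL-separated
    and the list ends with one extra NUL."""
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("expected a hex(7) REG_MULTI_SZ literal")
    raw = bytes(int(tok, 16) for tok in value[len(prefix):].split(",") if tok.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_hex7(strings: List[str]) -> str:
    """Inverse of decode_hex7: build the literal a CFScript or .reg file needs."""
    raw = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def unexpected_auth_packages(observed: List[str]) -> List[str]:
    """Return every Authentication Packages entry that is not an expected default.
    Anything listed here is loaded into lsass.exe at boot, which is how the
    ssttr.dll in the thread came back after every reboot."""
    expected = {d.lower() for d in DEFAULT_AUTH_PACKAGES}
    return [p for p in observed if p.lower() not in expected]


HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def audit_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Scan HijackThis lines; return (code, reason, line) for entries worth review."""
    findings: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = HJT_O2.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(("O2", "BHO registered without a name", line))
            elif m.group("path").endswith("(file missing)"):
                findings.append(("O2", "BHO points at a file that no longer exists", line))
            continue
        m = HJT_O20.match(line)
        if m:
            findings.append(("O20", "Winlogon Notify DLL is loaded into winlogon.exe at logon", line))
    return findings


if __name__ == "__main__":
    # Constructed from the ComboFix line 'Authentication Packages REG_MULTI_SZ msv1_0 C:\WINXP\system32\ssttr.dll'.
    observed = ["msv1_0", "C:\\WINXP\\system32\\ssttr.dll"]
    print("extra auth packages :", unexpected_auth_packages(observed))
    print("CFScript reset line :", '"Authentication Packages"=' + encode_hex7(DEFAULT_AUTH_PACKAGES))
    for code, reason, line in audit_hjt(SAMPLE_HJT):
        print(f"[{code}] {reason}: {line}")
```

Running it prints the stray ssttr.dll entry, the exact "Authentication Packages" line the CFScript uses, and the two HijackThis lines (the nameless BHO and the khfggfc Winlogon Notify DLL) that the helper told MartinB to remove. Checking the decoded list against a known-good set, rather than eyeballing the hex, is the repeatable way to confirm the reset took effect in the next ComboFix log.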
MartinB
After using Combofix, and while disconnected from the internet as you suggested, I ran Avira and it found 12 files and deleted them:

AntiVir PersonalEdition Classic
Report file date: Thursday, 13 December 2007 19:33

Scanning for 971419 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: SEMPRON-ASUS

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 01:16:30
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 00:23:52
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 03:32:48
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 00:35:22
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 04:55:16
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 04:55:16
ANTIVIR2.VDF : 7.0.1.30 1575424 Bytes 11/30/2007 04:55:16
ANTIVIR3.VDF : 7.0.1.81 215040 Bytes 12/12/2007 05:34:58
AVEWIN32.DLL : 7.6.0.40 3064320 Bytes 12/11/2007 04:55:18
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/25/2007 22:36:28
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/17/2007 19:39:18
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 01:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/2/2007 20:46:02
AVREG.DLL : 7.0.1.6 30760 Bytes 7/17/2007 19:17:08
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 00:26:34
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/17/2007 19:10:20
NETNT.DLL : 7.0.0.0 7720 Bytes 3/7/2007 23:09:44
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 00:38:14
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 00:50:38
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/22/2007 21:37:22

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, 13 December 2007 19:33

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'MSOFFICE.EXE' - '1' Module(s) have been scanned
Scan process 'NVSVC32.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'SCHED.EXE' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'AVGNT.EXE' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'HPLamp.exe' - '1' Module(s) have been scanned
Scan process 'POINT32.EXE' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'BRSS01A.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '26' files ).


Starting the file scan:

Begin scan in 'C:\' <SEAGATE80GB>
C:\PAGEFILE.SYS
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{1B01FB0B-F1CF-4CD5-A1CE-A558A3D63189}\RP6\A0000241.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1B01FB0B-F1CF-4CD5-A1CE-A558A3D63189}\RP8\A0000263.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1B01FB0B-F1CF-4CD5-A1CE-A558A3D63189}\RP10\A0001161.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1B01FB0B-F1CF-4CD5-A1CE-A558A3D63189}\RP10\A0001165.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1B01FB0B-F1CF-4CD5-A1CE-A558A3D63189}\RP12\A0001220.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\catchme2007-12-12_204256.40.zip
[0] Archive type: ZIP
--> jkklk.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\catchme2007-12-13_192646.79.zip
[0] Archive type: ZIP
--> ssttr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINXP\system32\jkklk.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINXP\system32\mljjg.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINXP\system32\pmkjg.VIR.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINXP\system32\khfggfc.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINXP\system32\ssttr.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!


End of the scan: Thursday, 13 December 2007 20:25
Used time: 51:59 min

The scan has been done completely.

3713 Scanning directories
389518 Files were scanned
12 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
12 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
389506 Files not concerned
1901 Archives were scanned
1 Warnings
43 Notes


I then rebooted, did another virus scan and the system seems clean. Let's keep our fingers crossed! Here are the logs you requested:


ComboFix 07-12-12.3 - Microsoft 2007-12-13 19:23:18.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.163 [GMT 13:00]
Running from: C:\Documents and Settings\Microsoft\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Microsoft\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINXP\system32\0e1a0a20
C:\WINXP\system32\ssttr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINXP\system32\0e1a0a20
C:\WINXP\system32\ssttr.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 17:20 . 2007-12-13 19:22 8,928 --ahs---- C:\WINXP\system32\rttss.ini2
2007-12-13 17:18 . 2007-12-13 19:24 8,928 --ahs---- C:\WINXP\system32\rttss.ini
2007-12-11 17:51 . 2007-12-11 17:51 <DIR> d-------- C:\Program Files\Avira
2007-12-10 21:25 . 2007-12-10 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-09 21:58 . 2007-12-09 21:58 <DIR> d-------- C:\WINXP\McAfee.com
2007-12-09 19:23 . 2007-09-24 23:31 69,632 --a------ C:\WINXP\system32\javacpl.cpl
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-09 12:43 . 2007-12-09 12:43 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\PC Tools
2007-12-09 12:43 . 2005-09-23 08:29 626,688 --a------ C:\WINXP\system32\msvcr80.dll
2007-12-09 12:43 . 2007-10-18 00:16 79,688 --a------ C:\WINXP\system32\drivers\iksyssec.sys
2007-12-09 12:43 . 2007-10-18 00:15 62,280 --a------ C:\WINXP\system32\drivers\iksysflt.sys
2007-12-09 12:43 . 2007-10-18 00:14 41,288 --a------ C:\WINXP\system32\drivers\ikfilesec.sys
2007-12-09 12:43 . 2007-10-18 00:16 29,000 --a------ C:\WINXP\system32\drivers\kcom.sys
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 10:15 . 2007-12-09 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-08 22:38 . 2007-12-08 22:38 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Lavasoft
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\Microsoft\Application Data\Azureus
2007-12-08 14:39 . 2007-12-08 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-08 14:38 . 2007-12-08 14:38 <DIR> d-------- C:\Program Files\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 09:20 16,016 ----a-w C:\Documents and Settings\Microsoft\Application Data\GDIPFONTCACHEV1.DAT
2006-01-25 04:11 266 --sh--w C:\Program Files\desktop.ini
2006-01-25 04:11 11,079 ---h--w C:\Program Files\folder.htt
2004-03-11 00:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINXP\system32\rundll32.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-11 17:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINXP\system32\CTFMON.EXE" [2004-08-04 12:00]

C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-09-12 13:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINXP\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Internet Explorer.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Internet Explorer.lnk
backup=C:\WINXP\pss\Internet Explorer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Outlook Express.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Outlook Express.lnk
backup=C:\WINXP\pss\Outlook Express.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Microsoft^Start Menu^Programs^Startup^Palm Desktop.lnk]
path=C:\Documents and Settings\Microsoft\Start Menu\Programs\Startup\Palm Desktop.lnk
backup=C:\WINXP\pss\Palm Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-11-14 18:25 363008 -ra------ C:\Program Files\ASUS\AASP\1.00.17\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-23 18:05 143360 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-11-10 16:19 1051648 --a------ C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2007-11-02 17:24 1065800 --a------ C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1


.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 19:27:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 19:27:56 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-12 20:44
C:\ComboFix2.txt ... 2007-12-13 17:19




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:21 p.m., on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\brss01a.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...181/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINXP\system32\brsvc01a.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4989 bytes
miekiemoes
Hi,

As far as I can see, the infection is gone now. Just two files you have to delete manually.
They are hidden, so please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then navigate to and delete the following files:

C:\WINXP\system32\rttss.ini2
C:\WINXP\system32\rttss.ini

Then:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
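The manual steps above (show hidden and protected files, then delete the two rttss files) can be checked from a script once they have been done. The following PowerShell is an added example for this thread, not something the helper posted: it reads the Explorer "Folder Options" registry values that the Start > My Computer > Tools > Folder Options dialog sets, and reports whether the two files named above are still present. It assumes the Windows directory is C:\WINXP, as the logs in this thread show, and that it is run in the affected user's account.

```powershell
# Added example (not from the original thread). Assumes C:\WINXP as in the logs above.
# Explorer's Folder Options are stored under this per-user key.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Values the Folder Options dialog writes:
#   Hidden = 1          -> "Show hidden files and folders"
#   ShowSuperHidden = 1 -> protected operating system files are shown
#   HideFileExt = 0     -> "Hide extensions for known file types" is unchecked
$expected = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }
$current  = Get-ItemProperty -Path $adv

foreach ($name in $expected.Keys) {
    $value = $current.$name
    if ($value -ne $expected[$name]) {
        Write-Warning ("{0} is {1}, expected {2} (Folder Options step not applied yet)" -f $name, $value, $expected[$name])
    } else {
        Write-Output ("ok: {0} = {1}" -f $name, $value)
    }
}

# The two files the reply asks to delete. Test-Path sees hidden files regardless
# of the Explorer setting; Get-Item needs -Force to return a hidden item.
$targets = @('C:\WINXP\system32\rttss.ini2', 'C:\WINXP\system32\rttss.ini')

foreach ($f in $targets) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        Write-Output ("STILL PRESENT: {0} ({1} bytes, attributes: {2})" -f $f, $item.Length, $item.Attributes)
    } else {
        Write-Output ("gone: {0}" -f $f)
    }
}
```

If a file is reported as still present, `Remove-Item -LiteralPath <path> -Force` deletes it without first changing the Explorer view, which is the same result as the manual deletion described above. The attribute listing is useful because a hidden, system-flagged .ini in system32 is exactly what the manual "show protected operating system files" step exists to reveal.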
MartinB
Thanks a million. System seems clean now. Avira & Ad-Aware report nothing found.

MartinB
miekiemoes
Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
miekiemoes
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !