Please Advise - Everything Started With XP Antivirus 2008

Hi guys,


This is my log, and the symptoms are as follows:


1. the red biohazard screen with "Your privacy is in danger" - this might be associated with O24 (down below) - even if I tick it and click Fix, it comes back;


2. IE hijacked;


3. taskmgr, regedit and screen properties "disabled by the administrator"


4. system partition not visible in My Computer (though if I type c:\ into Windows Explorer, it works!)


5. DVD disappeared


I'm running XP SP2, installed around 1 year ago. I'm "protected" by BitDefender AV 2008 (installed 2 months ago), and the trouble started when XP Antivirus 2008 (a 4-month-old virus) appeared on my PC 2-3 days ago without being detected by my AV.


On the first day I was still able to edit the registry manually and get rid (also manually) of XPA.exe. But the stuff that came with it is still resident.


Thanks for any help!


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 17:33: VIRUS ALERT!, on 6/29/2008


Platform: Windows XP SP2 (WinNT 5.01.2600)


MSIE: Internet Explorer v7.00 (7.00.5730.0013)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


C:\WINDOWS\system32\spoolsv.exe


C:\WINDOWS\Explorer.EXE


C:\WINDOWS\system32\ctfmon.exe


C:\WINDOWS\system32\RUNDLL32.EXE


C:\WINDOWS\RTHDCPL.EXE


C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


C:\Program Files\Bonjour\mDNSResponder.exe


C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe


C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


C:\WINDOWS\system32\nvsvc32.exe


C:\Program Files\CyberLink\Shared files\RichVideo.exe


C:\Program Files\Logitech\SetPoint\SetPoint.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\rundll32.exe


C:\WINDOWS\Temp\WdfTemp\Microsoft Kernel-Mode Driver Framework Install-v1.5-WinXP.exe


e:\34bfa5dfdcf2e9bc829166e90a\update\update.exe


C:\WINDOWS\system32\wuauclt.exe


C:\Program Files\Mozilla Firefox\firefox.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


O2 - BHO: QXK Olive - {2D5C76A5-703E-454A-9143-4C5353CA43F5} - C:\WINDOWS\ksendlbtlgs.dll


O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE


O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE


O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')


O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html


O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html


O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll


O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL


O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL


O21 - SSODL: xvorfwbd - {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll


O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe


O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe


O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe


O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe


O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe


O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe


O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


--


End of file - 8713 bytes
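The log above already contains the entries that matter: a BHO (O2) and a ShellServiceObjectDelayLoad DLL (O21) with random names dropped straight into C:\WINDOWS, an Active Desktop component (O24) pointing at a local HTML file (the "privacy danger" background), IE restriction policies (O6), and a scan timestamp that reads "17:33: VIRUS ALERT!" because the rogue has rewritten the user's time format string. The following is an added example, not part of HijackThis or of this post: a small Python triage script that applies those observations as heuristics to HijackThis log lines. The sample lines are a subset copied from the log above (the O3 and O4 lines are benign controls), the rules are assumptions derived from this one infection rather than signatures, and the severity labels are the example's own.

```python
"""Triage a HijackThis 2.0 log for the entries a rogue-AV infection leaves behind.

Added example for this thread; not part of HijackThis or of any tool mentioned
here. The rules are heuristics derived from the entries ComboFix later removed
on this machine; they need review before being applied elsewhere.
"""
import ntpath
import re
from dataclasses import dataclass

# Subset of the log posted above, kept verbatim; the O3/O4 lines are benign
# controls so the rules can be seen leaving legitimate entries alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: QXK Olive - {2D5C76A5-703E-454A-9143-4C5353CA43F5} - C:\WINDOWS\ksendlbtlgs.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL
O21 - SSODL: xvorfwbd - {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
WINDOWS_ROOT = r"C:\WINDOWS"  # assumption: default XP install path


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" or "review" (labels chosen for this example)
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Letters-only name of 7+ chars with few vowels, e.g. ksendlbtlgs or xvorfwbd."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in s)
    return vowels / len(s) < 0.3


def check_dll_entry(section: str, body: str, line: str) -> list[Finding]:
    """O2 (BHO), O3 (toolbar) and O21 (SSODL) lines end with ' - <path to dll>'."""
    path = body.rsplit(" - ", 1)[-1].strip()
    stem = ntpath.splitext(ntpath.basename(path))[0]
    findings = []
    if ntpath.dirname(path).upper() == WINDOWS_ROOT:
        findings.append(Finding(section, "high",
            "DLL loaded from the Windows directory root rather than a product folder", line))
    if looks_random(stem):
        findings.append(Finding(section, "high",
            f"randomly generated file name '{stem}'", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run every rule over the log and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, header lines, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("O2", "O3", "O21"):
            findings.extend(check_dll_entry(section, body, line))
        elif section == "O24" and "file:///" in body.lower():
            findings.append(Finding(section, "high",
                "Active Desktop component served from a local HTML file (the warning wallpaper)", line))
        elif section == "O6":
            findings.append(Finding(section, "high",
                "Internet Explorer restriction policies are set for the current user", line))
        elif section == "O20":
            findings.append(Finding(section, "review",
                "AppInit_DLLs injects this DLL into every process that loads user32.dll", line))
        elif section == "R0" and body.endswith("= about:blank"):
            findings.append(Finding(section, "review",
                "start page reset to about:blank, common after a hijacker is removed by hand", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

The O20 and R0 hits are deliberately rated "review" rather than "high": AppInit_DLLs is also used by legitimate software (the DVD Ghost entry here), and an about:blank start page is usually what is left after someone has already edited the hijacked value by hand, as the poster did.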

Comments

  • rootkit

    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including your web browser, instant messenger, etc., and run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while it is running. While it is running your screen may disappear, but don't worry, that is normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here.

  • Hello thunderer,


    In addition to what crysty2k5 asked you, please also download SmitFraudFix. Save it to your desktop. Double-click on it, select 1 and press Enter to create a scan report. Normally you will find it at the root of your hard disk; in other words, click on Start, My Computer, and there you should find rapport.txt. Post the scan report in your next post.


    Kind regards,


    Niels

  • Hi Guys


    Here are the logs as requested


    COMBOFIX


    ComboFix 08-06-20.4 - Usual 2008-06-30 13:03:08.1 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1563 [GMT -7:00]


    Running from: C:\Documents and Settings\Usual\Desktop\BIT\Support\ComboFix.exe


    * Created a new restore point


    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\Usual\Application Data\inst.exe


    C:\WINDOWS\ksendlbtlgs.dll


    C:\WINDOWS\privacy_danger


    C:\WINDOWS\privacy_danger\images\capt.gif


    C:\WINDOWS\privacy_danger\images\danger.jpg


    C:\WINDOWS\privacy_danger\images\down.gif


    C:\WINDOWS\privacy_danger\images\spacer.gif


    C:\WINDOWS\privacy_danger\index.htm


    C:\WINDOWS\wpvmqosg.dll


    C:\WINDOWS\xvorfwbd.dll


    .


    ((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))


    .


    2008-06-29 17:20 . 2008-06-29 17:20 <DIR> d-------- C:\Program Files\Trend Micro


    2008-06-28 14:26 . 2008-06-28 14:27 250 --a------ C:\WINDOWS\gmer.ini


    2008-06-26 21:38 . 2008-06-26 21:38 <DIR> d-------- C:\Program Files\Panda Security


    2008-06-26 21:07 . 2008-06-26 21:08 <DIR> d-------- C:\Program Files\Common Files\PC Tools


    2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PC Tools


    2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools


    2008-06-26 21:07 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys


    2008-06-22 18:26 . 2008-06-26 20:58 <DIR> d-------- C:\Program Files\RogueRemover FREE


    2008-06-22 17:45 . 2008-06-22 17:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$


    2008-06-22 17:41 . 2008-06-22 17:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender


    2008-06-22 13:45 . 2008-06-22 13:45 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp


    2008-06-22 11:20 . 2008-06-22 11:20 <DIR> d-------- C:\Documents and Settings\Usual\RescuePRO


    2008-06-22 11:13 . 2008-06-22 17:13 <DIR> d-------- C:\Program Files\RescuePRO Deluxe


    2008-06-22 11:08 . 2008-06-22 04:04 81,920 --a------ C:\WINDOWS\neltabxw.exe


    2008-06-17 18:44 . 2008-06-17 19:10 <DIR> d-------- C:\Program Files\Photo Collage Creator


    2008-06-16 21:19 . 2008-06-16 21:19 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Thinstall


    2008-06-10 19:33 . 2008-06-10 19:33 <DIR> d-------- C:\temps


    2008-06-07 10:20 . 2008-06-07 10:20 51,712 --a------ C:\WINDOWS\wc98pp.dll


    2008-06-06 21:46 . 2008-06-06 21:46 <DIR> d-------- C:\Program Files\FireFly Studios


    2008-06-02 20:38 . 2008-06-02 20:46 <DIR> d-------- C:\Program Files\Backgammon Classic 4


    2008-06-02 20:32 . 2008-06-02 20:32 128 --ah----- C:\Documents and Settings\Usual\microsoft.dat


    2008-05-25 18:43 . 2008-05-25 18:43 <DIR> d-------- C:\Program Files\GSpot


    2008-05-25 18:30 . 2004-08-03 16:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll


    2008-05-25 18:28 . 2008-06-21 14:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


    2008-05-19 16:31 . 2008-05-19 16:31 <DIR> d-------- C:\Program Files\TrafficCounter


    2008-05-17 12:55 . 2008-06-18 19:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn


    2008-05-17 12:55 . 2008-05-17 12:55 1,409 --a------ C:\WINDOWS\QTFont.for


    2008-05-12 18:53 . 2008-05-12 18:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll


    2008-05-12 18:53 . 2008-05-12 18:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe


    2008-05-12 18:53 . 2008-05-12 18:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb


    2008-05-12 18:51 . 2008-05-12 18:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll


    2008-05-12 18:51 . 2008-05-12 18:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll


    2008-05-12 18:49 . 2008-05-12 18:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax


    2008-05-12 18:49 . 2008-05-12 18:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe


    2008-05-12 18:49 . 2008-05-12 18:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


    2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\BitDefender


    2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Bitdefender


    2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


    2008-05-11 16:33 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\Common Files\BitDefender


    2008-05-11 15:42 . 2008-05-11 15:42 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\ESET


    2008-05-08 20:28 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg


    2008-05-08 20:18 . 2008-05-11 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-06-28 03:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP


    2008-06-28 03:57 --------- d-----w C:\Program Files\Spyware Doctor


    2008-06-23 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet


    2008-06-07 04:46 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-05-26 01:47 --------- d-----w C:\Program Files\DivX


    2008-05-26 01:35 --------- d-----w C:\Program Files\ffdshow


    2008-05-26 01:30 --------- d-----w C:\Program Files\Windows Media Connect 2


    2008-05-25 02:58 --------- d-----w C:\Documents and Settings\Usual\Application Data\Vso


    2008-05-24 17:55 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll


    2008-05-19 22:57 --------- d-----w C:\Program Files\CommTraffic


    2007-08-12 02:29 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll


    2007-06-16 23:45 47,360 ----a-w C:\Documents and Settings\Usual\Application Data\pcouffin.sys


    2007-06-16 23:43 81,920 ----a-w C:\Documents and Settings\Usual\Application Data\ezpinst.exe


    2006-06-23 14:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-13 11:43 81920]


    "RTHDCPL"="RTHDCPL.EXE" [2007-03-20 23:49 16126464 C:\WINDOWS\RTHDCPL.exe]


    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]


    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-13 11:42 8425472]


    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 14:24 360448]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    "<NO NAME>"="" []


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 16:56 15360]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-22 19:30:37 692224]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]


    "xvorfwbd"= {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll [ ]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


    "AppInit_DLLs"=C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL


    "LoadAppInit_Dlls"=-1 (0xffffffff)


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


    "msvideo7"= STV680tg.dll


    "msacm.ac3filter"= ac3filter.acm


    "msacm.avis"= ff_acm.acm


    "vidc.xvid"= xvid.dll


    "msacm.mpegacm"= mpegacm.acm


    "msacm.ulmp3acm"= ulmp3acm.acm


    "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]


    @=""


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk


    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^Usual^Start Menu^Programs^Startup^Traffic Counter.lnk]


    path=C:\Documents and Settings\Usual\Start Menu\Programs\Startup\Traffic Counter.lnk


    backup=C:\WINDOWS\pss\Traffic Counter.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]


    --a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]


    --a------ 2008-02-24 20:12 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]


    --a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]


    --a------ 2007-10-09 15:46 61440 C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D_V_T]


    C:\\dvt.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]


    --a------ 2006-03-20 17:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]


    C:\WINDOWS\system32\dumprep 0 -k


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]


    --a------ 2006-05-18 11:29 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]


    --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


    --a------ 2007-03-13 11:42 8425472 C:\WINDOWS\system32\NvCpl.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


    --a------ 2007-03-13 11:43 1622016 C:\WINDOWS\system32\nwiz.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]


    --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]


    --------- 2005-12-07 22:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]


    C:\Program Files\Spyware Doctor\SDTrayApp.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]


    -ra------ 2007-06-08 15:18 23233576 C:\Program Files\Skype\Phone\Skype.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]


    --a------ 2008-01-23 16:47 847872 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]


    --a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]


    --a------ 2008-04-18 14:30 3628080 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\security center]


    "UpdatesDisableNotify"=dword:00000001


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=


    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=


    "E:\\Gamez\\Age of Empires III\\age3x.exe"=


    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=


    "E:\\Gamez\\Age of Empires III\\age3y.exe"=


    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=


    R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]


    R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]


    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-14 23:12]


    S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]


    bdx REG_MULTI_SZ scan


    *Newly Created Service* - 2F306EAD


    *Newly Created Service* - 40E4DE43


    *Newly Created Service* - CATCHME


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-06-13 23:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"


    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe


    .


    **************************************************************************


    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-06-30 13:05:52


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-06-30 13:07:21


    ComboFix-quarantined-files.txt 2008-06-30 20:06:51


    Pre-Run: 56,630,915,072 bytes free


    Post-Run: 56,664,055,808 bytes free


    200


    ________________________________________________________________________________


    _____________________________________________


    and the SmitFraudFix rapport


    SmitFraudFix v2.328


    Scan done at 13:09:38.34, Mon 06/30/2008


    Run from C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix


    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT


    The filesystem type is NTFS


    Fix run in normal mode


    »»»»»»»»»»»»»»»»»»»»»»»» Process


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\RTHDCPL.EXE


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\Program Files\Logitech\SetPoint\SetPoint.exe


    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\CyberLink\Shared files\RichVideo.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\NOTEPAD.EXE


    C:\WINDOWS\system32\notepad.exe


    C:\WINDOWS\explorer.exe


    C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix\Policies.exe


    C:\WINDOWS\system32\cmd.exe


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    hosts file corrupted !


    127.0.0.1 hk.digitaltrends.com


    127.0.0.1 microsoft.com.org


    127.0.0.1 www.www.microsoft.com.org


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    C:\WINDOWS\neltabxw.exe FOUND !


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Usual\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]


    "Source"="About:Home"


    "SubscribedURL"="About:Home"


    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix


    !!!Attention, following keys are not inevitably infected!!!


    IEDFix


    Credits: Malware Analysis & Diagnostic


    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix


    !!!Attention, following keys are not inevitably infected!!!


    VACFix


    Credits: Malware Analysis & Diagnostic


    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix


    !!!Attention, following keys are not inevitably infected!!!


    404Fix


    Credits: Malware Analysis & Diagnostic


    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler


    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri


    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs


    !!!Attention, following keys are not inevitably infected!!!


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


    "AppInit_DLLs"="C:\\PROGRA~1\\DVDXST~1\\DVDXUT~1.6\\DVDGhost\\DVDGHO~1.DLL"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon


    !!!Attention, following keys are not inevitably infected!!!


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock


    »»»»»»»»»»»»»»»»»»»»»»»» DNS


    Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport


    DNS Server Search Order: 192.168.2.1


    DNS Server Search Order: 192.168.2.1


    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1


    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1


    HKLM\SYSTEM\CS2\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1


    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End


    It looks better. No IE hijack, I have my partitions back... I'll run a BitDefender 2008 deep scan and let you know if anything new or old is still there.


    THANKS TO BOTH OF YOU! (I'm not screaming, just happier...)


    Mircea
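SmitFraudFix's "hosts file corrupted !" verdict above rests on three extra lines: one real domain and two look-alikes (microsoft.com.org is a name under .org, not a Microsoft host) all pinned to 127.0.0.1. An added example, not SmitFraudFix's own check and not code from this thread: a Python audit of a Windows hosts file that separates the default entries from additions, rates vendor-domain pins, brand look-alikes and non-loopback redirects as high, keeps plain loopback blocks (which ad-block lists also add) as informational, and writes a cleaned copy. The hosts text is constructed for the example from the three reported lines plus the default header, and the vendor domain list is an illustrative assumption.

```python
"""Audit a Windows hosts file for the tampering SmitFraudFix reported above.

Added example for this thread; not SmitFraudFix's code. The sample file is
constructed from the three lines in the report plus the default XP header, and
VENDOR_DOMAINS is an illustrative list, not an authoritative one.
"""
import ipaddress
from dataclasses import dataclass

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains a hosts file has no business mentioning: pinning them blocks updates
# or the vendor's site, and embedding them in another name is a look-alike.
VENDOR_DOMAINS = ("microsoft.com", "windowsupdate.com", "bitdefender.com",
                  "trendmicro.com", "malwarebytes.org", "superantispyware.com")


@dataclass(frozen=True)
class HostsFinding:
    severity: str  # "high" or "info"
    ip: str
    name: str
    reason: str


def line_mappings(line: str):
    """Return (ip, [names]) for a hosts line, or None for comment/blank/malformed."""
    code = line.split("#", 1)[0].strip()
    if not code:
        return None
    ip, *names = code.split()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None  # not a mapping; the resolver ignores such lines as well
    return ip, [n.lower() for n in names]


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, one per name on multi-name lines."""
    for raw in text.splitlines():
        mapping = line_mappings(raw)
        if mapping:
            ip, names = mapping
            for name in names:
                yield ip, name


def classify(ip: str, name: str):
    """Return a HostsFinding, or None for an entry that belongs to the default file."""
    if (ip, name) in DEFAULT_ENTRIES:
        return None
    for brand in VENDOR_DOMAINS:
        if name == brand or name.endswith("." + brand):
            return HostsFinding("high", ip, name,
                f"{brand} pinned in hosts; the vendor's site or updates cannot be reached")
        if brand in name:
            return HostsFinding("high", ip, name,
                f"look-alike of {brand}; the real suffix is .{name.rsplit('.', 1)[-1]}")
    if not ipaddress.ip_address(ip).is_loopback:
        return HostsFinding("high", ip, name, "redirected to a non-loopback address")
    return HostsFinding("info", ip, name,
                        "extra loopback block (may be a legitimate ad-block entry)")


def audit(text: str) -> list:
    return [f for ip, name in parse_hosts(text) if (f := classify(ip, name))]


def clean(text: str) -> str:
    """Rewrite the file keeping comments, blank lines and every non-high mapping."""
    kept = []
    for raw in text.splitlines():
        mapping = line_mappings(raw)
        if mapping and any((f := classify(mapping[0], n)) is not None and f.severity == "high"
                           for n in mapping[1]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"[{f.severity:4}] {f.ip:>15} {f.name}: {f.reason}")
    print(clean(SAMPLE_HOSTS))
```

On the real file (C:\WINDOWS\system32\drivers\etc\hosts) remember that the rogue also sets the hidden attribute on its droppings and that Explorer hides protected files by default, so open the path directly in Notepad rather than browsing for it, and check the file again after the resident component is gone, since a running dropper can rewrite it.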

  • rootkit
    edited July 2008

    Enable Regedit: http://www.dougknox.com/security/scripts_desc/regtools.htm


    Enable Task Manager: http://windowsxp.mvps.org/reg/EnableTM.reg


    After this, run a full scan with SUPERAntispyware and Malwarebytes' Anti-Malware.


    Try not to use IE (for security reasons)


    Use Firefox/Opera ;)
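The "disabled by your administrator" messages in the first post are user policy values, and the two linked .reg scripts simply reset them. As an added example, not one of those scripts and not code from this thread, here is a Python decoder that reads a REGEDIT4/5 export of the Policies key (what `regedit /e` produces, and the same format ComboFix prints in its "Reg Loading Points" section) and reports which of the well-known restriction values are set, decodes the NoDrives bitmask that hides drives in My Computer, and writes the .reg text that clears them. The export below is constructed for the example, not taken from the poster's machine; the value names DisableRegistryTools, DisableTaskMgr, NoDispCPL and NoDrives are standard Windows policy values, while the explanation strings are the example's own. One caveat the first post already illustrates ("even if I check fix-it it will come back"): clearing these values only sticks once the resident component that sets them has been removed.

```python
"""Decode the user-policy lockdown behind 'disabled by your administrator'.

Added example for this thread; not one of the linked .reg scripts. Input is a
REGEDIT4/5 export of HKCU (or HKLM) ...\Policies, e.g.
  regedit /e policies.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
The export below is constructed for the example.
"""
import re

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"NoDispCPL"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000004
"NoFolderOptions"=dword:00000000
"""

# value name -> (Policies subkey, what the user sees when it is non-zero)
RESTRICTIONS = {
    "DisableRegistryTools": ("System", "regedit refuses to start"),
    "DisableTaskMgr": ("System", "Task Manager refuses to start"),
    "NoDispCPL": ("System", "Display Properties is blocked"),
    "NoDrives": ("Explorer", "drives hidden in My Computer (still reachable by typing the path)"),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_dwords(export: str) -> dict[str, dict[str, int]]:
    """Map each key path to its DWORD values; other value types are ignored."""
    values: dict[str, dict[str, int]] = {}
    key = None
    for raw in export.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
            values.setdefault(key, {})
        elif key and (m := DWORD_RE.match(line)):
            values[key][m.group("name")] = int(m.group("hex"), 16)
    return values


def hidden_drives(mask: int) -> list[str]:
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 B:, bit 2 C:, and so on."""
    return [chr(ord("A") + i) + ":" for i in range(26) if mask & (1 << i)]


def active_restrictions(export: str) -> list[tuple[str, str, str]]:
    """Return (key path, value name, explanation) for each restriction switched on.

    Matching on the '\\Policies\\<subkey>' suffix lets the same code handle an
    HKLM export, where the same values apply to every user on the machine.
    """
    found = []
    for key, vals in parse_dwords(export).items():
        for name, (subkey, effect) in RESTRICTIONS.items():
            if not key.upper().endswith(f"\\POLICIES\\{subkey}".upper()):
                continue
            data = vals.get(name, 0)
            if data == 0:
                continue
            if name == "NoDrives":
                effect = f"{effect}: {', '.join(hidden_drives(data))}"
            found.append((key, name, effect))
    return found


def undo_reg(export: str) -> str:
    """Build a .reg file that sets every active restriction back to 0.

    Writing 0 rather than deleting the value keeps the fix idempotent and easy
    to read back; log off and on again for Explorer to pick up the change.
    """
    by_key: dict[str, list[str]] = {}
    for key, name, _ in active_restrictions(export):
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=dword:00000000' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for key, name, effect in active_restrictions(SAMPLE_EXPORT):
        print(f"{name:22} {effect}\n    in {key}")
    print(undo_reg(SAMPLE_EXPORT))
```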

  • thunderer
    edited July 2008
    Enable Regedit: http://www.dougknox.com/security/scripts_desc/regtools.htm


    Enable Task Manager: http://windowsxp.mvps.org/reg/EnableTM.reg


    After this, run a full scan with SUPERAntispyware and Malwarebytes' Anti-Malware.


    Try not to use IE (for security reasons)


    Use Firefox/Opera ;)


    Here is the result of the AV scan


    Overall scan summary

    Scanned items : 626744


    Infected items : 0


    Suspicious items : 0


    Resolved items : 0


    Individual viruses found : 0


    Scanned directories : 14035


    Scanned boot sectors : 6


    Scanned archives : 27243


    Input-output errors : 25


    Scan time : 00:01:31:37


    Files per second : 113


    Regedit, taskmgr and msconfig are OK. The desktop is not hijacked anymore. I saw that ComboFix removed some DLLs. Usually, if I "smell" something strange in the taskmgr, I Google the process name and shut it down ASAP. But it is not always so obvious.


    I'll try the SUPERAntispyware and Malwarebytes' Anti-Malware.


    I've been an FF fan for some time, but my wife uses IE :rolleyes:. And if the AV pops up with a question about some registry entry or running process, she's completely lost...


    Mircea

  • Hello thunderer,


    I also see an entry for Panda; I assume that you tried their online scanner. If so, that couldn't cause any conflicts.


    I could still find some leftovers in the ComboFix report:


    C:\WINDOWS\system32\ieupdates.exe.tmp


    C:\WINDOWS\wc98pp.dll


    But first post the scan reports from SUPERAntiSpyware and Malwarebytes' Anti-Malware.


    Please reboot your PC into Safe Mode. To do that, press the F8 key several times before the Windows splash screen, select Safe Mode and press Enter. Log in with the account where you saved SmitFraudFix. Select option 2 (Clean) by typing 2 and pressing Enter. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; type y and press Enter.


    One warning: if you have set a wallpaper, it could be reset by SmitFraudFix, but you can set the wallpaper again afterwards.


    Please post the new rapport.txt in your next reply.


    Kind regards,


    Niels

  • Hi Niels,


    Yes, I ran the online scanner from Panda. It found nothing and proposed that I switch to Panda products :wacko:


    A few things were found by scanning with SUPERAntiSpyware and Malwarebytes' Anti-Malware, most of them tracking stuff...


    As requested, please see the attached rapport (it was way too long to post as text).


    Thanks for taking the time to look over it.


    Mircea


    PS: sorry for my late answer; it was Canada Day yesterday so I was out in the country, plus today I started work so I have less free time.


    Attachment: rapport02008_07_02.txt

  • Hello thunderer,


    Can you please archive the following files


    ieupdates.exe.tmp


    wc98pp.dll


    To do so, see this topic.


    You need to make a new topic in this forum section. How to upload attachments is the same.


    Click on Start, My Computer and open the QooBox folder, then Quarantine, open the windows folder and also archive


    inst.exe and the rest of the found files that are renamed to .vir. You need to remove the .vir extension, then archive them. Also upload it to a topic.


    Also post the scan results from SUPERAntiSpyware and Malwarebytes' Anti-Malware.


    Kind regards,


    Niels

  • Hello thunderer,


    Can you please post a new HijackThis and ComboFix log file?


    Kind regards,


    Niels

  • Hello thunderer,


    I can't find anything suspicious anymore. Do you still have problems?


    I recommend that you update BitDefender and perform a deep scan.


    Kind regards,


    Niels

  • Hello thunderer,


    I can't find anything suspicious anymore. Do you still have problems?


    I recommend that you update BitDefender and perform a deep scan.


    Kind regards,


    Niels


    It looks fine to me also. No further problems. BitDefender is updated (or looks for updates) a few times a day, as the PC is on.


    Thanks for the help.


    Mircea