Please Advise - Everything Started With Xp Antivirus 2008
Hi guys,
This is my log, and the symptoms are as follows:
1. the red biohazard screen with the "Your privacy is in danger" message; this might be associated with O24 (down below), and even if I check it and click Fix, it comes back;
2. IE hijacked;
3. taskmgr, regedit and screen properties "disabled by the administrator"
4. system partition not visible in My computer (though, if I type in windows explorer c:\, it works!)
5. DVD disappeared
I'm running XP SP2, installed around 1 year ago. I'm "protected" by Bitdefender AV 2008 (installed 2 months ago), and the trouble started when XP Antivirus 2008 (a 4-month-old virus) appeared on my PC without being detected by my AV 2-3 days ago.
On the first day, I was able to manually edit the registry and get rid (also manually) of XPA.exe. But the stuff that came with it is still resident.
Thanks for any help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33: VIRUS ALERT!, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Temp\WdfTemp\Microsoft Kernel-Mode Driver Framework Install-v1.5-WinXP.exe
e:\34bfa5dfdcf2e9bc829166e90a\update\update.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: QXK Olive - {2D5C76A5-703E-454A-9143-4C5353CA43F5} - C:\WINDOWS\ksendlbtlgs.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL
O21 - SSODL: xvorfwbd - {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 8713 bytes
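As an added example (not from the original post and not part of Trend Micro's HijackThis), here is a small Python triage script that flags the entry patterns this log shows: BHO and SSODL modules loaded straight from the Windows directory under random-looking names, an Active Desktop component pointing at a local HTML file, and IE restriction policies. The heuristics and the sample lines below are constructed from the log above.

```python
"""Triage helper for HijackThis v2 log lines.

Added example, not code from the original post or from HijackThis itself.
The heuristics are constructed from the entries the thread turned out to
be rogue-AV leftovers: O2/O21 DLLs dropped directly into C:\\WINDOWS with
random names, an O24 Active Desktop component backed by a local .htm, and
an O6 entry showing IE restriction policies."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few entries copied from the posted log, mixed with
# benign ones (Realtek tray, BitDefender toolbar, NVIDIA service).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: QXK Olive - {2D5C76A5-703E-454A-9143-4C5353CA43F5} - C:\WINDOWS\ksendlbtlgs.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O21 - SSODL: xvorfwbd - {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# "O2 - <body>" / "R0 - <body>" entry shape.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
# A .dll/.exe sitting directly in the Windows root, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# Entry types whose last field is a module path that IE/Explorer will load.
MODULE_ENTRIES = {"O2", "O3", "O20", "O21"}


@dataclass
class Finding:
    entry_type: str
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic: generated names like 'ksendlbtlgs' are consonant-heavy."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def triage(log_text: str) -> List[Finding]:
    """Return the entries that deserve a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        etype, body = m.group("type"), m.group("body")
        # The module path or URL is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1].strip()
        if etype in MODULE_ENTRIES and WINDIR_ROOT_RE.match(target):
            stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            why = "module loaded from the Windows root directory"
            if looks_random(stem):
                why += "; filename looks randomly generated"
            findings.append(Finding(etype, why, raw))
        elif etype == "O24" and target.lower().startswith("file:///"):
            findings.append(Finding(etype, "Active Desktop component points at a local HTML file", raw))
        elif etype == "O6":
            findings.append(Finding(etype, "IE restriction policies present", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry_type}] {f.reason}\n    {f.line}")
```

Entries the script does not flag (O4 run keys, O23 services) still need the usual manual review; the heuristics only cover the patterns seen in this log.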
Comments
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then close all running programs, including your web browser, instant messenger, etc., and run ComboFix.
It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while it is running. While doing this your screen may disappear, but don't worry, it's normal behaviour.
At the end ComboFix will generate a log file. Save it and post it here.
Hello thunderer,
In addition to what crysty2k5 asked you, please also download SmitFraudFix. Save it to your desktop. Double-click on it, select 1 and press Enter to create a scan report. Normally you will find it at the root of your hard disk; in other words, click on Start, My Computer, and there you should find rapport. Post the scan report in your next post.
Kind regards,
Niels
Hi Guys
Here are the logs as requested
COMBOFIX
ComboFix 08-06-20.4 - Usual 2008-06-30 13:03:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1563 [GMT -7:00]
Running from: C:\Documents and Settings\Usual\Desktop\BIT\Support\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Usual\Application Data\inst.exe
C:\WINDOWS\ksendlbtlgs.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\wpvmqosg.dll
C:\WINDOWS\xvorfwbd.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.
2008-06-29 17:20 . 2008-06-29 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 14:26 . 2008-06-28 14:27 250 --a------ C:\WINDOWS\gmer.ini
2008-06-26 21:38 . 2008-06-26 21:38 <DIR> d-------- C:\Program Files\Panda Security
2008-06-26 21:07 . 2008-06-26 21:08 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PC Tools
2008-06-26 21:07 . 2008-06-26 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-26 21:07 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-22 18:26 . 2008-06-26 20:58 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-06-22 17:45 . 2008-06-22 17:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-22 17:41 . 2008-06-22 17:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
2008-06-22 13:45 . 2008-06-22 13:45 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp
2008-06-22 11:20 . 2008-06-22 11:20 <DIR> d-------- C:\Documents and Settings\Usual\RescuePRO
2008-06-22 11:13 . 2008-06-22 17:13 <DIR> d-------- C:\Program Files\RescuePRO Deluxe
2008-06-22 11:08 . 2008-06-22 04:04 81,920 --a------ C:\WINDOWS\neltabxw.exe
2008-06-17 18:44 . 2008-06-17 19:10 <DIR> d-------- C:\Program Files\Photo Collage Creator
2008-06-16 21:19 . 2008-06-16 21:19 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Thinstall
2008-06-10 19:33 . 2008-06-10 19:33 <DIR> d-------- C:\temps
2008-06-07 10:20 . 2008-06-07 10:20 51,712 --a------ C:\WINDOWS\wc98pp.dll
2008-06-06 21:46 . 2008-06-06 21:46 <DIR> d-------- C:\Program Files\FireFly Studios
2008-06-02 20:38 . 2008-06-02 20:46 <DIR> d-------- C:\Program Files\Backgammon Classic 4
2008-06-02 20:32 . 2008-06-02 20:32 128 --ah----- C:\Documents and Settings\Usual\microsoft.dat
2008-05-25 18:43 . 2008-05-25 18:43 <DIR> d-------- C:\Program Files\GSpot
2008-05-25 18:30 . 2004-08-03 16:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-25 18:28 . 2008-06-21 14:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-19 16:31 . 2008-05-19 16:31 <DIR> d-------- C:\Program Files\TrafficCounter
2008-05-17 12:55 . 2008-06-18 19:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 12:55 . 2008-05-17 12:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 18:53 . 2008-05-12 18:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 18:53 . 2008-05-12 18:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 18:53 . 2008-05-12 18:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 18:51 . 2008-05-12 18:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 18:51 . 2008-05-12 18:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 18:49 . 2008-05-12 18:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-12 18:49 . 2008-05-12 18:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 18:49 . 2008-05-12 18:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\BitDefender
2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\Bitdefender
2008-05-11 16:34 . 2008-05-11 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-05-11 16:33 . 2008-05-11 16:34 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-11 15:42 . 2008-05-11 15:42 <DIR> d-------- C:\Documents and Settings\Usual\Application Data\ESET
2008-05-08 20:28 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-08 20:18 . 2008-05-11 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 03:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 03:57 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-23 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-07 04:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 01:47 --------- d-----w C:\Program Files\DivX
2008-05-26 01:35 --------- d-----w C:\Program Files\ffdshow
2008-05-26 01:30 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-25 02:58 --------- d-----w C:\Documents and Settings\Usual\Application Data\Vso
2008-05-24 17:55 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-05-19 22:57 --------- d-----w C:\Program Files\CommTraffic
2007-08-12 02:29 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
2007-06-16 23:45 47,360 ----a-w C:\Documents and Settings\Usual\Application Data\pcouffin.sys
2007-06-16 23:43 81,920 ----a-w C:\Documents and Settings\Usual\Application Data\ezpinst.exe
2006-06-23 14:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-13 11:43 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-20 23:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-13 11:42 8425472]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 14:24 360448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 16:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-22 19:30:37 692224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"= {60026B58-C9EA-40F4-A780-746CB50601CB} - C:\WINDOWS\xvorfwbd.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\DVDXST~1\DVDXUT~1.6\DVDGhost\DVDGHO~1.DLL
"LoadAppInit_Dlls"=-1 (0xffffffff)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm
"vidc.xvid"= xvid.dll
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Usual^Start Menu^Programs^Startup^Traffic Counter.lnk]
path=C:\Documents and Settings\Usual\Start Menu\Programs\Startup\Traffic Counter.lnk
backup=C:\WINDOWS\pss\Traffic Counter.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-02-24 20:12 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
C:\Program Files\Softwin\BitDefender10\bdagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]
--a------ 2007-10-09 15:46 61440 C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D_V_T]
C:\\dvt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-05-18 11:29 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-13 11:42 8425472 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-13 11:43 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-06-08 15:18 23233576 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 16:47 847872 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-18 14:30 3628080 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\Gamez\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"E:\\Gamez\\Age of Empires III\\age3y.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-14 23:12]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
*Newly Created Service* - 2F306EAD
*Newly Created Service* - 40E4DE43
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 23:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 13:05:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-30 13:07:21
ComboFix-quarantined-files.txt 2008-06-30 20:06:51
Pre-Run: 56,630,915,072 bytes free
Post-Run: 56,664,055,808 bytes free
200
________________________________________________________________________________
_____________________________________________
and the SmitFraudFix rapport
SmitFraudFix v2.328
Scan done at 13:09:38.34, Mon 06/30/2008
Run from C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Usual\Desktop\BIT\Support\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\neltabxw.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Usual\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Usual\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\DVDXST~1\\DVDXUT~1.6\\DVDGhost\\DVDGHO~1.DLL"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D3491B1F-7830-4037-B5F9-67E4E1F1FE4F}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
It looks better. No IE hijack, I have my partitions back... I'll run a Bitdefender 2008 Deep Scan and let you know if something new or old is still there.
THANKS TO BOTH OF YOU! (I'm not screaming, just happier...)
Mircea
Enable Regedit: http://www.dougknox.com/security/scripts_desc/regtools.htm
Enable Task Manager: http://windowsxp.mvps.org/reg/EnableTM.reg
After this, run a full scan with SUPERAntispyware and Malwarebytes' Anti-Malware.
Try not to use IE (for security reasons)
Use Firefox/Opera
Enable Regedit: http://www.dougknox.com/security/scripts_desc/regtools.htm
Enable Task Manager: http://windowsxp.mvps.org/reg/EnableTM.reg
After this, run a full scan with SUPERAntispyware and Malwarebytes' Anti-Malware.
Try not to use IE (for security reasons)
Use Firefox/Opera
Here is the result of the AV scan
Overall scan summary
Scanned items : 626744
Infected items : 0
Suspicious items : 0
Resolved items : 0
Individual viruses found : 0
Scanned directories : 14035
Scanned boot sectors : 6
Scanned archives : 27243
Input-output errors : 25
Scan time : 00:01:31:37
Files per second : 113
Regedit & taskmgr & msconfig are OK. The desktop is not hijacked anymore. I saw that ComboFix removed some DLLs. Usually, if I "smell" something strange in the taskmgr, I google the process name and shut it down ASAP. But it is not always so obvious.
I'll try SUPERAntispyware and Malwarebytes' Anti-Malware.
I've been a FF fan for some time, but my wife is using IE. And if the AV pops up with some question about some registry entry or running process, she's completely lost...
Mircea
Hello thunderer,
I also see an entry for Panda; I assume that you tried their online scanner. If so, that couldn't cause any conflicts.
I could still find some leftovers in the ComboFix report:
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\wc98pp.dll
But first post a scan report of SUPERAntispyware and Malwarebytes' Anti-Malware.
Please reboot your PC into Safe Mode. To do that, press the F8 key several times before the Windows splash screen, select Safe Mode and press Enter. Log in with the account where you have saved SmitFraudFix. Select option 2 (clean) by typing 2 and pressing Enter. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; type y and press Enter.
One warning: if you have set a wallpaper, it could be reset by SmitFraudFix, but you can set the wallpaper again afterwards.
Please post the new rapport.txt in your next reply.
Kind regards,
Niels
...
Hi Niels,
Yes, I've run the online scanner from Panda. It found nothing and proposed that I switch to Panda products.
A few things were found by scanning with SUPERAntispyware and Malwarebytes' Anti-Malware, most of them tracking stuff...
As requested, please see attached the rapport (it was way too long to post it in text).
Thanks for taking the time to look over it.
Mircea
PS: sorry for my late answer, it was Canada Day yesterday so I was out in the country, plus today I started work so I have less free time.
Hello thunderer,
Can you please archive the following files:
ieupdates.exe.tmp
wc98pp.dll
To do so, see this topic.
You need to make a new topic in this forum section. How to upload attachments is the same.
Click on Start, My Computer, open the QooBox folder, then Quarantine, open the Windows folder and also archive inst.exe and the rest of the found files that were renamed to .vir. You need to remove the .vir extension, then archive them. Also upload it to a topic.
Post also the scan results of SUPERAntispyware and Malwarebytes' Anti-Malware.
Kind regards,
Niels
Post also the scan result off superantispyware and malwarebytes anti-malware.
....
As requested, the scan results.
I'll upload the other files in the forum section indicated.
Thanks,
Mircea
Hello thunderer,
Can you please post a new HijackThis and ComboFix logfile?
Kind regards,
Niels
Hello thunderer,
I can't find anything suspicious anymore. Do you still have problems?
I recommend that you update BitDefender and perform a deep scan.
Kind regards,
Niels
Hello thunderer,
I can't find anything suspicious anymore. Do you still have problems?
I recommend that you update BitDefender and perform a deep scan.
Kind regards,
Niels
It looks fine for me also. No further problems. BitDefender is updated (or looks for updates) a few times a day, as the PC is on.
Thanks for the help.
Mircea