Generic.malware Cannot Be Deleted

limweineng
edited October 2008 in Logs analysis

Hi, I think my computer has been infected with malware that cannot be deleted, as "no action was possible".

I have been receiving pop-ups too telling me to download Internet Security 2009, but I cancelled them ^^

The infected files are C:\WINDOWS\service.exe (memory dump) and C:\WINDOWS\service.exe (full dump). However, I can't seem to find it.

I have uploaded my scan log after a deep system scan.

Thanks!

Attachment: 1224405875_1_02.xml

Comments

  • I've also used HijackThis to do a system scan and below is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:02:30 PM, on 10/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\service.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Messenger Service] service.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BlueSoleil.lnk = ?
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217665387281
    O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://mjc7.asknlearn.com/databank/ims/{30...s/acuviewer.cab
    O20 - AppInit_DLLs: gpkuqx.dll
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 7111 bytes

  • rootkit
    rootkit ✭✭✭
    edited October 2008

    Unplug your network cable.

    Disable BitDefender's shield.

    Check and press Fix checked in HijackThis for:

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - AppInit_DLLs: gpkuqx.dll

    Download: http://subs.geekstogo.com/ComboFix.exe and save it on your Desktop.

    Open Notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\service.exe

    Save this as:

    CFScript.txt

    Drag CFScript.txt into ComboFix.exe

    (image: CFScript.gif)

    Plug in your network cable. Activate BitDefender's shield.

    Then post the resultant log here.

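Added example, not from the thread, from BitDefender or from the HijackThis project: a small Python triage script that applies to HijackThis lines the same checks rootkit made by hand above, flagging the AppInit_DLLs entry, the DisableRegedit policy, and C:\WINDOWS\service.exe (registered as "Messenger Service") as a look-alike of the legitimate services.exe. The table of system binaries, the one-edit look-alike test and the few-vowels name heuristic are assumptions of the example; the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log for the indicators discussed in this thread (added example)."""
import re
# Commonly imitated system binaries and the directory each legitimately lives in
# (assumed illustrative table; paths are compared lower-case).
SYSTEM_BINARIES = {
    "services.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "ctfmon.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}
# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\service.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Messenger Service] service.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: gpkuqx.dll
"""

def within_one_edit(a, b):
    """True if a becomes b with at most one insert, delete or substitution."""
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # skip a char of the longer string, or of
        j += len(b) >= len(a)  # both when lengths match (substitution)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def looks_random(filename):
    """Crude check for machine-generated names such as gpkuqx.dll: few vowels."""
    letters = [c for c in filename.lower().rsplit(".", 1)[0] if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.25

def command_exe(command):
    """Return the executable part of an O4 Run command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""

def check_binary(path, line):
    """Flag a system-binary name outside its home directory, or a look-alike name."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES:
        ok = path.lower().startswith(SYSTEM_BINARIES[name])
        return None if ok else (line, f"{name} not under its expected directory")
    for sysname in SYSTEM_BINARIES:
        if within_one_edit(name, sysname):
            return (line, f"{name} is a look-alike of {sysname}")
    return None

def triage(log_text):
    """Return (line, reason) pairs for the suspicious lines of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line, found = raw.strip(), None
        if (o4 := re.match(r"^O4 - .*?: \[.*?\] (.*)$", line)):
            found = check_binary(command_exe(o4.group(1)), line)
        elif line.startswith("O7 - "):
            found = (line, "policy restriction, typically set by malware to hinder cleanup")
        elif (o20 := re.match(r"^O20 - AppInit_DLLs: (.+)$", line)):
            reason = "AppInit_DLLs injects this DLL into every process that loads user32.dll"
            if looks_random(o20.group(1)):
                reason += "; name looks machine-generated"
            found = (line, reason)
        elif re.match(r"^[A-Za-z]:\\", line):
            found = check_binary(line, line)
        if found:
            findings.append(found)
    return findings
```

Running `triage(SAMPLE_LOG)` yields four findings: the running C:\WINDOWS\service.exe, its Run entry, the O7 policy and the O20 DLL, while the BitDefender, ctfmon.exe and Explorer lines pass.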
  • ok thanks!!! I'll try now.

  • This is ComboFix's log report:

    ComboFix 08-10-18.03 - Owner 2008-10-19 23:00:34.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1554 [GMT 8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\service.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\admintxt.txt
    C:\WINDOWS\service.exe
    C:\WINDOWS\system32\bcihvsia.ini
    C:\WINDOWS\system32\ejqubxit.exe
    C:\WINDOWS\system32\gefbmkxt.ini
    C:\WINDOWS\system32\gwlqudbw.exe
    C:\WINDOWS\system32\ievdritg.ini
    C:\WINDOWS\system32\jbgdhure.exe
    C:\WINDOWS\system32\jelauffv.ini
    C:\WINDOWS\system32\yJQrAyxx.ini
    C:\WINDOWS\system32\yJQrAyxx.ini2
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
    .

    2008-10-19 17:01 . 2008-10-19 17:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-19 15:30 . 2008-10-19 15:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-10-19 15:30 . 2008-10-19 15:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-10-19 15:30 . 2008-10-19 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-19 09:51 . 2008-10-19 09:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
    2008-10-19 09:51 . 2008-10-19 09:51 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-17 20:51 . 2008-10-17 20:51 49,714 --a------ C:\Documents and Settings\Owner\javamon.exe
    2008-10-15 23:09 . 2008-10-15 23:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
    2008-10-15 22:34 . 2008-08-14 18:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-15 22:34 . 2008-08-14 18:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-15 22:34 . 2008-08-14 17:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-15 22:34 . 2008-08-14 17:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-05 00:33 . 2008-10-05 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
    2008-10-05 00:31 . 2008-10-05 00:31 <DIR> d-------- C:\Program Files\IVT Corporation
    2008-10-05 00:26 . 2004-09-21 18:18 148,830 --a------ C:\WINDOWS\system32\drivers\bcbthub.sys
    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    2008-10-19 15:02 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-10-04 16:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-16 10:38 --------- d-----w C:\Program Files\Tudou
    2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-13 16:32 --------- d-----w C:\Program Files\LittleFighter2
    2008-09-09 23:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-31 04:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
    2008-08-31 04:35 --------- d-----w C:\Program Files\DNA
    2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2008-08-03 04:34 45,056 ----a-w C:\WINDOWS\system32\sstunst3.exe
    2008-08-02 06:12 315,392 ----a-w C:\WINDOWS\HideWin.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-27 97357]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-19 49152]
    "snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2004-07-30 286720]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-03 185896]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-07 C:\WINDOWS\RTHDCPL.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-10-05 1183744]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=gpkuqx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-02 86792]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .

    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Messenger Service - service.exe

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-19 23:03:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

    ------------------------ Other Running Processes ------------------------
    .

    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\system32\rundll32.exe
    .

    **************************************************************************
    .

    Completion time: 2008-10-19 23:05:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-19 15:05:25

    Pre-Run: 180,273,115,136 bytes free
    Post-Run: 183,337,361,408 bytes free

    140

    This is the HijackThis log report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:46 PM, on 10/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: BlueSoleil.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217665387281
    O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://mjc7.asknlearn.com/databank/ims/{30...s/acuviewer.cab
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 7148 bytes

  • rootkit
    rootkit ✭✭✭
    edited October 2008

    Please put the folder(s) in an archive, protected with the password infected.

    Attach the archive in your next post here. (If it's too big, upload it on www.rapidshare.com and leave the download link here.)

    C:\Qoobox

    To other users: DO NOT DOWNLOAD THE ARCHIVE !

    IT HAS MALWARE INSIDE !

    Use your license and upgrade to BitDefender 2009 :)

  • This is the folder.

    A lot of thanks to you!! :lol:

    By the way, has the malware been cleared?? And after this, can I delete ComboFix?

    Attachment: MALWARE_.rar

  • rootkit
    rootkit ✭✭✭
    edited October 2008

    Yes, delete ComboFix and the folder C:\Qoobox :)


    Thank you for the samples :)

  • oh ok !!!! THANK YOU VERY MUCH!!!! :rolleyes: :rolleyes:

  • rootkit
    rootkit ✭✭✭

    Ok :)