
Infected With Trojan.avkillers And Win32/wigon

Very persistent wigon trojan. If I boot up without internet connectivity it won't appear. As soon as I plug in the network cable I see in tcpview winlogon.exe spawning a single www connection, and upon that smtp connections from svchost.exe to multiple remote mail servers.


SDFix: Version 1.188
Run by Diaman on 06/06/2008 at 00:06

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\utils\sdfix\SDFix

Checking Services :

Name :
msupdate

Path :
f:\windows\system32\mssrv32.exe

msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

F:\WINDOWS\system32\WinCtrl32.dl_ - Deleted
F:\WINDOWS\xbqmfsed.exe - Deleted


Could Not Remove F:\WINDOWS\system32\mssrv32.exe
Could Not Remove F:\WINDOWS\system32\WinCtrl32.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 00:11:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

F:\WINDOWS\system32\svchost.exe [1412] 0x88246DA0

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"f:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"f:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services :

msupdate



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="F:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

F:\WINDOWS\system32\mssrv32.exe Found
F:\WINDOWS\system32\WinCtrl32.dll Found

File Backups: - F:\utils\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- F:\PROGRA~1\SPYBOT~1\SDUPDATE.EXE
Mon 28 Jan 2008 5,146,448 A.SHR --- F:\PROGRA~1\SPYBOT~1\SPYBOTSD.EXE
Mon 28 Jan 2008 2,097,488 A.SHR --- F:\PROGRA~1\SPYBOT~1\TEATIMER.EXE
Tue 15 Nov 2005 78,104 ..SHR --- F:\PROGRA~1\AUTODESK\AUTODE~1\SETUP.EXE
Tue 15 Nov 2005 12,912 A.SHR --- F:\PROGRA~1\AUTODESK\AUTODE~1\_SETUPX.DLL
Thu 23 Jan 2003 65,952 ..SHR --- F:\PROGRA~1\AUTODESK\AUTODE~2\SETUP.EXE
Thu 8 May 2008 0 A..H. --- F:\WINDOWS\SOFTWA~1\DOWNLOAD\385CB6~1\BIT1.TMP
Thu 24 Jan 2008 0 A..H. --- F:\WINDOWS\SOFTWA~1\DOWNLOAD\523D05~1\BIT2.TMP
Mon 12 Feb 2007 3,096,576 A..H. --- F:\DOCUME~1\DIAMAN\APPLIC~1\U3\TEMP\LAUNCH~1.EXE

Finished!





Logfile of HijackThis v1.99.1
Scan saved at 00:21:58, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\drivers\CDAC11BA.EXE
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\Program Files\Logiciel\eCM\scktsrvr.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
F:\Program Files\Nikon\NkView5\NkvMon.exe
F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
F:\WINDOWS\system32\svchost.exe
F:\utils\FirefoxPortable\App\firefox\firefox.exe
F:\Program Files\Spyware Doctor\pctsGui.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {189A78B1-CEB8-45FD-9C12-4B9C8A965A58} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7156D971-86B9-447F-BB5B-F3DF97A83F79} - (no file)
O2 - BHO: (no name) - {E0026215-403B-41C2-8874-BD288321446C} - (no file)
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJbArpP - F:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WinCtrl32 - F:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - f:\windows\system32\mssrv32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Borland Socket server (SocketServer) - Borland Software Corporation - F:\Program Files\Logiciel\eCM\scktsrvr.exe
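
The opening post describes the tell precisely: nothing happens offline, but as soon as the cable goes in winlogon.exe opens a single web connection and svchost.exe fans SMTP out to many remote mail servers. The script below is an added example (not from the original post and not part of TCPView, SDFix or HijackThis) that turns that observation into a repeatable check over a TCPView-style connection export. The sample lines are constructed, and the column layout, the process lists and the fan-out threshold are assumptions of the example.

```python
"""Flag system processes that talk to the Internet in ways they should not.

Added example, not from the thread: it reproduces the pattern the opening post
describes (winlogon.exe opening a web connection, svchost.exe fanning SMTP
out to many mail servers) over a constructed TCPView-style export. The column
layout, the process lists and the threshold are assumptions of this example.
"""
from collections import defaultdict

# Constructed sample; columns: image:pid  proto  local  remote  state
SAMPLE_CONNECTIONS = """\
winlogon.exe:612   TCP  192.168.1.10:1042  203.0.113.5:80     ESTABLISHED
svchost.exe:1412   TCP  192.168.1.10:1051  198.51.100.21:25   SYN_SENT
svchost.exe:1412   TCP  192.168.1.10:1052  198.51.100.37:25   ESTABLISHED
svchost.exe:1412   TCP  192.168.1.10:1053  203.0.113.77:25    SYN_SENT
svchost.exe:1412   TCP  192.168.1.10:1054  192.0.2.9:25       ESTABLISHED
svchost.exe:1412   TCP  192.168.1.10:1055  192.0.2.44:25      SYN_SENT
svchost.exe:1040   TCP  192.168.1.10:1060  192.0.2.100:80     ESTABLISHED
OUTLOOK.EXE:2210   TCP  192.168.1.10:1070  192.0.2.200:25     ESTABLISHED
"""

SMTP_PORT = 25
FANOUT_THRESHOLD = 3  # distinct SMTP peers from one process before alerting (assumption)
# Core Windows processes that should never originate outbound TCP at all (assumption).
NO_OUTBOUND_EXPECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# svchost.exe hosts Windows Update and so may legitimately use port 80, but never SMTP.
NO_SMTP_EXPECTED = NO_OUTBOUND_EXPECTED | {"svchost.exe"}


def parse_connections(text):
    """Yield (image, pid, remote_host, remote_port) for every TCP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "TCP":
            continue
        image, _, pid = parts[0].rpartition(":")
        rhost, _, rport = parts[3].rpartition(":")
        yield image, int(pid), rhost, int(rport)


def smtp_fanout(text):
    """Map (image, pid) -> set of distinct remote hosts contacted on port 25."""
    peers = defaultdict(set)
    for image, pid, rhost, rport in parse_connections(text):
        if rport == SMTP_PORT:
            peers[(image, pid)].add(rhost)
    return peers


def suspicious_mailers(text, threshold=FANOUT_THRESHOLD):
    """Processes sending mail that should not, or to too many servers at once."""
    hits = []
    for (image, pid), hosts in smtp_fanout(text).items():
        if image.lower() in NO_SMTP_EXPECTED or len(hosts) >= threshold:
            hits.append((image, pid, len(hosts)))
    return sorted(hits)


def unexpected_outbound(text):
    """Core system processes with any outbound connection at all."""
    hits = set()
    for image, pid, rhost, rport in parse_connections(text):
        if image.lower() in NO_OUTBOUND_EXPECTED:
            hits.add((image, pid, rhost, rport))
    return sorted(hits)


if __name__ == "__main__":
    for image, pid, n in suspicious_mailers(SAMPLE_CONNECTIONS):
        print(f"SMTP fan-out: {image}[{pid}] -> {n} distinct mail servers")
    for image, pid, rhost, rport in unexpected_outbound(SAMPLE_CONNECTIONS):
        print(f"Unexpected outbound: {image}[{pid}] -> {rhost}:{rport}")
```

On the constructed sample the SMTP check singles out svchost.exe PID 1412 (five distinct mail servers) while OUTLOOK.EXE, which legitimately sends mail to one server, stays quiet, and the outbound check reports the winlogon.exe web connection. The parser expects the one-line layout shown; a capture from TCPView or from `netstat -bn` on XP would need its columns adapted to that layout first.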

Comments

  • edited June 2008
    Hello, and welcome to the Icrontic Forums. :)

    First of all, you are not running the correct version of HijackThis.

    Please delete the one you have now.

    Then:
    Download HJTInstall.exe to your Desktop.

    * Doubleclick HJTInstall.exe to install it.
    * By default it will install to C:\Program Files\Trend Micro\HijackThis.
    * Click on Install.
    * It will create a HijackThis icon on the desktop.
    * Once installed, it will launch Hijackthis.
    * Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    * Post the log in your new reply.

    Note:
    1) Don't use the Analyse This button; its findings are dangerous if misinterpreted.
    2) Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
  • edited June 2008
    Oh it's part of trendmicro now? I will return with the new data, thanks
  • edited June 2008
    I ran malwarebytes' antimalware and it found and deleted 9 objects. My initial impression is that there is no other virus or trojan on this system. I do not see any connections initiated, nor any strange open ports.

    Pasting logs below:

    Malwarebytes' Anti-Malware 1.14
    Database version: 829

    4:52:47 μμ 8/6/2008
    mbam-log-6-8-2008 (16-52-47).txt

    Scan type: Quick Scan
    Objects scanned: 38406
    Time elapsed: 1 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    F:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\nmwegbsf.btqp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\nmwegbsf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    F:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
    F:\WINDOWS\system32\Process.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    F:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Delete on reboot.



    Finally, Hijackthis after all the cleaning:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:29:21, on 8/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    F:\WINDOWS\RTHDCPL.EXE
    F:\WINDOWS\system32\RUNDLL32.EXE
    F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    F:\Program Files\Eset\nod32kui.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    F:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
    F:\Program Files\Nikon\NkView5\NkvMon.exe
    F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    F:\WINDOWS\system32\drivers\CDAC11BA.EXE
    F:\WINDOWS\system32\svchost.exe
    F:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    F:\Program Files\Eset\nod32krn.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\Program Files\Logiciel\eCM\scktsrvr.exe
    F:\WINDOWS\system32\wuauclt.exe
    F:\WINDOWS\explorer.exe
    F:\WINDOWS\system32\notepad.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\system32\imapi.exe
    F:\utils\FirefoxPortable\App\firefox\firefox.exe
    F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {189A78B1-CEB8-45FD-9C12-4B9C8A965A58} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7156D971-86B9-447F-BB5B-F3DF97A83F79} - (no file)
    O2 - BHO: (no name) - {E0026215-403B-41C2-8874-BD288321446C} - (no file)
    O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
    O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: mlJbArpP - F:\WINDOWS\
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Borland Socket server (SocketServer) - Borland Software Corporation - F:\Program Files\Logiciel\eCM\scktsrvr.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)
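
Even after the Malwarebytes run, the HijackThis log above still carries the two sections helpers read first in a case like this: O20 Winlogon Notify packages (the one called mlJbArpP points at a bare directory, F:\WINDOWS\, with no DLL name at all) and O23 services. The script below is an added example, not part of the thread and not a HijackThis feature, that reads HijackThis-format lines and ranks those entries. The sample lines are copied from the logs posted in this thread; the severity labels and the rules behind them are this example's own assumptions.

```python
"""Triage the HijackThis sections that matter most for a Winlogon-hooking trojan.

Added example, not part of the thread and not a HijackThis feature: it reads
HijackThis-format lines and points at the entries a helper would look at first.
The sample lines are copied from the logs posted in this thread; the severity
labels and rules are this example's own assumptions.
"""
import re

# Lines copied from the HijackThis logs posted in this thread (before and after cleaning).
SAMPLE_HJT_LINES = r"""
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJbArpP - F:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WinCtrl32 - F:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - f:\windows\system32\mssrv32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O2 - BHO: (no name) - {7156D971-86B9-447F-BB5B-F3DF97A83F79} - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NOFILE_RE = re.compile(r"^O\d+ - .*\(no file\)$")


def triage(log_text):
    """Return (severity, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O20_RE.match(line)
        if m:
            path = m["path"].strip()
            # A Notify package must name a DLL; a bare directory means the
            # registration is broken or deliberately obscured.
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                findings.append(("HIGH", "Winlogon Notify entry has no DLL file name; "
                                 "winlogon.exe loads whatever is registered here at logon", line))
            else:
                findings.append(("REVIEW", "Winlogon Notify package; confirm the DLL's publisher "
                                 "and that it is still wanted", line))
            continue
        m = O23_RE.match(line)
        if m:
            # Services whose binary carries no publisher information deserve a look
            # regardless of how reassuring the display name sounds.
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(("HIGH", "service with no recorded owner/publisher; "
                                 "check the binary before trusting the description", line))
            continue
        if NOFILE_RE.match(line):
            findings.append(("LOW", "orphaned entry pointing at a missing file; "
                             "harmless but worth cleaning", line))
    return findings


def by_severity(findings):
    """Count findings per severity label."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for sev, reason, line in results:
        print(f"[{sev}] {line}\n        {reason}")
    print(by_severity(results))
```

Run against the copied lines it marks mlJbArpP and the msupdate service as HIGH, lists the three remaining Notify DLLs for review, and files the two `(no file)` entries as low-priority cleanup, which matches the order in which the thread's helpers actually went after them.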
  • edited June 2008
    Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry.
    Please visit this webpage for download links, and instructions for running ComboFix

    When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.


    NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  • edited June 2008
    Someone else told me to run ComboFix as well, and provided a CFScript.txt to run with it to delete some remnants of the viruses that were removed.


    ComboFix 08-06-07.3 - Diaman 2008-06-09 13:52:35.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.1624 [GMT 3:00]
    Running from: F:\utils\ComboFix.exe
    Command switches used :: F:\utils\CFScript-2.txt
    * Created a new restore point
    * Resident AV is active


    FILE ::
    F:\WINDOWS\eaps.exe
    F:\WINDOWS\system32\phc788j0e98v.bmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    F:\Documents and Settings\Diaman\Application Data\shc188j0e98v
    F:\WINDOWS\eaps.exe
    F:\WINDOWS\system32\phc788j0e98v.bmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_WINBG40
    \Legacy_WINEJ27
    \Service_Winaf27
    \Service_Winbg40
    \Service_Windi62
    \Service_Winej27
    \Service_Winjo27
    \Service_Winos61
    \Service_Winqv16
    \Service_Winqv72
    \Service_Winua04
    \Service_Winwc40


    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .

    2008-06-08 18:10 . 2008-06-08 18:10 0 --a F:\WINDOWS\nsreg.dat
    2008-06-08 16:40 . 2008-06-08 16:40 <DIR> d F:\Program Files\Trend Micro
    2008-06-06 00:19 . 2005-08-25 18:19 115,920 --a F:\WINDOWS\system32\MSINET.OCX
    2008-06-06 00:18 . 2008-06-06 00:19 <DIR> d F:\Program Files\SpywareBlaster
    2008-06-06 00:05 . 2008-06-06 00:05 <DIR> d F:\WINDOWS\ERUNT
    2008-06-05 22:43 . 2008-06-05 22:43 <DIR> d F:\Program Files\Malwarebytes' Anti-Malware
    2008-06-05 22:43 . 2008-06-05 22:43 <DIR> d F:\Documents and Settings\Diaman\Application Data\Malwarebytes
    2008-06-05 22:43 . 2008-06-05 22:43 <DIR> d F:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-05 22:43 . 2008-05-30 01:06 34,296 --a F:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 22:43 . 2008-05-30 01:06 15,864 --a F:\WINDOWS\system32\drivers\mbam.sys
    2008-06-05 21:29 . 2007-09-06 00:22 289,144 --a F:\WINDOWS\system32\VCCLSID.exe
    2008-06-05 21:29 . 2006-04-27 17:49 288,417 --a F:\WINDOWS\system32\SrchSTS.exe
    2008-06-05 21:29 . 2008-05-29 09:35 86,528 --a F:\WINDOWS\system32\VACFix.exe
    2008-06-05 21:29 . 2008-05-18 21:40 82,944 --a F:\WINDOWS\system32\IEDFix.exe
    2008-06-05 21:29 . 2008-05-18 21:40 82,944 --a F:\WINDOWS\system32\404Fix.exe
    2008-06-05 21:29 . 2004-07-31 18:50 51,200 --a F:\WINDOWS\system32\dumphive.exe
    2008-06-05 21:29 . 2007-10-04 00:36 25,600 --a F:\WINDOWS\system32\WS2Fix.exe
    2008-06-05 21:09 . 2008-06-05 21:08 512,096 --a F:\WINDOWS\system32\drivers\amon.sys
    2008-06-05 21:09 . 2008-06-05 21:08 298,104 --a F:\WINDOWS\system32\imon.dll
    2008-06-05 21:09 . 2008-06-05 21:08 15,424 --a F:\WINDOWS\system32\drivers\nod32drv.sys
    2008-06-05 21:08 . 2008-06-05 21:18 <DIR> d F:\Program Files\ESET
    2008-06-05 21:00 . 2008-06-08 17:04 <DIR> d F:\Program Files\Spyware Doctor
    2008-06-05 21:00 . 2008-06-05 21:00 <DIR> d F:\Documents and Settings\Diaman\Application Data\PC Tools
    2008-06-05 21:00 . 2007-12-10 13:53 81,288 --a F:\WINDOWS\system32\drivers\iksyssec.sys
    2008-06-05 21:00 . 2007-12-10 13:53 66,952 --a F:\WINDOWS\system32\drivers\iksysflt.sys
    2008-06-05 21:00 . 2008-02-01 11:55 42,376 --a F:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-06-05 21:00 . 2007-12-10 13:53 29,576 --a F:\WINDOWS\system32\drivers\kcom.sys
    2008-06-05 20:38 . 2008-06-05 20:39 <DIR> d F:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-05 20:35 . 2008-06-05 20:35 <DIR> d F:\Deckard
    2008-06-05 20:34 . 2008-06-05 20:34 106 --a F:\delete.bat
    2008-06-05 20:07 . 2008-06-05 20:33 <DIR> d F:\WINDOWS\BDOSCAN8
    2008-06-05 18:52 . 2008-06-05 18:52 <DIR> d F:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-06-05 18:35 . 2008-06-08 18:05 <DIR> d F:\Program Files\SUPERAntiSpyware
    2008-06-05 18:35 . 2008-06-08 18:05 <DIR> d F:\Documents and Settings\Diaman\Application Data\SUPERAntiSpyware.com
    2008-06-05 18:35 . 2008-06-05 18:35 <DIR> d F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-05 18:25 . 2008-06-05 21:30 3,428 --a F:\WINDOWS\system32\tmp.reg
    2008-06-05 17:55 . 2008-06-05 17:54 102,664 --a F:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-05 17:54 . 2008-06-05 18:16 <DIR> d F:\Documents and Settings\Diaman\.housecall6.6
    2008-06-05 17:53 . 2008-06-09 13:52 <DIR> d F:\utils
    2008-06-05 17:52 . 2008-06-05 17:52 <DIR> d F:\WINDOWS\Sun
    2008-06-05 17:48 . 2004-12-06 21:31 49,265 --a F:\WINDOWS\system32\jpicpl32.cpl
    2008-06-05 17:47 . 2008-06-05 17:48 <DIR> d F:\Program Files\Java
    2008-06-05 17:47 . 2008-06-05 17:47 <DIR> d F:\Program Files\Common Files\Java
    2008-06-05 16:38 . 2008-06-08 17:20 <DIR> d-a F:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-05 16:35 . 2008-06-05 16:35 78,240 --a F:\WINDOWS\system32\drivers\FILEM701.SYS
    2008-06-05 16:20 . 2008-06-05 16:20 <DIR> d F:\Documents and Settings\Administrator
    2008-06-05 15:53 . 2008-06-08 18:03 <DIR> d F:\Program Files\Spybot - Search & Destroy
    2008-06-05 15:53 . 2008-06-08 18:02 <DIR> d F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-06 11:26 d w F:\Documents and Settings\Diaman\Application Data\U3
    2008-06-06 11:06 d w F:\Program Files\FotoStation Easy
    2008-05-06 17:47 d w F:\Documents and Settings\Diaman\Application Data\Apple Computer
    2008-04-14 09:22 d w F:\Program Files\Engineering Solutions
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-08_17.24.41.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-08 14:23:14 2,048 --s-a-w F:\WINDOWS\bootstat.dat
    + 2008-06-09 10:55:02 2,048 --s-a-w F:\WINDOWS\bootstat.dat
    + 2008-03-25 03:21:18 2,889,088 ----a-w F:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    + 2008-03-25 03:21:20 218,496 ----a-w F:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2008-06-08 16:06:55 70,264 ----a-w F:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    + 2008-06-09 10:55:17 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_750.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-12 12:33 16132608 F:\WINDOWS\RTHDCPL.exe]
    "QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:00 33280 F:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2007-10-05 16:25 1626112 F:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 15:00 33280 F:\WINDOWS\system32\rundll32.exe]
    "Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "SunJavaUpdateSched"="F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31 36975]
    "nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2008-06-05 21:08 949376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

    F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    FotoStation Easy AutoLaunch.lnk - F:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe [2008-02-01 13:15:36 49152]
    NkvMon.exe.lnk - F:\Program Files\Nikon\NkView5\NkvMon.exe [2008-02-01 13:15:11 233472]
    Picture Package Menu.lnk - F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-02-01 11:13:38 151552]
    Picture Package VCD Maker.lnk - F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2008-02-01 11:13:35 106496]
    Service Manager.lnk - F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "F:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R2 SocketServer;Borland Socket server;F:\Program Files\Logiciel\eCM\scktsrvr.exe [2007-04-04 16:50]
    S3 gdrv;gdrv;F:\WINDOWS\gdrv.sys [2007-11-12 16:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 13:55:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    F:\WINDOWS\system32\drivers\CDAC11BA.EXE
    F:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    F:\Program Files\ESET\nod32krn.exe
    F:\WINDOWS\system32\nvsvc32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-09 13:56:42 - machine was rebooted [Diaman]
    ComboFix-quarantined-files.txt 2008-06-09 10:56:40
    ComboFix2.txt 2008-06-08 14:24:52

    Pre-Run: 7,834,357,760 bytes free
    Post-Run: 7,828,860,928 bytes free

    158 --- E O F --- 2008-05-28 11:49:56







    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:07:39, on 9/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    F:\WINDOWS\RTHDCPL.EXE
    F:\WINDOWS\system32\RUNDLL32.EXE
    F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    F:\Program Files\Eset\nod32kui.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
    F:\Program Files\Nikon\NkView5\NkvMon.exe
    F:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    F:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    F:\WINDOWS\system32\drivers\CDAC11BA.EXE
    F:\WINDOWS\system32\svchost.exe
    F:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    F:\Program Files\Eset\nod32krn.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\Program Files\Logiciel\eCM\scktsrvr.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\explorer.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.tee.gr/portal/page/portal/TEE_HOME
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
    O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView5\NkvMon.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: Service Manager.lnk = F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: C-DillaCdaC11BA - Macrovision - F:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Borland Socket server (SocketServer) - Borland Software Corporation - F:\Program Files\Logiciel\eCM\scktsrvr.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 5451 bytes
  • edited June 2008
    Please run HijackThis and place a checkmark by the following entries:
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O24 - Desktop Component 0: Privacy Protection - (no file)


    Close all other windows except HijackThis and press "Fix checked". Then close HijackThis and reboot the computer.


    Please run Panda ActiveScan.
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Attach the ActiveScan report in your next reply, along with a new HijackThis log.
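As an added example, not from this thread, from HijackThis or from any tool named here, the following Python script triages a log in the HijackThis format shown above: it parses the `Rxx`/`Oxx` entry lines, extracts the file each entry points at, flags the orphaned "(no file)" entries of the kind the helper asked to have fixed, lists O4 autoruns that name a bare file rather than a full path, and compares a before and after log so an entry that survives "Fix checked" and a reboot is caught. The sample log lines are constructed from the format on this page; the function names and the "after" log are my own.

```python
"""Triage helper for HijackThis-style logs (added example; not part of
HijackThis or of this thread). Parses the "Oxx - ..." entry lines, extracts
the file each entry points at, and flags what an analyst checks first."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copied from the log format shown in this thread.
LOG_BEFORE = r"""
Running processes:
F:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.tee.gr/portal/page/portal/TEE_HOME
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Constructed "after" log: the O2 and O9 orphans are gone, the O24 one is back.
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path ending in a binary or link extension; the lazy match stops
# at the first such extension so trailing arguments (",NvStartup", "/WAITSERVICE")
# are not swallowed into the path.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|lnk))\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str            # HijackThis section code, e.g. "O4" (autorun), "O23" (service)
    body: str            # everything after "Oxx - "
    path: Optional[str]  # file the entry points at, if one could be extracted

    @property
    def orphaned(self) -> bool:
        """Entry whose target no longer exists; HijackThis prints "(no file)"."""
        return "(no file)" in self.body


def parse_hjt_log(text: str) -> List[Entry]:
    """Return every R/F/O entry in a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, p.group(1) if p else None))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.orphaned]


def unresolved_autoruns(entries: List[Entry]) -> List[Entry]:
    """O4 entries that name a bare file with no drive-letter path. Windows
    locates these through the search path, so the log alone does not pin
    down which binary runs; they are worth confirming by hand."""
    return [e for e in entries if e.code == "O4" and e.path is None]


def still_present(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Orphaned entries that survive "Fix checked" plus a reboot, found by
    comparing the log taken before with the one taken after."""
    after_bodies = {e.body for e in after}
    return [e for e in orphaned_entries(before) if e.body in after_bodies]


def section_counts(entries: List[Entry]) -> dict:
    return dict(Counter(e.code for e in entries))


if __name__ == "__main__":
    before = parse_hjt_log(LOG_BEFORE)
    after = parse_hjt_log(LOG_AFTER)
    print("sections:", section_counts(before))
    for e in orphaned_entries(before):
        print("orphaned:", e.code, "-", e.body)
    for e in unresolved_autoruns(before):
        print("unresolved autorun:", e.body)
    for e in still_present(before, after):
        print("came back after fix:", e.code, "-", e.body)
```

Run against a saved HijackThis log by replacing the constructed strings with the file contents; `still_present` is the check for whether a fix actually held across a reboot, and `unresolved_autoruns` points at Run entries that need a manual look because the log does not say where the named file lives.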

  • edited June 2008
    Alright, I removed O2 and O9 but O24 keeps reappearing after Fix Checked (even after a restart). Any ideas?
  • edited June 2008
    Please boot into Safe Mode and try removing those entries using HijackThis.

    Then restart the computer again, and run Panda ActiveScan.
  • edited June 2008
    I tried safe mode without success. Turns out it was an Active Desktop item, which I removed.

    Thanks a lot for all your help, it is much appreciated!
  • edited June 2008
    You're welcome. Glad I could be of assistance. The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead (grin)



    Meanwhile nexxer, please do the following....


    This will clear away any of the files and folders that were created by ComboFix.
    Go to :
    Start > Run then copy and paste the following highlighted text below and click OK.
    ComboFix /u


    Finally,
    I will now post a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of malware problems.

    You may have already taken some of these steps:

    1. Watch what you download!
    Do not download just anything you see on the web. Some may have spyware bundled into them.

    2. Try not to use peer-to-peer programs.
    P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious and come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article at MalwareRemoval.com. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

    3. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    If Automatic Updates is turned off, please turn it on.

    4. Adjust your security settings for ActiveX:
    Go to Internet Options/Security/Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

    So why is ActiveX so dangerous that you have to increase the security for it?

    When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive. Would you run just any random file downloaded off a web site without knowing what it is and what it does?

    5. Download and install the following free programs:
    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

    Periodically check for updates.

    6. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm. It is one of the most-used firewalls around the world, and is truly dependable.
    Other alternatives are: Comodo firewall, Sunbelt Kerio firewall
    A tutorial on understanding and using firewalls may be found here

    7. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

    8. You might consider installing Mozilla / Firefox. It has been said to be safer than Internet Explorer. Also it comes along with a good popup blocker.
    http://www.mozilla.org/

    9. Install spyware detection and removal programs:
    SuperAntiSpyware:
    http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
    Spybot S&D:
    http://www.safer-networking.org/en/download/index.html

    Use SuperAntiSpyware and Spybot S&D to regularly scan your system for and remove many forms of spyware/malware.

    10. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

    11. If I have helped you, you may consider donating a sum of money through Paypal to parasite@parasitedb.com to keep up my efforts. Note that this is entirely voluntary, and has no bearing on any future help that you may require.

    12. You may also consider Joining Team 93 and fold for a cure.



    Good luck, and happy and safe surfing! :D

