New Member
XP PRO SP2
I am using Sygate Personal Firewall 5.6 build 2808.
I have Spybot - Search & Destroy version 1.5.2.0.
Sygate Personal Firewall reports: Application Hijacking, Severity=Critical, Remote Host=77.232.91.127. The full path of Spybot is listed.
Sygate displays Spybot as Application Hijacking for several minutes, anywhere from 5 to 20 minutes so far.
Sygate eventually lists the Security Type for each previous Spybot entry as "Port Scan", changes the Severity to Minor and changes the Remote Host to 194.168.8.100.
In the past 60 minutes (while connected to the internet) Windows Media Player 11 has automatically launched 4 times.
The first time WMP launched I did not see the video; the second time it played a pornographic video; the third time a blank 3 second video; the fourth time a pornographic video. I disabled my network adapter and Windows Media Player has not launched since.
I have done a scan using Spybot Search and Destroy; it found nothing.
In Task Manager, CPU Usage is fluctuating between 5% and 100%; the graph displays drastic peaks and troughs. At present I have Firefox, Bitdefender, Spybot Search and Destroy and Sygate Personal Firewall running. These applications, when running at the same time, usually do not consume more than 15% usage.
Checked MSCONFIG - there are 5 entries for svchost, all enabled.
There are 6 entries enabled but the Startup Item column is blank; the "location" for the blank items is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
I am able to use all my usual applications with only one noticeable interruption: whatever application I am using, within a few seconds the title bar will go grey and the application becomes inactive, however no other application launches. Since I disabled my network adapter this has not happened.
Another peculiarity - a dialogue box appeared while I was connected to the net. It had no reference to any application or website, but it was clearly spyware because it displayed some text claiming that my computer is infected, which is true because there's no doubt that the vendor of that alert has infected my PC. I did not click on it; I used Alt+Tab but it was not listed, and it disappeared without any action from me.
About 45 minutes previous to all these things, my computer would play an alert similar to when you instruct a computer to perform an action but it returns a message saying that action is not possible. No dialogue box appeared on screen to accompany this alert.
I have not recently installed any new software apart from a Firefox addon "BlockSite 0.7", however this was 2 days ago. I have not installed any other browser plugins.
I just enabled my network adapter and the CPU usage is even more sporadic and Firefox is hanging, but not severely.
I've used the ADS Spy tool in HijackThis but it found nothing.
Here is the result of HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 21:00:58, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\z_Drivers\svchost.exe
F:\SFW\SECURE\HijackThis.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\z_Drivers\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://techwhims.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\z_Drivers\svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
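As an added example (not from the thread, and not part of HijackThis, SDFix or ComboFix), the following Python triage script flags the two things that stand out in the log above: a system-only binary name such as svchost.exe running from a directory other than the Windows system directory, and one executable registered under several Run value names. The log lines inside the script are constructed to mirror the shape of the posted log, not copied from it in full.

```python
"""Triage of HijackThis-style log text for system-binary masquerading.

Added example for this thread; it is not part of HijackThis, SDFix or
ComboFix. The sample lines below are constructed to mirror the shape of
the posted log (a few process lines and O4 autostart entries).
"""
import re
from collections import defaultdict

# Binaries that legitimately live only under the Windows system directory.
# The same file name anywhere else (here C:\z_Drivers) is a masquerading signal.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
               "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows")

# Constructed sample, modelled on the posted log (not the full log).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\Program Files\\Sygate\\SPF\\smc.exe
C:\\z_Drivers\\svchost.exe
C:\\z_Drivers\\svchost.exe
O4 - HKLM\\..\\Run: [SmcService] C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [CDriver] c:\\z_Drivers\\svchost.exe
O4 - HKCU\\..\\Run: [alpha] c:\\z_Drivers\\svchost.exe
O4 - HKCU\\..\\Run: [beta] c:\\z_Drivers\\svchost.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A bare path line, as printed under "Running processes:"
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


def normalise(path):
    """Case-insensitive, forward-slash form without surrounding quotes."""
    return path.strip().strip('"').replace("\\", "/").lower()


def in_system_dir(path):
    """True when the file's directory is the Windows directory or System32."""
    parent = normalise(path).rsplit("/", 1)[0]
    return parent in SYSTEM_DIRS


def first_token(cmd):
    """Executable part of a Run value: honour quotes, otherwise cut after '.exe'
    because unquoted paths in these logs may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def executables(log):
    """Yield (source, exe_path) for each process line and each O4 entry."""
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            yield "O4 " + m.group("name"), first_token(m.group("cmd"))
        elif PROCESS_RE.match(line):
            yield "process", line.strip()


def masquerading(log):
    """Entries whose file name is a system-only binary but whose directory is not."""
    hits = set()
    for source, exe in executables(log):
        base = normalise(exe).rsplit("/", 1)[-1]
        if base in SYSTEM_ONLY and not in_system_dir(exe):
            hits.add((source, exe))
    return sorted(hits)


def duplicate_autostarts(log, min_count=2):
    """Executables registered under several Run value names (persistence spray)."""
    names_by_exe = defaultdict(list)
    for source, exe in executables(log):
        if source.startswith("O4 "):
            names_by_exe[normalise(exe)].append(source[3:])
    return {exe: names for exe, names in names_by_exe.items()
            if len(names) >= min_count}


if __name__ == "__main__":
    for source, exe in masquerading(SAMPLE_LOG):
        print(f"masquerading system binary: {source}: {exe}")
    for exe, names in duplicate_autostarts(SAMPLE_LOG).items():
        print(f"{exe} registered {len(names)} times as {', '.join(names)}")
```

Run against a real HijackThis log by passing the file's text to masquerading() and duplicate_autostarts(); a genuine svchost.exe will only ever be reported from System32.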
Senior Forum Moderator
Welcome
Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm
Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\
* You might want to print/copy the following as you need to be in Safe Mode from here on.
* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop
Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
Also post a new Hijackthis log please.
________________________________________

ASAP & UNITE member since 2006


New Member
Followed the instructions. I disabled all startup items before using SDFix, however svchost.exe is still enabled, all 5 entries plus the 6 blank entries.
I ran both applications without any noticeable problems.
Here are the results:
SDFix: Version 1.182
Run by Poi on 15/05/2008 at 21:54
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name :
dnlsvc
msdirect
Path :
"C:\DOCUME~1\Poi\LOCALS~1\Temp\dnlsvc.exe"
\??\C:\WINDOWS\system32\msdirect.sys
dnlsvc - Deleted
msdirect - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\msdirect.sys - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 22:00:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:73,77,9d,44,52,04,3a,96,64,2c,89,59,f4,05,3c,2c,b1,76,a7,38,16,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,25,5d,36,3f,12,c8,45,c9,6d,c9,2b,96,e3,42,a1,87,db,..
"khjeh"=hex:91,6e,b0,e0,15,28,5d,87,f6,0a,45,2e,2f,5f,db,77,e8,a0,53,1a,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:71,4f,4c,8a,c1,fc,63,1e,3d,c3,12,7f,71,99,fc,44,96,b4,cc,df,e3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:73,77,9d,44,52,04,3a,96,64,2c,89,59,f4,05,3c,2c,b1,76,a7,38,16,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,25,5d,36,3f,12,c8,45,c9,6d,c9,2b,96,e3,42,a1,87,db,..
"khjeh"=hex:91,6e,b0,e0,15,28,5d,87,f6,0a,45,2e,2f,5f,db,77,e8,a0,53,1a,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:71,4f,4c,8a,c1,fc,63,1e,3d,c3,12,7f,71,99,fc,44,96,b4,cc,df,e3,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\UltraVNC\\vncviewer.exe"="C:\\Program Files\\UltraVNC\\vncviewer.exe:*:Enabled:vncviewer.exe"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe"="C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe:*:Enabled:bsP2pHubDemo"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 16 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 16 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Mar 2008 165,232 A..H. --- "C:\Documents and Settings\Poi\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"
Finished!
--------------------------------------------------------------------------
ComboFix 08-05-12.1 - Poi 2008-05-15 22:13:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT 1:00]
Running from: C:\Documents and Settings\Poi\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Desktop_.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSDIRECT
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.
2008-05-15 21:49 . 2008-05-15 21:49  d--------  C:\WINDOWS\ERUNT
2008-05-15 21:44 . 2008-05-15 22:05  d--------  C:\SDFix
2008-05-15 11:38 . 2008-05-15 11:38  d--------  C:\z_Drivers
2008-05-15 11:38 . 2008-05-15 14:43  980  --a------  C:\0xf9.exe
2008-05-09 08:05 . 2008-05-09 08:05  d--------  C:\Documents and Settings\Poi\Application Data\Talkback
2008-05-02 18:25 . 2008-05-02 18:25  d--------  C:\Program Files\Rockstar Games
2008-04-28 22:23 . 2008-04-28 22:23  d--------  C:\Program Files\Hotspot Shield
2008-04-26 22:02 . 2008-04-26 22:04  d--------  C:\Documents and Settings\Poi\Application Data\Dimdim
2008-04-26 22:02 . 2005-11-27 19:25  31,896  --a------  C:\WINDOWS\system32\drivers\dfmirage.sys
2008-04-26 22:02 . 2005-11-27 19:25  30,360  --a------  C:\WINDOWS\system32\dfmirage.dll
2008-04-25 14:12 . 2004-08-30 14:25  438,272  --a------  C:\WINDOWS\system32\vp6vfw.dll
2008-04-25 14:12 . 2004-12-10 10:06  327,680  --a------  C:\WINDOWS\system32\vp6dec.ax
2008-04-25 14:12 . 2007-04-12 15:01  118,832  --a------  C:\WINDOWS\system32\SHW32.DLL
2008-04-23 12:17 . 2008-04-23 13:06  d--------  C:\Program Files\PeerGuardian2
2008-04-22 10:31 . 2008-04-22 10:31  dr-h-----  C:\Documents and Settings\Poi\Application Data\SecuROM
2008-04-22 06:17 . 2008-04-22 08:42  d--------  C:\Program Files\Desktop Activity Recorder
2008-04-20 12:51 . 2008-04-20 12:51  d--------  C:\Program Files\OpenAL
2008-04-20 12:51 . 2008-04-20 12:51  409,600  --a------  C:\WINDOWS\system32\wrap_oal.dll
2008-04-20 12:51 . 2008-04-20 12:51  114,688  --a------  C:\WINDOWS\system32\OpenAL32.dll
2008-04-20 12:47 . 2008-04-20 12:47  d--------  C:\Program Files\Paradox Interactive
2008-04-19 00:30 . 2008-04-19 00:30  d--------  C:\Program Files\Network Stumbler
2008-04-18 20:04 . 2008-04-18 20:03  737,280  --a------  C:\WINDOWS\iun6002.exe
2008-04-18 13:21 . 2008-04-18 13:21  d--------  C:\Documents and Settings\All Users\Application Data\Default
2008-04-17 16:43 . 2008-04-17 16:43  107,888  --a------  C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 08:42 . 2008-04-17 08:42  d--------  C:\Program Files\BIGSPEED Peer-to-Peer SDK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 20:20  14  ----a-w  C:\Documents and Settings\Poi\getfile.dat
2008-05-15 18:47  ---------  d-----w  C:\Documents and Settings\Poi\Application Data\OpenOffice.org2
2008-05-15 17:08  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 16:28  ---------  d-----w  C:\Program Files\BOINC
2008-05-14 10:54  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-08 14:33  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-04-25 13:06  ---------  d-----w  C:\Program Files\EA Sports
2008-04-25 12:56  ---------  d-----w  C:\Program Files\Common Files\LogiShrd
2008-04-25 12:38  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Logishrd
2008-04-18 19:16  ---------  d-----w  C:\Program Files\Atheros
2008-04-17 13:40  ---------  d-----w  C:\Documents and Settings\Poi\Application Data\Hamachi
2008-04-13 18:51  ---------  d-----w  C:\Program Files\New Star Soccer 3
2008-04-11 00:44  ---------  d-----w  C:\Program Files\Project64 1.6
2008-04-10 13:19  ---------  d-----w  C:\Program Files\1964
2008-04-10 12:18  ---------  d-----w  C:\Program Files\mupen64 0.5
2008-04-09 20:07  ---------  d-----w  C:\Program Files\mupen64 0.4
2008-04-05 14:35  ---------  d-----w  C:\Program Files\Microsoft Silverlight
2008-03-28 12:13  ---------  d-----w  C:\Program Files\Safari
2008-03-28 12:13  ---------  d-----w  C:\Documents and Settings\Poi\Application Data\Apple Computer
2008-03-28 12:12  ---------  d-----w  C:\Program Files\Apple Software Update
2008-03-28 12:12  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Apple
2008-03-24 23:03  ---------  d-----w  C:\Documents and Settings\Poi\Application Data\Vso
2008-03-22 22:27  ---------  d-----w  C:\Program Files\VSO
2008-03-19 15:37  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-19 15:07  ---------  d-----w  C:\Program Files\SiSoftware
2008-03-19 15:00  ---------  d-----w  C:\Program Files\Belarc
2008-03-18 17:32  ---------  d--h--w  C:\Documents and Settings\All Users\Application Data\{3DABBC31-9BB8-45D8-BE78-353E801E5DBA}
2008-03-18 17:32  ---------  d-----w  C:\Program Files\GGPO Client
2008-03-17 18:11  ---------  d-----w  C:\Program Files\mosaic
2008-03-16 21:05  ---------  d-----w  C:\Program Files\Windows Media Connect 2
2008-03-16 20:54  ---------  d-----w  C:\Program Files\Kontiki
2008-03-16 20:54  ---------  d-----w  C:\Program Files\Channel4
2008-03-16 20:54  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-06 18:20  691,545  ----a-w  C:\WINDOWS\unins000.exe
2008-03-04 13:00  811,776  ----a-w  C:\WINDOWS\boinc.scr
.
------- Sigcheck -------
2007-12-21 00:32 359040 a14fafd66adbd55a86f17a37e5ec4263  C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe" [2008-02-26 10:13 40960]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"alpha"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"beta"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"gamma"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SystemDriver"="" []
"FDriver"="" []
"ADriver"="" []
"CDriver"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"DDriver"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-12-07 03:21 124928 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"CDriver"= c:\z_Drivers\svchost.exe
"DDriver"= c:\z_Drivers\svchost.exe
"alpha"= c:\z_Drivers\svchost.exe
"beta"= c:\z_Drivers\svchost.exe
"gamma"= c:\z_Drivers\svchost.exe
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Poi^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Poi\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup
[HKLM\~\startupfolder\C:^DOCUME~1^Poi^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\DOCUME~1\Poi\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADriver]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 22:50 88204 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 10:41 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alpha]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 10:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2005-06-20 13:10 421888 c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-05-09 13:19 8192 c:\progra~1\softwin\bitdef~1\bdnagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beta]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDriver]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 00:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDriver]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverLoad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FDriver]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gamma]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-02-15 12:46 135168 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 10:42 16248320 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 10:42 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-10-15 20:40 2577632 C:\PROGRA~1\Sygate\SPF\smc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriver]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriverLoad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-10-08 10:21 55856 C:\Program Files\VMware\VMware Player\hqtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"uvnc_service"=2 (0x2)
"LexBceS"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-p2v"=2 (0x2)
"ThreadMaster"=2 (0x2)
"rpcapd"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LVCOMSer"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"pr2aqvlb"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"dnlsvc"=2 (0x2)
"KService"=2 (0x2)
"XCOMM"=2 (0x2)
"SmcService"=2 (0x2)
"bdss"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SODCPreLoad"=C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 pe3aqvlb;XIII Century Environment Driver (pe3aqvlb);C:\WINDOWS\system32\drivers\pe3aqvlb.sys [2008-03-14 15:22]
R0 ps7aqvlb;XIII Century Synchronization Driver (ps7aqvlb);C:\WINDOWS\system32\drivers\ps7aqvlb.sys [2008-03-14 15:21]
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys [2007-01-30 20:41]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 19:25]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 22:25]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 pr2aqvlb;XIII Century Drivers Auto Removal (pr2aqvlb);C:\WINDOWS\system32\pr2aqvlb.exe svc []
S4 ThreadMaster;Thread Master;C:\WINDOWS\system32\ThreadMaster\ThreadMast.exe [2003-03-18 00:27]
S4 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml []
S4 uvnc_service;uvnc_service;"C:\Program Files\UltraVNC\WinVNC.exe" -service []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 22:17:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\soffice.exe
.
**************************************************************************
.
Completion time: 2008-05-15 22:20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 21:20:21
Pre-Run: 7,616,372,736 bytes free
Post-Run: 7,835,357,184 bytes free
277
-----------------------------------------------------------------------------------
In future please warn people to remove any headphones when using ComboFix; the two high-pitched beeps at the start are very unpleasant.
Senior Forum Moderator

New Member
I had my headphones on because previous to this spyware problem, I was listening to a netcast.
Ran ComboFix and HijackThis without any noticeable problems.
The CPU Usage is back to normal, FireFox is responding well, no longer hanging and only one startup item enabled, ctfmon.exe
Problems are fixed, your help is much appreciated, thank you.
Here are the results
ComboFix 08-05-12.1 - Poi 2008-05-15 23:05:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT 1:00]
Running from: C:\Documents and Settings\Poi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Poi\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\0xf9.exe
C:\z_Drivers
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\0xf9.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.
2008-05-15 21:49 . 2008-05-15 21:49  d--------  C:\WINDOWS\ERUNT
2008-05-15 21:44 . 2008-05-15 22:05  d--------  C:\SDFix
2008-05-15 11:38 . 2008-05-15 11:38  d--------  C:\z_Drivers
2008-05-09 08:05 . 2008-05-09 08:05  d--------  C:\Documents and Settings\Poi\Application Data\Talkback
2008-05-02 18:25 . 2008-05-02 18:25  d--------  C:\Program Files\Rockstar Games
2008-04-28 22:23 . 2008-04-28 22:23  d--------  C:\Program Files\Hotspot Shield
2008-04-26 22:02 . 2008-04-26 22:04  d--------  C:\Documents and Settings\Poi\Application Data\Dimdim
2008-04-26 22:02 . 2005-11-27 19:25  31,896  --a------  C:\WINDOWS\system32\drivers\dfmirage.sys
2008-04-26 22:02 . 2005-11-27 19:25  30,360  --a------  C:\WINDOWS\system32\dfmirage.dll
2008-04-25 14:12 . 2004-08-30 14:25  438,272  --a------  C:\WINDOWS\system32\vp6vfw.dll
2008-04-25 14:12 . 2004-12-10 10:06  327,680  --a------  C:\WINDOWS\system32\vp6dec.ax
2008-04-25 14:12 . 2007-04-12 15:01  118,832  --a------  C:\WINDOWS\system32\SHW32.DLL
2008-04-23 12:17 . 2008-04-23 13:06  d