Does my system have a trojan or is it ok?
system configuration backup is coming up as a trojan and the file associated with this in the registry (sysdate.exe) seems to be bad. sysdate.exe is nowhere on my system as I deleted everything from c:\recycler.
Anti-malware finds a registry entry infected but will not delete it.
Here's my anti-malware logfile and hijackthis logfile:
Malwarebytes' Anti-Malware 1.34
Database version: 1837
Windows 5.1.2600 Service Pack 2
13/03/2009 12:37:55 AM
mbam-log-2009-03-13 (00-37-54).txt
Scan type: Quick Scan
Objects scanned: 74622
Time elapsed: 4 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system configuration backup (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:11 AM, on 13/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.i-choice....y/user_site.asp
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5D7C8712-AAB5-4766-8E18-DC9A84F564E5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [System configuration backup] C:\RECYCLER\S-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 9513 bytes
-------------------------------------------------------------------------------------------------------------------------------------------
Thanks for any assistance.
#1
Posted 12 March 2009 - 10:43 PM
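What a helper does with logs like the ones above is pick out the autorun entries that point somewhere they should not: the Run value here launches C:\RECYCLER\...\sysdate.exe, which the poster has already deleted, so the registry entry is left pointing at nothing. The following is an added example, not code from the original thread and not part of HijackThis, DDS or Malwarebytes: a small Python parser for the HijackThis O2/O4 lines and the DDS BHO, uRun/mRun/dRun and service/driver lines that extracts the file each entry loads and flags entries launched from C:\RECYCLER or a temp directory, or whose file is missing. The sample lines are copied from the HijackThis log above and the DDS log posted later in this thread; the flagging rules, and the names `AutorunEntry`, `triage`, `suspicious` and `report`, are this example's own assumptions. A flag means "review this", not "this is malware": an orphaned entry such as the AVG 8 Safe Search BHO is listed for the same reason as the RECYCLER one, and the human still decides.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines taken from the HijackThis (O2/O4) and DDS (BHO/uRun/mRun/S3)
# logs posted in this thread. The flagging rules below are this example's own
# assumptions, not HijackThis or DDS logic.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [System configuration backup] C:\RECYCLER\S-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
BHO: {140BD8E3-C167-11D4-B4A3-080000180323} - No File
uRun: [System configuration backup] c:\recycler\s-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
uRunOnce: [Ad Muncher Reboot Required]
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]
"""


@dataclass
class AutorunEntry:
    source: str    # where the entry lives (HKCU Run, mRun, S3 driver/service, BHO, ...)
    name: str      # value name, BHO name or service name
    command: str   # the command line / path exactly as logged
    path: str      # the file that actually gets loaded, extracted from the command
    reasons: List[str] = field(default_factory=list)  # why it was flagged; empty = not flagged


# One regex per log line format. HijackThis: "O4 - HKCU\..\Run: [name] cmd", "O2 - BHO: name - {guid} - path".
# DDS: "uRun: [name] cmd", "BHO: name: {guid} - path" (name optional), "S3 svc;display;path [date size]".
HJT_O4 = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[(.+?)\] ?(.*)$")
HJT_O2 = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
DDS_BHO = re.compile(r"^BHO: (?:(.+?): )?\{[0-9A-Fa-f-]+\} - (.*)$")
DDS_RUN = re.compile(r"^([umd]Run(?:Once)?): \[(.+?)\] ?(.*)$")
DDS_DRV = re.compile(r"^([RS]\d) (\w+);[^;]*;(.+?)(?: \[[^\]]*\])?$")
PATH_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|sys|scr))\b", re.IGNORECASE)


def extract_path(command: str) -> str:
    """Return the file a logged command line loads, or "" if there is no path-like token."""
    cmd = command.strip().replace("\\??\\", "")  # DDS prefixes driver paths with the NT \??\ prefix
    if not cmd:
        return ""
    if cmd.lower().startswith("rundll32"):
        # rundll32 is only the host; the DLL named in its first argument is the payload
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        return rest.split(",", 1)[0].strip('"')
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = PATH_PREFIX.match(cmd)  # unquoted path, possibly with spaces, ending at the first known extension
    return m.group(1) if m else ""


def flag(entry: AutorunEntry) -> None:
    """Attach review reasons. These are triage heuristics, not a malware verdict."""
    p = entry.path.lower()
    raw = entry.command.lower()
    if "\\recycler\\" in p:
        entry.reasons.append("launched from the Recycle Bin (C:\\RECYCLER)")
    if "\\temp\\" in p:
        entry.reasons.append("launched from a temp directory")
    if "(file missing)" in raw or raw.endswith("no file"):
        entry.reasons.append("registered, but the file is gone (orphaned entry)")


def parse_line(line: str) -> Optional[AutorunEntry]:
    """Turn one HijackThis or DDS autorun line into an AutorunEntry; None if it is some other line."""
    line = line.strip()
    if m := HJT_O4.match(line):
        hive, key, name, cmd = m.groups()
        return AutorunEntry(f"{hive} {key}", name, cmd, extract_path(cmd))
    if m := HJT_O2.match(line):
        name, cmd = m.groups()
        return AutorunEntry("O2 BHO", name, cmd, extract_path(cmd))
    if m := DDS_BHO.match(line):
        name, cmd = m.groups()
        return AutorunEntry("BHO", name or "(no name)", cmd, extract_path(cmd))
    if m := DDS_RUN.match(line):
        key, name, cmd = m.groups()
        return AutorunEntry(key, name, cmd, extract_path(cmd))
    if m := DDS_DRV.match(line):
        start, svc, cmd = m.groups()
        return AutorunEntry(f"{start} driver/service", svc, cmd, extract_path(cmd))
    return None


def triage(log_text: str) -> List[AutorunEntry]:
    """Parse every recognised autorun line and run the flagging rules over it."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            flag(entry)
            entries.append(entry)
    return entries


def suspicious(log_text: str) -> List[AutorunEntry]:
    """Only the entries that picked up at least one reason."""
    return [e for e in triage(log_text) if e.reasons]


def report(log_text: str) -> List[str]:
    """One line per flagged entry, in a form you could paste back into the thread."""
    return [f"{e.source}: [{e.name}] {e.path or e.command} <- {'; '.join(e.reasons)}"
            for e in suspicious(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the report lists the RECYCLER Run value twice (once from the HijackThis line, once from the DDS line), the driver registered out of the user's temp folder, and the two browser helper objects whose files are missing; the NVIDIA, Spybot, AVG 7 and cleanup entries pass through unflagged. The path extraction matters more than it looks: unquoted paths with spaces, rundll32 hosts and the `\??\` driver prefix all mislead a naive "first token" split.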
#2
Posted 13 March 2009 - 05:42 AM
Please uninstall your Peer2Peer Torrent file sharing software if you want us to assist you. These programs can infect the box faster than we can clean them so it's a waste of time to work on it till you've removed them.
Then run this please.
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr
Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please include the following logs in your next reply: DDS.txt and Attach.txt
#3
Posted 13 March 2009 - 06:08 PM
Hi.
Here's the logfile and the zipped attach file.
DDS (Ver_09-02-01.01) - NTFSx86
Run by Harry at 19:50:10.93 on Fri 13/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1418 [GMT 2:00]
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Harry\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.i-choice.com.cy/user_site.asp
uInternet Settings,ProxyOverride = <local>
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {140BD8E3-C167-11D4-B4A3-080000180323} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {5D7C8712-AAB5-4766-8E18-DC9A84F564E5} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: BrowserHelper Class: {ebcdda60-2a68-11d3-8a43-0060083cfb9c} - c:\windows\system32\nzdd.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [System configuration backup] c:\recycler\s-1-5-21-8837846407-3411793962-273322305-3591\sysdate.exe
uRunOnce: [Ad Muncher Reboot Required]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRunOnce: [Cleanup] C:\cleanup.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\harry\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Download all links with IDM
IE: Download FLV video content with IDM
IE: Download linked FLV with GetFLV - c:\program files\getflv\iemenu\DownloadLinkFLV.htm
IE: Download with IDM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: PRISMAPI.DLL - PRISMAPI.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-7-31 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-7-31 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-7-31 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-7-31 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-7-31 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-7-31 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-7-31 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-7-31 4960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-5-28 61526]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-7-11 14976]
R3 MaplomL;MaplomL;c:\windows\system32\drivers\maploml.sys [2008-8-23 36288]
S2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2006-7-5 371349]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-7-21 2560]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]
=============== Created Last 30 ================
2009-03-11 23:55 <DIR> --d----- C:\cmdcons
2009-03-11 23:54 161,792 a------- c:\windows\SWREG.exe
2009-03-11 23:54 98,816 a------- c:\windows\sed.exe
2009-03-11 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-11 22:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-11 22:16 <DIR> --d----- c:\docume~1\harry\applic~1\SUPERAntiSpyware.com
2009-03-11 20:56 <DIR> --d----- C:\autoruns
2009-03-11 01:16 <DIR> --d----- c:\docume~1\harry\applic~1\Malwarebytes
2009-03-11 01:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 01:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 01:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 01:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-11 01:01 788 a------- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-10 03:41 <DIR> --d----- C:\New Folder (2)
2009-03-10 02:55 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-10 02:55 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-10 02:55 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-10 02:55 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-10 02:53 35,871 a------- c:\windows\system32\dllcache\wbfirdma.sys
2009-03-10 02:52 113,762 a------- c:\windows\system32\dllcache\usrpda.sys
2009-03-10 02:51 216,064 a------- c:\windows\system32\dllcache\um34scan.dll
2009-03-10 02:50 81,408 a------- c:\windows\system32\dllcache\tgiul50.dll
2009-03-10 02:49 48,736 a------- c:\windows\system32\dllcache\srwlnd5.sys
2009-03-10 02:48 45,568 a------- c:\windows\system32\dllcache\smb3w.dll
2009-03-10 02:47 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-03-10 02:46 210,496 a------- c:\windows\system32\dllcache\s3mvirge.dll
2009-03-10 02:45 20,736 a------- c:\windows\system32\dllcache\ramdisk.sys
2009-03-10 02:40 482,304 a------- c:\windows\system32\dllcache\pintlgnt.ime
2009-03-10 02:40 175,104 a------- c:\windows\system32\dllcache\pintlcsa.dll
2009-03-10 02:40 70,144 a------- c:\windows\system32\dllcache\pintlphr.exe
2009-03-10 02:40 53,760 a------- c:\windows\system32\dllcache\pintlcsd.dll
2009-03-10 02:40 121,344 a------- c:\windows\system32\dllcache\phvfwext.dll
2009-03-10 02:40 79,360 a------- c:\windows\system32\dllcache\phon.ime
2009-03-10 02:40 19,840 a------- c:\windows\system32\dllcache\philtune.sys
2009-03-10 02:40 92,416 a------- c:\windows\system32\dllcache\phildec.sys
2009-03-10 02:40 173,696 a------- c:\windows\system32\dllcache\philcam2.sys
2009-03-10 02:38 54,186 a------- c:\windows\system32\dllcache\otcsercb.sys
2009-03-10 02:37 27,936 a------- c:\windows\system32\dllcache\n9i3d.sys
2009-03-10 02:36 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-03-10 02:35 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll
2009-03-10 02:34 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-10 02:33 20,480 a------- c:\windows\system32\dllcache\icam5ext.dll
2009-03-10 02:32 199,711 a------- c:\windows\system32\dllcache\hsf_faxx.sys
2009-03-10 02:31 17,408 a------- c:\windows\system32\dllcache\gpr400.sys
2009-03-10 02:30 137,088 a------- c:\windows\system32\dllcache\essm2e.sys
2009-03-10 02:29 8,704 a------- c:\windows\system32\dllcache\dot4scan.sys
2009-03-10 02:28 27,648 a------- c:\windows\system32\dllcache\cyyports.dll
2009-03-10 02:27 195,618 a------- c:\windows\system32\dllcache\c_10002.nls
2009-03-10 02:26 10,880 a------- c:\windows\system32\dllcache\admjoy.sys
2009-03-09 22:29 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-09 22:17 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-03-09 20:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-09 05:58 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 05:58 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 04:26 2,148 a------- c:\windows\system32\wpa.dbl
2009-03-08 17:25 <DIR> --d----- c:\program files\Super Internet TV
2009-03-08 03:48 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2009-03-07 22:48 3 a------- c:\windows\system32\bactname
2009-03-07 18:58 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 23:05 <DIR> --d----- C:\Heroes of Might and Magic III Complete
2009-02-22 20:21 <DIR> --d----- c:\program files\vSoft
2009-02-22 20:13 1,772,288 a------- c:\docume~1\harry\applic~1\Integrator.exe
2009-02-12 17:30 <DIR> --d----- c:\program files\vanBasco's Karaoke Player
==================== Find3M ====================
2009-03-01 17:47 139,152 a------- c:\docume~1\harry\applic~1\GDIPFONTCACHEV1.DAT
2009-02-10 22:12 796,672 a------- c:\windows\GPInstall.exe
2009-02-09 20:56 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-01-28 19:06 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-12-24 17:18 1,969 a------- c:\windows\system32\mmf.sys
2008-12-22 15:48 2,396 a------- c:\windows\eReg.dat
2008-12-01 19:16 88 a--shr-- c:\docume~1\alluse~1\applic~1\BF835C99C3.sys
2008-12-01 19:16 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-08-23 19:39 94,208 a------- c:\docume~1\harry\applic~1\ezplay.sys
2008-08-23 19:38 47,360 a------- c:\docume~1\harry\applic~1\pcouffin.sys
2008-06-17 19:28 38 a------- c:\documents and settings\harry\A.BAT
1999-09-26 15:25 589,824 a------- c:\documents and settings\harry\VOBMerger.exe
2008-03-10 04:06 66,936 a--sh--- c:\windows\dlinfo_0.drv
2006-11-08 21:14 104 ---shr-- c:\windows\system32\C3995C83BF.sys
============= FINISH: 19:50:34.64 ===============
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-7-21 2560]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]
=============== Created Last 30 ================
2009-03-11 23:55 <DIR> --d----- C:\cmdcons
2009-03-11 23:54 161,792 a------- c:\windows\SWREG.exe
2009-03-11 23:54 98,816 a------- c:\windows\sed.exe
2009-03-11 22:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-11 22:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-11 22:16 <DIR> --d----- c:\docume~1\harry\applic~1\SUPERAntiSpyware.com
2009-03-11 20:56 <DIR> --d----- C:\autoruns
2009-03-11 01:16 <DIR> --d----- c:\docume~1\harry\applic~1\Malwarebytes
2009-03-11 01:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 01:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 01:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 01:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-11 01:01 54,472 a------- c:\windows\system32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-11 01:01 788 a------- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2009-03-10 03:41 <DIR> --d----- C:\New Folder (2)
2009-03-10 02:55 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-10 02:55 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-10 02:55 17,408 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-03-10 02:55 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-03-10 02:53 35,871 a------- c:\windows\system32\dllcache\wbfirdma.sys
2009-03-10 02:52 113,762 a------- c:\windows\system32\dllcache\usrpda.sys
2009-03-10 02:51 216,064 a------- c:\windows\system32\dllcache\um34scan.dll
2009-03-10 02:50 81,408 a------- c:\windows\system32\dllcache\tgiul50.dll
2009-03-10 02:49 48,736 a------- c:\windows\system32\dllcache\srwlnd5.sys
2009-03-10 02:48 45,568 a------- c:\windows\system32\dllcache\smb3w.dll
2009-03-10 02:47 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-03-10 02:46 210,496 a------- c:\windows\system32\dllcache\s3mvirge.dll
2009-03-10 02:45 20,736 a------- c:\windows\system32\dllcache\ramdisk.sys
2009-03-10 02:40 482,304 a------- c:\windows\system32\dllcache\pintlgnt.ime
2009-03-10 02:40 175,104 a------- c:\windows\system32\dllcache\pintlcsa.dll
2009-03-10 02:40 70,144 a------- c:\windows\system32\dllcache\pintlphr.exe
2009-03-10 02:40 53,760 a------- c:\windows\system32\dllcache\pintlcsd.dll
2009-03-10 02:40 121,344 a------- c:\windows\system32\dllcache\phvfwext.dll
2009-03-10 02:40 79,360 a------- c:\windows\system32\dllcache\phon.ime
2009-03-10 02:40 19,840 a------- c:\windows\system32\dllcache\philtune.sys
2009-03-10 02:40 92,416 a------- c:\windows\system32\dllcache\phildec.sys
2009-03-10 02:40 173,696 a------- c:\windows\system32\dllcache\philcam2.sys
2009-03-10 02:38 54,186 a------- c:\windows\system32\dllcache\otcsercb.sys
2009-03-10 02:37 27,936 a------- c:\windows\system32\dllcache\n9i3d.sys
2009-03-10 02:36 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-03-10 02:35 58,880 a------- c:\windows\system32\dllcache\m3092dc.dll
2009-03-10 02:34 8,704 a------- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-10 02:33 20,480 a------- c:\windows\system32\dllcache\icam5ext.dll
2009-03-10 02:32 199,711 a------- c:\windows\system32\dllcache\hsf_faxx.sys
2009-03-10 02:31 17,408 a------- c:\windows\system32\dllcache\gpr400.sys
2009-03-10 02:30 137,088 a------- c:\windows\system32\dllcache\essm2e.sys
2009-03-10 02:29 8,704 a------- c:\windows\system32\dllcache\dot4scan.sys
2009-03-10 02:28 27,648 a------- c:\windows\system32\dllcache\cyyports.dll
2009-03-10 02:27 195,618 a------- c:\windows\system32\dllcache\c_10002.nls
2009-03-10 02:26 10,880 a------- c:\windows\system32\dllcache\admjoy.sys
2009-03-09 22:29 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-09 22:17 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-03-09 20:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-09 05:58 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-09 05:58 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 04:26 2,148 a------- c:\windows\system32\wpa.dbl
2009-03-08 17:25 <DIR> --d----- c:\program files\Super Internet TV
2009-03-08 03:48 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2009-03-07 22:48 3 a------- c:\windows\system32\bactname
2009-03-07 18:58 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 23:05 <DIR> --d----- C:\Heroes of Might and Magic III Complete
2009-02-22 20:21 <DIR> --d----- c:\program files\vSoft
2009-02-22 20:13 1,772,288 a------- c:\docume~1\harry\applic~1\Integrator.exe
2009-02-12 17:30 <DIR> --d----- c:\program files\vanBasco's Karaoke Player
==================== Find3M ====================
2009-03-01 17:47 139,152 a------- c:\docume~1\harry\applic~1\GDIPFONTCACHEV1.DAT
2009-02-10 22:12 796,672 a------- c:\windows\GPInstall.exe
2009-02-09 20:56 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-01-28 19:06 98,304 a------- c:\windows\system32\CmdLineExt.dll
2008-12-24 17:18 1,969 a------- c:\windows\system32\mmf.sys
2008-12-22 15:48 2,396 a------- c:\windows\eReg.dat
2008-12-01 19:16 88 a--shr-- c:\docume~1\alluse~1\applic~1\BF835C99C3.sys
2008-12-01 19:16 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-08-23 19:39 94,208 a------- c:\docume~1\harry\applic~1\ezplay.sys
2008-08-23 19:38 47,360 a------- c:\docume~1\harry\applic~1\pcouffin.sys
2008-06-17 19:28 38 a------- c:\documents and settings\harry\A.BAT
1999-09-26 15:25 589,824 a------- c:\documents and settings\harry\VOBMerger.exe
2008-03-10 04:06 66,936 a--sh--- c:\windows\dlinfo_0.drv
2006-11-08 21:14 104 ---shr-- c:\windows\system32\C3995C83BF.sys
============= FINISH: 19:50:34.64 ===============
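Added example (not part of the thread or of the DDS tool) showing how a helper might triage a DDS log like the one above: it parses the Run-key lines (`mRun`, `dRun`, `mRunOnce`) and the `SERVICES / DRIVERS` lines, and flags entries whose image lives under a temp or recycler folder, whose file is missing on disk (the trailing `[?]`), or that launch an executable from the drive root. The sample lines are constructed from the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, copied in shape from the DDS log above.
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [Cleanup] C:\cleanup.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-7-31 821856]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\harry\locals~1\temp\asbp2poa.sys --> c:\docume~1\harry\locals~1\temp\asbp2poa.sys [?]
"""

# Locations a driver or autostart entry should normally not be loaded from.
TEMP_DIRS = ("\\temp\\", "\\recycler\\", "\\temporary internet files\\")

@dataclass
class Finding:
    line: str
    reasons: list

def parse_run_entry(line):
    """Split 'mRun: [Name] command' style lines into kind, name and command."""
    m = re.match(r"^(mRun|mRunOnce|dRun|dRunOnce|uRun|uRunOnce):\s*\[(.+?)\]\s*(.*)$", line)
    if not m:
        return None
    return {"kind": m.group(1), "name": m.group(2), "command": m.group(3)}

def parse_service_entry(line):
    """Split 'R1 Name;Display;path [date size]' style service/driver lines."""
    m = re.match(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$", line)
    if not m:
        return None
    return {"state": m.group(1), "name": m.group(2), "display": m.group(3), "path": m.group(4)}

def triage_line(line):
    """Return a Finding for a recognised line, with zero or more risk indicators."""
    reasons = []
    run, svc = parse_run_entry(line), parse_service_entry(line)
    if run:
        path = run["command"].lower()
        if run["kind"].endswith("Once"):
            reasons.append("RunOnce entry: runs once at next logon, then is removed")
        if re.match(r"^[a-z]:\\[^\\]+\.exe", path):
            reasons.append("executable in drive root")
    elif svc:
        path = svc["path"].lower()
        if path.rstrip().endswith("[?]"):
            reasons.append("file missing on disk ([?])")
    else:
        return None
    if any(t in path for t in TEMP_DIRS):
        reasons.append("loads from a temp/recycler path")
    return Finding(line, reasons)

def triage_log(text):
    """Keep only the parsed lines that carry at least one indicator."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f and f.reasons]
```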
#4
Posted 14 March 2009 - 07:13 AM
All of these programs are OLD and either have or may have exploited code. You should remove them and update to current versions if possible when we're done.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Macromedia Flash 5
Macromedia Flash Player 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
This Anti-Virus AVG 7.5 is old and should be updated to version 8 or another AV application.
STEP 01
These are exploited and MUST be removed now
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
- Double-click on JavaRa.exe to start the program.
- From the drop-down menu, choose English and click on Select.
- JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
- A logfile will pop up. Please save it to a convenient location and post it back when you reply
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java
STEP 02
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
STEP 03
- Please create a BOOTLOG
- Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
- Select "Enable Boot Logging" option and press enter.
- Windows prompts you to select a Windows installation (even if there is only one Windows installation)
- This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
If you're already running inside Windows you can enable it the following way.
- Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
- Click on OK and you will be prompted to RESTART Windows. Please do restart now.
- After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
- From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
- Note: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator
- The tab is called BOOT on Vista. Then choose Boot log
STEP 04
RootRepeal - Rootkit Detector
- Please download the following tool: RootRepeal - Rootkit Detector
- Direct download link is here: RootRepeal.rar
- If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
- Extract the program file to a new folder such as C:\RootRepeal
- Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
- Select ALL of the checkboxes and then click OK and it will start scanning your system.
- If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
- When done, click on Save Report
- Save it to the same location where you ran it from, such as C:\RootRepeal
- Save it as your_name_rootrepeal.txt - where your_name is your forum name
- This makes it easier to track who the log belongs to.
- Then open that log and select all and copy/paste it back on your next reply please.
- Quit the RootRepeal program.