Press F1
 
Thread ID: 88380 2008-03-25 12:27:00 ntos.exe virus, HJT log posted, pls help, thank you. vladmir (13538) Press F1
652701 2008-03-25 12:27:00 Hello all.
This is my brother's laptop.
He started getting warnings in the ZoneAlarm firewall; the picture is posted below:
img181.imagevenue.com

The firewall is on, but alerts about outbound email attachments etc. are switched off, as they continuously pop up, and if you deny them, the internet connection doesn't work.

In the HijackThis log, an ntos.exe process comes up.
My brother has changed his banking and email passwords from my clean computer, so hopefully even with the stolen data nothing will be gained (I hope).
Just wanted to add another picture.
It is a "Warning! Spyware detected on your computer" message.
Please view it here:
img127.imagevenue.com


Would really appreciate help in analysing this logfile, thank you.

XP+sp2 installed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:59 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
C:\WINDOWS\system32\ESB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Net4India\Net4Connect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\system32\COMET.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: QuickTalk 2.1 - {CF26FAC0-7D4E-46D8-AE64-B277B11443AC} - C:\WINDOWS\system32\iesearch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\system32\ESB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F61396-ECBB-4A89-B15A-EACFE89765E9}: NameServer = 10.24.0.2,xxx.xx.xxx.xx
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4967 bytes
vladmir (13538)
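The F2 line in the log above is the one that matters: the Userinit value under Winlogon is a comma-separated list and Windows starts every entry in it at logon, so ntos.exe appended after the stock userinit.exe is persistence that survives reboots. The O20 Winlogon Notify DLL is loaded into winlogon.exe by the same mechanism. The following is an added example, not code from the thread and not part of HijackThis, that parses lines in the HijackThis v2 format and flags those two entry kinds plus BHOs living loose in system32; the sample lines are taken from the log above, the clean Userinit value is constructed for contrast, and the system32 BHO rule is a heuristic assumed by this example.

```python
import re

# Constructed sample in HijackThis v2 format: lines copied from the log in the
# post above (one benign O2 and O4 entry kept so the rules have something to skip).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\system32\COMET.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\system32\ESB.EXE
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
"""

# Constructed: what a stock Windows XP Userinit value looks like (trailing comma included).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def userinit_extras(value):
    """Return every entry in a Userinit list other than the stock userinit.exe.
    Winlogon runs each comma-separated entry at logon, so anything extra is a
    persistence mechanism that survives reboots."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def review_hjt(log_text):
    """Scan HijackThis lines and return (section, path, reason) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("F2", extra, "extra Userinit entry runs at every logon"))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(("O20", m.group("path"),
                             "Winlogon Notify DLL is loaded into winlogon.exe; verify the publisher"))
            continue
        m = O2_RE.match(line)
        if m and "\\system32\\" in m.group("path").lower():
            # Heuristic assumed by this example: legitimate BHOs ship under their own
            # Program Files folder; a loose DLL in system32 deserves a second look.
            findings.append(("O2", m.group("path"), "browser helper object living in system32"))
    return findings


if __name__ == "__main__":
    for section, path, reason in review_hjt(SAMPLE_LOG):
        print(f"{section:<4}{path}\n    {reason}")
```

Run against the sample it reports ntos.exe from the F2 line, WLCtrl32.dll from O20 and COMET.DLL from O2, and leaves the Java BHO and the ESB run key alone; the same three paths are the ones SDFix later deleted in this thread.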
652702 2008-03-25 19:25:00 Welcome Vladmir. Run HJT again, tick these, then tick "Fix checked":

O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\system32\COMET.DLL

Get RogueRemover from my sig, update it, then click on Scan.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll <-- delete this file after you reboot

Uninstall all versions of Sun Java; yours is out of date. The update is in my sig.

I would also install an AV program. Try Avast Home, it's free.

I would also get Trojan Remover; it's in my sig. Install and update it, then click on Scan.

Then select all options under Utilities.
Speedy Gonzales (78)
652703 2008-03-25 23:38:00 What you have is a deep trojan that gets your personal details like banking etc., so it needs to come out pronto.


Please download SDFix from here (downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.

=================================


Ok. We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running the tool (www.bleepingcomputer.com/combofix/how-to-use-combofix)


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
Pancake (6359)
652704 2008-03-26 07:34:00 Thank you both Speedy Gonzales and Pancake for your helpful replies!
They say "too many cooks spoil the broth",
so Pancake, I'm going to go with you on this one,
so automatically I will not follow the instructions of Speedy Gonzales, as helpful as they are I'm sure. :)

OK, first I will post the SDFix log, then the ComboFix log, and lastly the updated HJT log.
So here goes:


SDFix: Version 1.161

Run by Administrator on Wed 03/26/2008 at 12:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
cb34336532
sb24640532
XVW68

Path:
%SystemRoot%\System32\svchost.exe -k netsvcs
%SystemRoot%\System32\svchost.exe -k netsvcs
System32\Drivers\Xvw68.sys

cb34336532 - Deleted
sb24640532 - Deleted
XVW68 - Deleted


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting

Service XVW68 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\SYSTEM32\BQLONA~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHSFAPCR.BMP - Deleted
C:\WINDOWS\SYSTEM32\GBALSR.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGRIPG~1.BMP - Deleted
C:\-15966~1 - Deleted
C:\WINDOWS\system32\iesearch.dll - Deleted
C:\WINDOWS\system32\winservcs32.dll - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\drivers\XVW68.sys - Deleted


Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :


Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 12:29:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\USER\ntuser.dat, 3
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 5 Oct 2007 201,133 A.SH. --- "C:\ntdetec1\cmrss.exe"
Fri 5 Oct 2007 201,407 A.SH. --- "C:\ntdetec1\ntdetec1.exe"
Fri 5 Oct 2007 201,289 A.SH. --- "C:\ntdetec1\run.exe"
Fri 5 Oct 2007 201,369 A.SH. --- "C:\ntdetec1\shell32.exe"
Mon 5 Nov 2007 251,797 A.SH. --- "C:\ntdetec1\child\ntdetec1.exe"

Finished!

______________________________________________________________

ComboFix 08-03-25.2 - USER 2008-03-26 12:52:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.618 [GMT 5.5:30]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\comet.dll
C:\WINDOWS\system32\Urncb.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 12:30 . 2008-03-26 12:30 269,334 --a------ C:\WINDOWS\system32\lknqtkjepsjed.bmp
2008-03-26 12:22 . 2008-03-26 12:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-26 12:15 . 2008-03-26 12:30 <DIR> d-------- C:\SDFix
2008-03-26 12:12 . 2008-03-26 12:12 12 --ah----- C:\WINDOWS\system32\mmax_goog.ini
2008-03-25 16:45 . 2008-03-25 16:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 16:45 . 2008-03-25 16:45 812,344 --a------ C:\HJTInstall.exe
2008-03-25 14:49 . 2008-03-25 14:49 18,432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-20 00:14 . 2008-03-20 00:14 46,080 --a------ C:\WINDOWS\system32\1555cb3216c66d3.exe
2008-03-20 00:04 . 2008-03-20 00:04 46,080 --a------ C:\WINDOWS\system32\39d46f71653c6dc9.exe
2008-03-19 23:54 . 2008-03-19 23:54 46,080 --a------ C:\WINDOWS\system32\72f3938485471c2.exe
2008-03-19 23:44 . 2008-03-19 23:44 46,080 --a------ C:\WINDOWS\system32\1e682b0145114e13.exe
2008-03-19 23:34 . 2008-03-19 23:34 46,080 --a------ C:\WINDOWS\system32\37e65fa41a16009.exe
2008-03-19 23:24 . 2008-03-19 23:24 46,080 --a------ C:\WINDOWS\system32\56ea7e4e5a40c9.exe
2008-03-19 23:14 . 2008-03-19 23:14 46,080 --a------ C:\WINDOWS\system32\611373ca44684957.exe
2008-03-19 23:04 . 2008-03-19 23:04 46,080 --a------ C:\WINDOWS\system32\7fdd204e27bf4ee9.exe
2008-03-19 22:54 . 2008-03-19 22:54 46,080 --a------ C:\WINDOWS\system32\571246d67547527d.exe
2008-03-19 22:44 . 2008-03-19 22:44 46,080 --a------ C:\WINDOWS\system32\2a874ddf582154df.exe
2008-03-19 22:34 . 2008-03-19 22:34 46,080 --a------ C:\WINDOWS\system32\41d13b62661b580b.exe
2008-03-19 22:24 . 2008-03-19 22:24 46,080 --a------ C:\WINDOWS\system32\1cc616b1e525cd2.exe
2008-03-19 22:13 . 2008-03-19 22:13 46,080 --a------ C:\WINDOWS\system32\7ba574e9421c61fb.exe
2008-03-19 22:03 . 2008-03-19 22:03 46,080 --a------ C:\WINDOWS\system32\40036d30653f698e.exe
2008-03-19 21:53 . 2008-03-19 21:53 46,080 --a------ C:\WINDOWS\system32\6a3762998771e8.exe
2008-03-19 21:43 . 2008-03-19 21:43 46,080 --a------ C:\WINDOWS\system32\17ec337a2bae731a.exe
2008-03-19 21:33 . 2008-03-19 21:33 46,080 --a------ C:\WINDOWS\system32\67a21b0223da7448.exe
2008-03-19 21:23 . 2008-03-19 21:23 46,080 --a------ C:\WINDOWS\system32\26766b03676b79a6.exe
2008-03-19 21:13 . 2008-03-19 21:13 46,080 --a------ C:\WINDOWS\system32\28f4138955369f.exe
2008-03-19 21:03 . 2008-03-19 21:03 46,080 --a------ C:\WINDOWS\system32\39e64c55dcc60b7.exe
2008-03-19 20:53 . 2008-03-19 20:53 46,080 --a------ C:\WINDOWS\system32\6bc720094bd66948.exe
2008-03-19 20:43 . 2008-03-19 20:43 46,080 --a------ C:\WINDOWS\system32\29baca294b4895.exe
2008-03-16 15:04 . 2008-03-16 15:04 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-08 18:42 . 2008-03-08 18:42 <DIR> d-------- C:\Program Files\Net4India
2008-03-08 18:42 . 2008-03-26 12:52 72 --a------ C:\WINDOWS\Net4Connect.INI
2008-03-08 18:41 . 1998-06-17 00:00 929,844 --------- C:\WINDOWS\system32\Mfc42d.dll
2008-03-08 18:41 . 1998-06-17 00:00 798,773 --------- C:\WINDOWS\system32\Mfco42d.dll
2008-03-08 18:41 . 1998-06-17 00:00 516,173 --------- C:\WINDOWS\system32\Msvcp60d.dll
2008-03-08 18:41 . 1998-06-17 00:00 385,100 --------- C:\WINDOWS\system32\Msvcrtd.dll
2008-03-08 18:41 . 1998-06-17 00:00 41,013 --------- C:\WINDOWS\system32\Mfcn42d.dll
2008-03-04 11:18 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-03-04 11:18 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-03-03 16:17 . 2008-03-03 16:20 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Winamp
2008-03-03 16:17 . 2007-03-08 05:21 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-03-03 16:17 . 2007-03-08 05:21 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-03 16:17 . 2007-03-08 05:21 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-29 11:18 . 2008-02-29 11:18 <DIR> d-------- C:\Program Files\LizardTech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 05:39 11,774,621 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_03_23_22_26_53.dmp.zip
2008-03-23 17:11 --------- d-----w C:\Program Files\Folder Lock
2008-03-20 07:10 852,992 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-03-20 07:10 2,101,760 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-16 09:19 2,101,760 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-03-16 09:17 2,096,640 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-03 10:50 --------- d-----w C:\Program Files\Winamp
2008-03-03 07:50 --------- d-----w C:\Program Files\FlashGet
2008-03-03 06:26 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-29 05:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 05:01 1,940,992 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-27 05:00 15,360 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-26 19:28 1,943,552 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-26 19:14 1,000,448 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-18 10:00 --------- d-----w C:\Program Files\DivX
2008-02-18 09:56 --------- d-----w C:\Program Files\SlySoft
2008-02-18 09:55 --------- d-----w C:\Documents and Settings\USER\Application Data\BeautifulEarth
2008-02-17 10:20 --------- d-sh--r C:\Program Files\Real Spy Monitor
2008-02-09 18:18 841,216 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-09 18:18 1,852,416 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-01-28 04:28 114,688 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-28 04:28 1,793,536 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-23 15:18 245,760 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-23 15:18 1,789,952 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-19 09:14 794,624 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-19 09:12 1,758,720 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-05 10:40 798,720 ----a-w C:\WINDOWS\GPInstall.exe
2007-12-20 00:24 190,976 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-12-20 00:24 1,525,760 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-18 20:20 513,536 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-12-18 20:20 1,521,664 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-12-14 19:15 1,563,136 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-14 19:15 1,516,032 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 17:06 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2007-08-06 18:49 200704 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-24 20:03 864256]
"GenePccMon.exe"="C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe" [2007-09-12 19:48 32768]
"ESB"="C:\WINDOWS\system32\ESB.EXE" [2006-05-29 14:40 266240]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-04-19 18:06 935688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-29 11:02 185784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 04:24 37376]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [2008-03-25 14:49 18432]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^DeskPins.lnk]
path=C:\Documents and Settings\USER\Start Menu\Programs\Startup\DeskPins.lnk
backup=C:\WINDOWS\pss\DeskPins.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealJukeboxSystray]
C:\Program Files\Real\RealJukebox\tsystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-11-29 11:02 214448 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-29 11:02 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-16 04:24 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;C:\WINDOWS\system32\DRIVERS\usbgene.sys [2007-06-26 14:44]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-09-18 14:28]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 16:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cb34336532
sb24640532

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 12:53:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
GenePccMon.exe = C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe???????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-03-26 12:54:24
ComboFix-quarantined-files.txt 2008-03-26 07:23:32
______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:51 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
C:\WINDOWS\system32\ESB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Net4India\Net4Connect.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys Logic PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\system32\ESB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F61396-ECBB-4A89-B15A-EACFE89765E9}: NameServer = 10.24.0.2,xxx.71.xxx.36
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4833 bytes


Ready for further instructions!
Btw, this pesky wallpaper warning is still there, pic is below.
img178.imagevenue.com/img.php?image=16906_spyware2_122_573lo.jpg
vladmir (13538)
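The "Files Created" section of the ComboFix log above carries the other tell-tale: twenty-two executables of exactly 46,080 bytes with random hex names were written into system32 at roughly ten-minute intervals on the evening of 19 March, and none of them appears in the SDFix or ComboFix deletion lists, so they are still on the disk when this HJT log is taken. A run of same-size, random-named binaries landing on a timer is a pattern worth flagging in any created-files timeline, and it is easy for a human to miss in a long listing. The following is an added example, not code from the thread and not part of ComboFix, that parses that section's line format and groups random-named executables by folder and size to report evenly spaced creation bursts; the sample is a subset of the listing above plus a few benign entries from the same log, and the hex-name rule and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ComboFix "Files Created" line format: eight of the
# 46,080-byte executables from the log above plus a few benign entries from the
# same listing, so the detector has something to ignore.
SAMPLE_CREATED = r"""
2008-03-26 12:30 . 2008-03-26 12:30 269,334 --a------ C:\WINDOWS\system32\lknqtkjepsjed.bmp
2008-03-26 12:22 . 2008-03-26 12:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-25 16:45 . 2008-03-25 16:45 812,344 --a------ C:\HJTInstall.exe
2008-03-25 14:49 . 2008-03-25 14:49 18,432 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-20 00:14 . 2008-03-20 00:14 46,080 --a------ C:\WINDOWS\system32\1555cb3216c66d3.exe
2008-03-20 00:04 . 2008-03-20 00:04 46,080 --a------ C:\WINDOWS\system32\39d46f71653c6dc9.exe
2008-03-19 23:54 . 2008-03-19 23:54 46,080 --a------ C:\WINDOWS\system32\72f3938485471c2.exe
2008-03-19 23:44 . 2008-03-19 23:44 46,080 --a------ C:\WINDOWS\system32\1e682b0145114e13.exe
2008-03-19 23:34 . 2008-03-19 23:34 46,080 --a------ C:\WINDOWS\system32\37e65fa41a16009.exe
2008-03-19 23:24 . 2008-03-19 23:24 46,080 --a------ C:\WINDOWS\system32\56ea7e4e5a40c9.exe
2008-03-19 23:14 . 2008-03-19 23:14 46,080 --a------ C:\WINDOWS\system32\611373ca44684957.exe
2008-03-19 23:04 . 2008-03-19 23:04 46,080 --a------ C:\WINDOWS\system32\7fdd204e27bf4ee9.exe
"""

# "<created> . <modified> <size> <attributes> <path>"; the lone dot separates the two timestamps.
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Assumed by this example: a file stem of 12 to 16 hex digits counts as "random-looking".
HEX_STEM = re.compile(r"^[0-9a-f]{12,16}$")


def parse_created(text):
    """Parse ComboFix 'Files Created' lines into dicts; directory entries are skipped."""
    rows = []
    for raw in text.splitlines():
        m = CF_LINE.match(raw.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        rows.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return rows


def find_periodic_drops(rows, min_files=3, max_gap_minutes=15):
    """Group random-named .exe files by (folder, size) and report the groups whose
    creation times are evenly spaced. The thresholds are this example's assumptions."""
    groups = defaultdict(list)
    for r in rows:
        folder, _, name = r["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "exe" and HEX_STEM.match(stem.lower()):
            groups[(folder.lower(), r["size"])].append(r["created"])
    findings = []
    for (folder, size), times in groups.items():
        if len(times) < min_files:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap_minutes:
            findings.append({
                "folder": folder, "size": size, "count": len(times),
                "first": times[0], "last": times[-1],
                "gap_minutes": round(sum(gaps) / len(gaps)),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_drops(parse_created(SAMPLE_CREATED)):
        print(f"{f['count']} x {f['size']} bytes in {f['folder']} "
              f"every ~{f['gap_minutes']} min ({f['first']:%Y-%m-%d %H:%M} to {f['last']:%H:%M})")
```

On the sample it reports one group: eight 46,080-byte binaries in C:\WINDOWS\system32 created every ten minutes between 23:04 and 00:14, while HJTInstall.exe, the Bluetooth agent and the .bmp are ignored. Grouping on size as well as name matters because a dropper that writes the same payload repeatedly produces identical sizes; a legitimate installer writing several differently sized files in a burst will not trip the rule.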
652705 2008-03-26 07:52:00 I mean no disrespect to Pancake, BUT comments like
They say "too many cooks spoil the broth",
so Pancake, I'm going to go with you on this one,
so automatically I will not follow the instructions of Speedy Gonzales, as helpful as they are I'm sure
will sure stop anyone else offering help or make them think twice about it if Pancake's fixes don't work. Not too sure how often Pancake comes here, but other VERY knowledgeable people (Speedy for one) are here a lot - and going by the comment
Btw, this pesky wallpaper warning is still there, pic is below
means it's not fixed. Combined knowledge of a few is often better than one single person's.

Getting rid of that wallpaper shouldn't be too hard. You can try this - right click the Desktop, Properties / Desktop Tab / Customize Desktop / Web, untick "My Current home page" if it's selected. You should be able to change the desktop - that's if the bugs are gone.
wainuitech (129)
652706 2008-03-26 11:02:00 I mean no Disrespect to Pancake BUT comments like Will sure stop any one else offering help or thinking twice about it if pancakes fixes don't work , Not to sure how often Pancake comes here, but other VERY knowledgeable people ( speedy for one) are here a lot - and going so far by the comment Means its not fixed. - Combined knowledge of a few is often better than 1 single one.

Getting rid of that wall paper shouldn't be to hard. You can try this - right click the Desktop, Properties/ Desktop Tab/ Customize Desktop/ Web Untick "My Current home page" if its selected. you should be able to change the desktop - thats if the bugs are gone.

wainuitech, I'm sure Speedy KNOWS that I didn't mean any disrespect.
I have frequently seen it said on security forums like castlecops.com or bleepingcomputer.com that, at any one point, you should only listen to one person at a time, preferably one who is an expert.
I am sure about one thing: I am NOT an expert.
So, when I saw Pancake's signature,
I saw that he is a member of UNITE and ASAP, so he is an expert.
And Speedy's good advice hasn't fallen on deaf ears.

> Uninstall all versions of Sun Java, yours is out of date, update is in my sig
>
> I would also install an AV program. Try Avast Home, it's free.
>
> I would also get Trojan Remover, it's in my sig. Install and update it then click on scan.
This will be done, as soon as the matter at hand is solved!
Cheers.
vladmir (13538)
652707 2008-03-26 11:18:00 EDIT: Just wanted to add something here. wainuitech, that option was already unchecked.
Another little worrying thing is that this warning is a wallpaper, BUT IT HAS RANDOM NAMES THAT KEEP CHANGING! So I will shut down with a different wallpaper, but on reboot the same warning will come up, with a different random name for the wallpaper file.
So, some part of the infection is still there, even though I don't see anything in the HJT log, but again, I don't know what I am talking about.
vladmir (13538)
652708 2008-03-26 19:00:00
> EDIT: Just wanted to add something here. wainuitech, that option was already unchecked.
> Another little worrying thing is that this warning is a wallpaper, BUT IT HAS RANDOM NAMES THAT KEEP CHANGING! So I will shut down with a different wallpaper, but on reboot the same warning will come up, with a different random name for the wallpaper file.
> So, some part of the infection is still there, even though I don't see anything in the HJT log, but again, I don't know what I am talking about.
Just because someone has something in their sig doesn't mean they know everything.

I do this for a living, and I don't have anything saying I belong to whoever. As I said before, I mean no disrespect to Pancake whatsoever - but even going by your own comments your PC is still infected.

SDFix and ComboFix are not the full answer - personally I have found they miss LOTS and are only a small part of what's required to clean out the PC. Wasn't that long ago ComboFix was actually causing more problems than it fixed (just google it and see the comments).

If you look in my sig there are several spyware removers, download and run those as well as a GOOD antivirus program. You also may need to turn off System Restore, as the PC is more than likely reinfecting every time you reboot.
wainuitech (129)
652709 2008-03-26 20:13:00 Just an update to the comments above - that virus is a real nasty to remove, it loads LOOOOOOTS of variants - you need to use a good AV to start with - there is a manual way to remove it, but you will need your XP CD, and time. But first download SUPERAntiSpyware (http://www.superantispyware.com/). Install it and run it.

Next download
Nod32 Trial (www.eset.com/download/index.php), install it, then go to This Thread (pressf1.pcworld.co.nz/showthread.php?t=87883&page=2), Post 12, where I have listed how to set Nod up. Run a full scan.

Turn off System Restore first - important, because when you reboot it will automatically reinfect.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart the computer.


I'll look back later - as I have work to do.
wainuitech (129)
652710 2008-03-26 21:31:00 Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *Notepad* and copy/paste the text in the quotebox below into it:




Killall::

File::
C:\WINDOWS\system32\lknqtkjepsjed.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\1555cb3216c66d3.exe
C:\WINDOWS\system32\39d46f71653c6dc9.exe
C:\WINDOWS\system32\72f3938485471c2.exe
C:\WINDOWS\system32\1e682b0145114e13.exe
C:\WINDOWS\system32\37e65fa41a16009.exe
C:\WINDOWS\system32\56ea7e4e5a40c9.exe
C:\WINDOWS\system32\611373ca44684957.exe
C:\WINDOWS\system32\7fdd204e27bf4ee9.exe
C:\WINDOWS\system32\571246d67547527d.exe
C:\WINDOWS\system32\2a874ddf582154df.exe
C:\WINDOWS\system32\41d13b62661b580b.exe
C:\WINDOWS\system32\1cc616b1e525cd2.exe
C:\WINDOWS\system32\7ba574e9421c61fb.exe
C:\WINDOWS\system32\40036d30653f698e.exe
C:\WINDOWS\system32\6a3762998771e8.exe
C:\WINDOWS\system32\17ec337a2bae731a.exe
C:\WINDOWS\system32\67a21b0223da7448.exe
C:\WINDOWS\system32\26766b03676b79a6.exe
C:\WINDOWS\system32\28f4138955369f.exe
C:\WINDOWS\system32\39e64c55dcc60b7.exe
C:\WINDOWS\system32\6bc720094bd66948.exe
C:\WINDOWS\system32\29baca294b4895.exe
C:\WINDOWS\Thumbs.db

Folder::
C:\WINDOWS\Internet Logs




Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

users.pandora.be (CFScript.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*
Pancake (6359)
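As an added example (not code from this thread, from ComboFix or from its author), a small Python parser for the CFScript format posted above that groups the File:: entries by the indicator pattern the thread describes: hex-only executable names and a random-lettered .bmp wallpaper dropped into system32. The sample script is constructed from a few of the paths above, and the name-length thresholds and labels are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the CFScript format posted in this thread: a bare
# Killall:: directive, a File:: section and a Folder:: section, with a few of
# the thread's own paths.
SAMPLE_CFSCRIPT = """Killall::

File::
C:\\WINDOWS\\system32\\lknqtkjepsjed.bmp
C:\\WINDOWS\\system32\\mmax_goog.ini
C:\\WINDOWS\\system32\\1555cb3216c66d3.exe
C:\\WINDOWS\\system32\\39d46f71653c6dc9.exe
C:\\WINDOWS\\Thumbs.db

Folder::
C:\\WINDOWS\\Internet Logs
"""

# Hex-only basename of 13-16 characters (assumed range) like the system32
# executables listed in the script.
HEX_NAME = re.compile(r"^[0-9a-f]{13,16}\.exe$", re.IGNORECASE)
# Random lowercase letters with a .bmp extension in system32: the rotating
# "Spyware Detected" wallpaper the thread describes (length threshold assumed).
RANDOM_BMP = re.compile(r"^[a-z]{8,}\.bmp$")

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Section::' blocks; bare directives map to []."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def classify(path: str) -> str:
    """Label a Windows path with the indicator pattern it matches, or 'other'."""
    folder, _, name = path.rpartition("\\")
    in_system32 = folder.lower().endswith("\\system32")
    if in_system32 and HEX_NAME.match(name):
        return "hex-named-exe"
    if in_system32 and RANDOM_BMP.match(name):
        return "wallpaper-bmp"
    return "other"

def triage(text: str) -> Dict[str, List[str]]:
    """Group the File:: entries of a CFScript by indicator type."""
    groups: Dict[str, List[str]] = {}
    for path in parse_cfscript(text).get("File", []):
        groups.setdefault(classify(path), []).append(path)
    return groups
```

Run over a real directory listing instead of the script, the same classifier gives a quick triage of which system32 files match the naming pattern before deciding what to submit to an AV vendor or list in a script.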