Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

New HiJackThis Log - brastk and/or karna?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 4th, 2008, 1:15 pm

Yes it is not there.

But I want you to upload this to Jotti/Virustotal according to my previous instructions :)

c:\windows\system32\DRIVERS\ssfs0bbc.sys
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top
Advertisement
Register to Remove

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 4th, 2008, 1:29 pm

File ssfs0bbc.sys received on 12.04.2008 18:19:13 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.12.5.0 2008.12.04 -
AntiVir 7.9.0.36 2008.12.04 -
Authentium 5.1.0.4 2008.12.04 -
Avast 4.8.1281.0 2008.12.03 -
AVG 8.0.0.199 2008.12.04 -
BitDefender 7.2 2008.12.04 -
CAT-QuickHeal 10.00 2008.12.04 -
ClamAV 0.94.1 2008.12.04 -
DrWeb 4.44.0.09170 2008.12.04 -
eSafe 7.0.17.0 2008.12.04 -
eTrust-Vet 31.6.6243 2008.12.04 -
Ewido 4.0 2008.12.04 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.04 -
Fortinet 3.117.0.0 2008.12.04 -
GData 19 2008.12.04 -
Ikarus T3.1.1.45.0 2008.12.04 -
K7AntiVirus 7.10.543 2008.12.04 -
Kaspersky 7.0.0.125 2008.12.04 -
McAfee 5453 2008.12.03 -
McAfee+Artemis 5453 2008.12.03 -
Microsoft 1.4205 2008.12.04 -
NOD32 3664 2008.12.04 -
Norman 5.80.02 2008.12.04 -
Panda 9.0.0.4 2008.12.04 -
PCTools 4.4.2.0 2008.12.04 -
Prevx1 V2 2008.12.04 -
Rising 21.06.32.00 2008.12.04 -
SecureWeb-Gateway 6.7.6 2008.12.04 -
Sophos 4.36.0 2008.12.04 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.04 -
TheHacker 6.3.1.2.174 2008.12.04 -
TrendMicro 8.700.0.1004 2008.12.04 -
ViRobot 2008.12.4.1500 2008.12.04 -
VirusBuster 4.5.11.0 2008.12.04 -
Additional information
File size: 29808 bytes
MD5...: 1097fe3528c825e54c1d52ed8c0eac0f
SHA1..: 07ecf7a8a831a9fa497da88c43277945407034da
SHA256: ca674051efc90a2ffd6512c013ec6bf265cc4ffe299272dda4124c94b4a722a0
SHA512: f09b110efe707eac74fb30258447af266d52d4533fb0d317235dfdda313c25a9
863d8776b8a55f522aedfe62d94449400134d2c1258495666c06092d68f8ee39

ssdeep: 384:38luNNHPurZEUupgqgEfTbkgTUSxgCF5FcNFgNGCYJLWd6jlYbSopxT:kuNh
u9FgnkgTUOfFXWouLAm6bSof

PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x18005
timedatestamp.....: 0x491b65e2 (Wed Nov 12 23:25:22 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x228a 0x2400 6.15 f61ac67b8234743ebd36a3514aa38f95
.rdata 0x4000 0x405 0x600 3.00 ab78d4acba4dd2e2c707d0d443d962ea
.data 0x5000 0x570 0x400 2.74 f53d25be448882228cfcf3b459cf6cd7
PAGE 0x6000 0x13dd 0x1400 6.21 d6059e79218ca4e05e58e310dc032d42
INIT 0x8000 0x7dc 0x800 5.41 ee251459858802cf2b5cd278b2ba7006
.rsrc 0x9000 0x480 0x600 2.70 b295d2e138a79c0cba2369e245e9a4e0
.reloc 0xa000 0x46a 0x600 4.76 2042c398f3848faafa6d1df21ecd3ba0

( 2 imports )
> ntoskrnl.exe: IoDeleteDevice, IoDetachDevice, wcsncmp, ObQueryNameString, MmGetSystemRoutineAddress, ExDeleteNPagedLookasideList, ObfDereferenceObject, IoGetBaseFileSystemDeviceObject, IoGetDeviceObjectPointer, PsGetVersion, IoRegisterFsRegistrationChange, ExInitializeNPagedLookasideList, InitSafeBootMode, IoDeleteSymbolicLink, IoAttachDeviceToDeviceStackSafe, IoCreateSymbolicLink, memset, IoCreateDevice, RtlQueryRegistryValues, KeDelayExecutionThread, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, IofCallDriver, KeSetEvent, KeWaitForSingleObject, IoFreeWorkItem, IofCompleteRequest, IoQueueWorkItem, IoAllocateWorkItem, KeBugCheckEx, memcpy, ExAllocatePoolWithTag, RtlIntegerToUnicodeString, RtlAppendUnicodeStringToString, RtlInitUnicodeString, ExFreePoolWithTag, KeTickCount, KeInitializeEvent, ZwClose, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwOpenKey, ZwCreateKey, ZwQueryValueKey, ZwSetValueKey, RtlFreeUnicodeString
> HAL.dll: KeReleaseQueuedSpinLock, KeGetCurrentIrql, KfAcquireSpinLock, KfReleaseSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeAcquireQueuedSpinLock

( 0 exports )
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 4th, 2008, 1:46 pm

That looks like to be ok (related to Spy Sweeper).

Unless via add/remove programs:

MalwareRemovalBot

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

Folder::
c:\documents and settings\Sue\Application Data\MalwareRemovalBot
c:\program files\MalwareRemovalBot
c:\documents and settings\Tony\Application Data\MalwareRemovalBot

Driver::
pnicml


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 4th, 2008, 2:28 pm

ComboFix 08-12-03.04 - Tony 2008-12-04 9:53:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.515 [GMT -8:00]
Running from: c:\documents and settings\Tony\Desktop\Gameboy.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sue\Application Data\MalwareRemovalBot
c:\documents and settings\Sue\Application Data\MalwareRemovalBot\Log\2008 Nov 26 - 01_48_51 PM_937.log
c:\documents and settings\Sue\Application Data\MalwareRemovalBot\Log\2008 Nov 30 - 04_32_39 PM_109.log
c:\documents and settings\Sue\Application Data\MalwareRemovalBot\rs.dat
c:\documents and settings\Tony\Application Data\MalwareRemovalBot
c:\documents and settings\Tony\Application Data\MalwareRemovalBot\Log\2008 Dec 02 - 12_54_00 PM_531.log
c:\program files\MalwareRemovalBot
c:\program files\MalwareRemovalBot\DataBase.ref
c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
c:\program files\MalwareRemovalBot\MalwareRemovalBot.url
c:\program files\MalwareRemovalBot\SpyCleaner.dll
c:\program files\MalwareRemovalBot\TCL.dll
c:\program files\MalwareRemovalBot\vistaCPtasks.xml
c:\program files\MalwareRemovalBot\zlib.dll
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNICML
-------\Service_pnicml


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 10:19 . 2008-12-03 10:33 <DIR> d-------- C:\!KillBox
2008-12-02 10:35 . 2008-12-03 11:51 <DIR> d-------- C:\rsit
2008-12-01 10:51 . 2008-12-01 10:51 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 12:39 . 2008-11-26 12:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-26 12:39 . 2008-11-26 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 13:23 . 2008-11-24 13:23 <DIR> d-------- c:\documents and settings\Administrator.D1PR0F21\Application Data\Share-to-Web Upload Folder
2008-11-24 10:26 . 2003-02-12 12:04 <DIR> d-------- c:\documents and settings\Administrator.D1PR0F21\Application Data\Roxio
2008-11-24 10:26 . 2008-11-24 10:26 <DIR> d-------- c:\documents and settings\Administrator.D1PR0F21
2008-11-21 14:48 . 2008-11-21 14:48 <DIR> d-------- C:\Binaries
2008-11-21 14:42 . 2008-11-21 14:42 <DIR> d-------- c:\program files\Webroot
2008-11-21 14:42 . 2008-11-21 14:42 <DIR> d-------- c:\documents and settings\Tony\Application Data\Webroot
2008-11-21 14:42 . 2008-11-25 11:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-11-21 14:42 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-12 16:02 . 2008-11-12 16:02 170,608 --a------ c:\windows\SYSTEM32\DRIVERS\ssidrv.sys
2008-11-12 16:02 . 2008-11-12 16:02 29,808 --a------ c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys
2008-11-12 16:02 . 2008-11-12 16:02 23,152 --a------ c:\windows\SYSTEM32\DRIVERS\sshrmd.sys
2008-11-12 15:40 . 2008-11-12 15:40 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-09 19:09 . 2008-11-09 19:09 <DIR> d-------- c:\windows\.jagex_cache_32
2008-11-09 19:09 . 2008-11-13 20:09 30 --a------ c:\documents and settings\Tony\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 16:50 --------- d-----w c:\program files\McAfee
2008-11-05 17:57 --------- d-----w c:\documents and settings\Tony\Application Data\AdobeUM
2008-11-01 17:55 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-27 04:44 --------- d-----w c:\documents and settings\Tony\Application Data\Image Zone Express
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:19 --------- d-----w c:\documents and settings\Tony\Application Data\Move Networks
2008-10-16 17:30 --------- d-----w c:\program files\iTunes
2008-10-16 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 17:29 --------- d-----w c:\program files\iPod
2008-10-13 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-09-18 05:04 2,256 ----a-w c:\windows\current_settings.bin
2008-09-16 22:31 97,632 ----a-w c:\documents and settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
2008-09-10 05:20 94,208 ----a-w c:\windows\MXOALDR.EXE
2008-08-27 03:24 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-02 18:52 87,832 ----a-w c:\documents and settings\Sue\Application Data\GDIPFONTCACHEV1.DAT
2008-04-02 15:25 319 ---ha-w c:\documents and settings\Sue\hpothb07.dat
2007-08-16 23:37 96,184 -c--a-w c:\documents and settings\Andie\Application Data\GDIPFONTCACHEV1.DAT
2006-11-13 17:04 0 ----a-w c:\documents and settings\Christina\DesktopDoctor1.5.1.exe
2006-09-25 02:59 0 ----a-w c:\documents and settings\Sue\DesktopDoctor1.5.1.exe
2005-11-25 20:42 0 ----a-w c:\documents and settings\Andie\DesktopDoctor1.0.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_12.56.49.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-03 19:58:46 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-12-04 16:26:30 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-12-03 19:58:46 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-12-04 16:26:30 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-12-03 19:58:46 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-12-04 16:26:30 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-03-25 684032]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-03-29 794112]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-06-22 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Music Now"="c:\program files\Music Now\MusicNow.exe" [2006-08-23 913016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-03-20 442499]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2008-09-09 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"nwiz"="nwiz.exe" [2005-08-02 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\Tony\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-05-27 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-02-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" [2008-11-21 1086840]
R3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;\??\c:\windows\system32\Drivers\OA002Afx.sys [2008-07-31 148056]
R3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\DRIVERS\OA002Ufd.sys [2008-07-31 142432]
R3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\DRIVERS\OA002Vid.sys [2008-07-31 265568]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-07-31 31616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-09 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (1) (D1PR0F21-Tony).job
- c:\progra~1\mcafee.com\vso\mcmnhdlr.exe []

2006-08-01 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-03 23:56]

2006-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-04 c:\windows\Tasks\User_Feed_Synchronization-{2FACE13A-C328-4F57-9E48-58DDA4EF5DAF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = iexplore

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\5al16tks.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 10:05:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-12-04 10:13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 18:12:52
ComboFix2.txt 2008-12-03 20:58:33

Pre-Run: 19,464,101,888 bytes free
Post-Run: 19,429,605,376 bytes free

230 --- E O F --- 2008-11-21 23:18:24


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:16 AM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Music Now] C:\Program Files\Music Now\MusicNow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://support.dell.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10415 bytes
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 4th, 2008, 2:31 pm

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 4th, 2008, 11:29 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 16:03:39
Records in database: 1436568
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 144224
Threat name: 11
Infected objects: 11
Suspicious objects: 6
Duration of the scan: 03:29:41


File name / Threat name / Threats count
C:\!KillBox\( 3) Infected: Rootkit.Win32.Clbd.lc 1
C:\!KillBox\( 4) Infected: Backdoor.Win32.TDSS.atb 1
C:\!KillBox\( 5) Infected: Backdoor.Win32.TDSS.asz 1
C:\!KillBox\( 7) Infected: Backdoor.Win32.TDSS.blh 1
C:\!KillBox\( 8) Infected: Backdoor.Win32.TDSS.bkw 1
C:\Documents and Settings\Tony\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Home PC.dbx Infected: Email-Worm.Win32.Gibe.b 1
C:\Documents and Settings\Tony\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.r 1
C:\Documents and Settings\Tony\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Mht 2
C:\Documents and Settings\Tony\My Documents\hijackthis_2.log Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Tony\My Documents\Temp\hijackthis_081201.log Suspicious: Exploit.HTML.Mht 1
C:\Program Files\Trend Micro\HijackThis\HiJackThis\hijackthis_081202.log Suspicious: Exploit.HTML.Mht 1
C:\Qoobox\Quarantine\C\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe.vir Infected: not-a-virus:FraudTool.Win32.AntiSpyWare2008.ai 1
C:\Qoobox\Quarantine\C\Program Files\MalwareRemovalBot\_SpyCleaner_.dll.zip Infected: not-a-virus:FraudTool.Win32.SpywareStop.jq 1
C:\rsit\newlog.txt Suspicious: Exploit.HTML.Mht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000136.exe Infected: not-a-virus:FraudTool.Win32.AntiSpyWare2008.ai 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000218.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1

The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:28 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Music Now] C:\Program Files\Music Now\MusicNow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://support.dell.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10412 bytes
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 5th, 2008, 5:14 am

Looks good :)

These are false positives:

C:\Documents and Settings\Tony\My Documents\hijackthis_2.log Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Tony\My Documents\Temp\hijackthis_081201.log Suspicious: Exploit.HTML.Mht 1
C:\Program Files\Trend Micro\HijackThis\HiJackThis\hijackthis_081202.log Suspicious: Exploit.HTML.Mht 1
C:\rsit\newlog.txt Suspicious: Exploit.HTML.Mht 1

Empty these folders:

C:\!KillBox
C:\Qoobox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 5th, 2008, 12:30 pm

I emptied those folders. No apparent problems any longer.
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 5th, 2008, 1:14 pm

Great :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 11.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

You can delete rsit and c:\rsit folder

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 5th, 2008, 1:26 pm

Thanks for getting my PC clean! I am experiencing a problem (error - that's all it says) downloading JavaRa. Any other sites for download?
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby raktball » December 5th, 2008, 1:29 pm

Nevermind - 2nd attempt successful
raktball
Regular Member
 
Posts: 23
Joined: November 24th, 2008, 3:14 pm
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 5th, 2008, 1:36 pm

Glad to hear that it sorted out :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top

Re: New HiJackThis Log - brastk and/or karna?

Unread postby Shaba » December 6th, 2008, 6:19 am

raktball this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Top
Advertisement
Register to Remove
Previous
Topic locked

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 137 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index