Author Topic: computers getting wacked (Read 459 times)

brave · « **on:** September 05, 2007, 12:20:16 PM »

everythings just getting wierd, msn isnt working right, i cant adjust my clock, computer getting slower
someone take a look at this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:08 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1186352683\ee\aolsoftware.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1186352683\ee\aim6.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Wireless\IEEE802.11b WLAN Cardbus Card\WLCPCCfg.exe
C:\Program Files\fbquick\loader.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\fbquick\fbquick-8\fbquick.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186352683\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: fbquick.lnk = C:\Program Files\fbquick\loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: IEEE802.11b WLAN Cardbus Card Utility.lnk = C:\Program Files\Wireless\IEEE802.11b WLAN Cardbus Card\WLCPCCfg.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170266177694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170992631270
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7375 bytes

guestolo · « **Reply #1 on:** September 05, 2007, 11:39:47 PM »

Let's try the following and see what we find

Download MsnCleaner.zip from here, unzip the contents too desktop but don't use it yet.
If the above link is not working, try the following
http://www.forospyware.com/Msncleaner/MsnCleaner.zip
(Copy/Paste the URL into the address bar or use "Save Target As")

Reboot into Safe mode
In safe mode
* Double-click MsnCleaner_eng.exe to run it.
* Click the Analyze button.
* A report will be created once after you finish scan.
* If it finds an infection, click the Deleted button.
* Now, please reboot back to normal mode.

Back in Normal windows
Do the following
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back all the following

1. Post the log from Combofix
2. Post the contents of C:\MsnCleaner.txt
3. Post a fresh hijackthis log

brave · « **Reply #2 on:** September 06, 2007, 12:45:57 PM »

ComboFix 07-08-30.3 - "Owner" 2007-09-06 13:19:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -4:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\bp\Desktop\internet.lnk
C:\Program Files\autorun.inf
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll

((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))

2007-09-06 13:18   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-09-06 13:07   <DIR>   d--------   C:\BackUpMSNCleaner
2007-09-05 13:17   <DIR>   d--------   C:\Program Files\Trend Micro
2007-09-05 13:11   <DIR>   d--------   C:\Program Files\Atomic Clock
2007-09-01 14:14   685   --a------   C:\WINDOWS\eReg.dat
2007-09-01 14:13   <DIR>   d--------   C:\Program Files\EACom
2007-09-01 14:11   <DIR>   d--------   C:\Program Files\Electronic Arts
2007-08-31 18:39   482,816   --a------   C:\WINDOWS\system32GASI.exe
2007-08-31 18:39   402,944   --a------   C:\WINDOWS\system32AKV.exe
2007-08-26 17:53   <DIR>   d--------   C:\DOCUME~1\bp\APPLIC~1\CyberLink
2007-08-22 18:37   <DIR>   d--------   C:\DOCUME~1\bp\APPLIC~1\Media Player Classic
2007-08-22 18:37   <DIR>   d--------   C:\DOCUME~1\bp\APPLIC~1\DivX
2007-08-20 18:05   10,368   ---------   C:\WINDOWS\system32\drivers\iviaspi.sys
2007-08-20 18:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-20 18:03   10,368   --a------   C:\WINDOWS\system32\iviaspi.sys
2007-08-20 18:01   <DIR>   d--------   C:\Program Files\Sandisk
2007-08-15 16:19   <DIR>   d--------   C:\Program Files\MSXML 6.0

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-28 10:22   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-08-20 18:04   ---------   d--------   C:\Program Files\Common Files\InstallShield
2007-08-20 18:01   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-08-19 14:59   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\Registry Booster
2007-08-15 16:25   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-05 18:25   ---------   d--------   C:\Program Files\Common Files\AOL
2007-08-05 18:25   ---------   d--------   C:\Program Files\AOD
2007-08-05 18:25   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-05 18:24   ---------   d--------   C:\Program Files\Common Files\aolshare
2007-08-05 18:24   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   271224   --a------   C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19   207736   --a------   C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-10 19:23   ---------   d--------   C:\Program Files\Torrent Harvester
2007-07-09 12:07   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-26 02:08   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23   1033216   --a------   C:\WINDOWS\explorer.exe
2001-03-02 01:38   3485184   -ra------   C:\Program Files\PROPLUS.MSI
2001-03-02 01:35   306688   -ra------   C:\Program Files\OWC10.MSI
2001-02-21 14:18   7929   --a------   C:\Program Files\README.HTM
2000-06-21 18:46   1499904   --a------   C:\Program Files\INSTMSIW.EXE
2000-06-21 18:46   1489152   --a------   C:\Program Files\INSTMSI.EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2003-09-09 04:30 C:\WINDOWS\system32\S3tray2.exe]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 C:\WINDOWS\system32\VTPreset.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-02-15 17:10]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-03-14 04:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"HostManager"="C:\Program Files\Common Files\AOL\1186352683\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"SPSTEALT"="C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" [2007-01-15 18:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 20:24]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
fbquick.lnk - C:\Program Files\fbquick\loader.exe [2007-05-11 23:35:02]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 17:17:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-10-06 20:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SPSTEALT"="C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
"ares"="C:\Program Files\Ares\Ares.exe" -h
"Super Utilities"=C:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
"SunServer"=C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"WildTangent CDA"=RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"EssSpkPhone"=essspk.exe
"OutpostFeedBack"=C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
"PCPerf"="C:\PROGRA~1\PCACCE~1\pcperf.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe

R1 cpuenc;cpuenc;\??\C:\Program Files\CPU Eat 'n' Cool\CPUENC.SYS
R1 SandBox;Outpost Firewall Sandbox Driver;\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
R1 VFILT;Outpost Firewall Kernel Driver;\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS
R3 WLCPCLN;IEEE802.11b WLAN Cardbus Card;C:\WINDOWS\system32\DRIVERS\WLCPCNDS.sys
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

Contents of the 'Scheduled Tasks' folder
2007-09-01 01:30:55 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-09-06 14:14:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 13:37:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 13:41:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 13:41

   --- E O F ---

- Logfile MSNCleaner 1.2.9
- Created Logfile: 9/6/2007 on 1:07:28 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 0
Deleted file: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1186352683\ee\AOLSoftware.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1186352683\ee\aim6.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Wireless\IEEE802.11b WLAN Cardbus Card\WLCPCCfg.exe
C:\Program Files\fbquick\loader.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\fbquick\fbquick-8\fbquick.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186352683\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: fbquick.lnk = C:\Program Files\fbquick\loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: IEEE802.11b WLAN Cardbus Card Utility.lnk = C:\Program Files\Wireless\IEEE802.11b WLAN Cardbus Card\WLCPCCfg.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170266177694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170992631270
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7208 bytes

brave · « **Reply #3 on:** September 06, 2007, 12:47:09 PM »

combofix changed my clock display thing how do i change it back?

guestolo · « **Reply #4 on:** September 06, 2007, 06:56:24 PM »

[quote name=\'brave\' post=\'385492\' date=\'Sep 6 2007, 10:47 AM\']combofix changed my clock display thing how do i change it back?[/quote]

Don't worry about that right now, usually the clock gets changed back after combofix has finished
If it doesn't change back this time, we will do it manually

[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system.

Download the latest version of Java Runtime Environment (JRE) 6u2.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement[/i]".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (13.90 MB).
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.

- Examples of older versions in Add or Remove Programs:

* Java 2 Runtime Environment, SE v1.4.2
* J2SE Runtime Environment 5.0
* J2SE Runtime Environment 5.0 Update 6

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.

DON'T install the latest version yet

Can you next do the following
If you do have a Usb thumbdrive or flashcard, etc... it may be infected
To be sure, can you ensure you plug it into your computer
If you get an autostart prompt just close it out

Next: Can you temporarily disable NOD32 protection, let's ensure it won't interfere please

Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote

File::
C:\WINDOWS\system32GASI.exe
C:\WINDOWS\system32AKV.exe

Save this as txtfile
CFScript

Take note the pic above
Drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt..
I will need to see this log again later
Reboot the computer

Back in Windows
Go ahead and install Java from the installer on desktop
Next:
Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
At the 'END USER SOFTWARE LICENSE AGREEMENT' select 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Post back the following please

1. Post the report from BitDefender
2. Post the log from Combofix>>C:\Combofix.txt
3. Post one last fresh hijackthis log

Let me know how things are running please

TheTechGuide Forum

News:

Author Topic: computers getting wacked (Read 459 times)

brave

computers getting wacked

guestolo

computers getting wacked

brave

computers getting wacked

brave

computers getting wacked

guestolo

computers getting wacked