Author Topic: PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal  (Read 3070 times)

Offline BobStein
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #20 on: March 12, 2010, 08:03:39 PM »
(Sorry you had to repost that, I should have said I was doing a ComboFix.)

comres.dll is detected again!  But it is not present, not even as a hidden or system file.

Code:
C:\WINNT\system32>dir comr*.* /a
 Volume in drive C has no label.
 Volume Serial Number is C806-C8E3

 Directory of C:\WINNT\system32

09/05/2005  03:18   97,552 comrepl.dll
  1 File(s) 97,552 bytes
  0 Dir(s)  49,372,233,728 bytes free

C:\WINNT\system32>


ComboFix3.txt

ComboFix 10-03-12.02 - Administrator 03/12/2010  19:02:56.3.1 - x86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.1023.688 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-02-13 to 2010-03-13  )))))))))))))))))))))))))))))))
.

2010-03-13 00:02 . 2010-03-13 00:02 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_36c.dat
2010-03-12 20:05 . 2010-03-12 20:05 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_260.dat
2010-03-09 02:24 . 2010-03-09 02:24 -------- d-----w- c:\program files\ESET
2010-03-08 16:10 . 2003-06-19 19:05 46992 -c--a-w- c:\winnt\system32\dllcache\i8042prt.sys
2010-03-08 16:10 . 2003-06-19 19:05 46992 ----a-w- c:\winnt\system32\drivers\i8042prt.sys
2010-03-08 16:10 . 2003-06-19 19:05 21776 -c--a-w- c:\winnt\system32\dllcache\mouclass.sys
2010-03-08 16:10 . 2003-06-19 19:05 21776 ----a-w- c:\winnt\system32\drivers\mouclass.sys
2010-03-08 16:10 . 2009-01-07 22:57 27784 ----a-w- c:\winnt\system32\drivers\point32.sys
2010-03-08 16:10 . 2010-03-08 16:10 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-03-08 02:10 . 2010-03-08 02:10 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-08 02:10 . 2010-03-08 02:10 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-08 02:10 . 2010-03-08 02:10 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-08 02:10 . 2010-03-08 02:10 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-08 02:00 . 2010-03-12 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-08 02:00 . 2010-03-08 02:00 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-08 01:58 . 2010-03-08 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-05 04:11 . 2010-03-05 04:11 -------- d-----w- c:\program files\Trend Micro
2010-03-05 03:30 . 2010-03-05 15:21 -------- d-----w- c:\program files\a-squared Anti-Malware
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-05 03:14 . 2010-03-05 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 06:00 . 2010-03-04 06:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-03-04 05:51 . 2010-03-04 05:51 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-04 05:51 . 2010-03-04 05:51 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-04 05:35 . 2009-03-24 20:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-03-04 05:20 . 2010-03-04 05:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-26 05:58 . 2010-02-26 02:24 634104 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-26 05:58 . 2010-02-26 02:24 797904 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-23 12:11 . 2010-02-23 12:11 726008 ----a-w- c:\documents and settings\Administrator\gotomypc_438.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-12 21:32 . 2009-11-05 08:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-03-12 18:34 . 2009-11-25 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-12 18:25 . 2009-11-25 23:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-09 00:57 . 2009-11-11 17:52 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-04 05:51 . 2009-11-11 03:55 -------- d-----w- c:\program files\Java
2010-03-02 13:30 . 2009-11-07 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-01-29 05:55 . 2009-11-10 23:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-01-20 14:28 . 2009-11-17 12:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2010-01-15 19:46 . 2009-11-06 06:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-28 13:03 . 2009-11-04 21:52 319760 ----a-w- c:\winnt\system32\MSPAINT.EXE
2009-12-18 16:19 . 2009-12-23 01:00 545280 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\PicLensHelper.exe
2009-12-18 16:19 . 2009-12-23 01:00 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\LaunchCooliris.exe
2009-12-18 16:19 . 2009-12-23 01:00 153600 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
2009-12-18 16:19 . 2009-12-23 01:00 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\pixomatic.dll
2009-12-18 16:19 . 2009-12-23 01:00 57856 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\components\coolirisstub.dll
2009-12-18 16:19 . 2009-12-23 01:00 4726272 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\cooliris190.dll
2009-12-16 21:25 . 2009-12-16 21:25 576512 ------w- c:\winnt\system32\WININET.DLL
2009-12-14 07:10 . 2002-08-09 16:07 35088 ----a-w- c:\winnt\system32\CSRSRV.DLL
2009-11-04 21:54 . 2009-11-04 21:54 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
(((((((((((((((((((((((((((((   SnapShot@2010-03-08_21.54.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 00:16 . 2010-03-02 05:30 31648712              c:\winnt\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-05-02 122965]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-17 185896]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-11-4 910296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\eudora\EuShlExt.dll" [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [10/14/2009 21:18 36880]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [12/11/2009 11:50 64288]
R0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [11/17/2009 07:22 28552]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [04/10/2002 17:00 356651]
R1 crlscsi;crlscsi;c:\winnt\system32\drivers\crlscsi.sys [11/20/2009 11:10 6144]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [10/02/2009 19:39 18448]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [08/09/2002 11:13 24784]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [11/04/2009 18:13 49776]
R3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [11/04/2009 11:34 602128]
S0 IntelATA;Intel Ultra ATA Controller;c:\winnt\system32\drivers\IntelAta.sys [11/04/2009 22:18 79106]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90Xbc5.SYS [11/04/2009 22:32 73824]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/24/2009 06:17 1184912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-03-12 c:\winnt\Tasks\daily.job
- c:\visibone\stats\daily.bat [2009-11-06 13:24]

2010-02-27 c:\winnt\Tasks\weekly.job
- c:\visibone\stats\weekly.bat [2009-11-06 18:17]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.visibone.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-12 19:11
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(220)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(508)
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2010-03-12  19:13:51
ComboFix-quarantined-files.txt  2010-03-13 00:13
ComboFix2.txt  2010-03-09 02:14
ComboFix3.txt  2010-03-08 22:00

Pre-Run: 49,277,267,968 bytes free
Post-Run: 49,345,789,952 bytes free

- - End Of File - - 076659082A057DBCC9D810529A345892

Offline guestolo
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #21 on: March 12, 2010, 10:18:31 PM »
I have a copy of Windows 2000 SP4 installed on one of my machines, and it is a clean machine.
I ran a scan with ComboFix on it and it came up with the following:
Quote:
d:\winnt\system32\comres.dll . . . is infected!!

------- Sigcheck -------

[-] 2002-11-27 02:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . d:\winnt\system32\mspmsnsv.dll

We can almost bet it's a false positive with ComboFix and Windows 2000.

Besides that, how is everything running?
What do you run for Firewall software on your computer?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

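The false-positive reasoning above, as an added example (not from the thread, and not ComboFix's own code): a small Python script that takes the "is infected!!" and Sigcheck lines from the two ComboFix logs quoted in this thread and marks any finding that also appears, with the same hash and size, on guestolo's known-clean Windows 2000 SP4 machine as a likely false positive. Drive letters are dropped so the C: and D: installs compare equal, and the Sigcheck timestamp is deliberately left out of the comparison because the two logs show the same file at 00:03 and 02:03 (a time-zone difference, not a different file). The two log excerpts are the ones quoted above; the third Sigcheck line with the all-zero hash is a constructed placeholder, added only to show how a finding that is not on the baseline is reported.

```python
"""Compare ComboFix findings against a log from a known-clean reference machine.

Added example for this thread; not part of ComboFix or of any poster's tooling.
The two log excerpts are the ones quoted in the thread. The third Sigcheck line in
SUSPECT_LOG (all-zero hash, example_only.dll) is a constructed placeholder.
"""
import re
from typing import Dict, List, NamedTuple

# Excerpt of BobStein's ComboFix3.txt (suspect machine, Windows on C:).
SUSPECT_LOG = r"""
c:\winnt\system32\comres.dll . . . is infected!!

------- Sigcheck -------

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
[-] 2009-01-01 00:00 . 00000000000000000000000000000000 . 1 . . [] . . c:\winnt\system32\example_only.dll
"""

# Excerpt of guestolo's ComboFix run on a clean Windows 2000 SP4 machine (Windows on D:).
CLEAN_BASELINE_LOG = r"""
d:\winnt\system32\comres.dll . . . is infected!!

------- Sigcheck -------

[-] 2002-11-27 02:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . d:\winnt\system32\mspmsnsv.dll
"""


class Finding(NamedTuple):
    kind: str   # "infected" (Other Deletions section) or "sigcheck"
    path: str   # path with the drive letter removed, lower-cased
    md5: str    # empty for "infected" lines
    size: str   # empty for "infected" lines


# "c:\winnt\system32\comres.dll . . . is infected!!"
INFECTED_RE = re.compile(r"^(?P<path>[a-zA-Z]:\\.+?) \. \. \. is infected!!\s*$")

# "[-] 2002-11-27 00:03 . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\] (?P<date>\S+ \S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+?)\s*$"
)


def normalise_path(path: str) -> str:
    """Drop the drive letter so a C: and a D: install of Windows compare equal."""
    path = path.strip().lower()
    if len(path) >= 2 and path[1] == ":":
        path = path[2:]
    return path


def parse_findings(log: str) -> List[Finding]:
    """Extract the flagged files from the two ComboFix sections that matter here.

    The Sigcheck timestamp is intentionally not part of the Finding: the same
    file shows different clock times on machines in different time zones.
    """
    findings: List[Finding] = []
    for line in log.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding("infected", normalise_path(m["path"]), "", ""))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append(
                Finding("sigcheck", normalise_path(m["path"]), m["md5"].upper(), m["size"])
            )
    return findings


def triage(suspect_log: str, baseline_log: str) -> Dict[str, List[Finding]]:
    """Split the suspect machine's findings by whether the clean machine shows them too.

    A finding that is identical (same file, same hash, same size) on a machine
    known to be clean is almost certainly a scanner false positive; everything
    else still needs a human to look at it.
    """
    baseline = set(parse_findings(baseline_log))
    report: Dict[str, List[Finding]] = {"likely_false_positive": [], "needs_review": []}
    for finding in parse_findings(suspect_log):
        bucket = "likely_false_positive" if finding in baseline else "needs_review"
        report[bucket].append(finding)
    return report


if __name__ == "__main__":
    for bucket, items in triage(SUSPECT_LOG, CLEAN_BASELINE_LOG).items():
        print(f"{bucket}:")
        for f in items:
            print(f"  {f.kind:9} {f.path} {f.md5} {f.size}".rstrip())
```

Run as written, it puts both comres.dll and mspmsnsv.dll in the likely-false-positive bucket, which is exactly the conclusion drawn above, and leaves the constructed example_only.dll line under needs_review.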

Offline BobStein
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #22 on: March 13, 2010, 12:19:10 AM »
Oh wow.

Everything seems to be running great.  All the symptoms disappeared after the FIXMBR March 7th.

I ran the firewall procedure here.  What would you recommend?  Google turns up ZoneAlarm?

Offline guestolo
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #23 on: March 13, 2010, 06:10:11 PM »
Can you run a fresh "Scan and save logfile" with HijackThis and post the new log that opens?
Just to get me back up to speed on where you're at right now.



Offline BobStein
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #24 on: March 18, 2010, 12:37:37 PM »
Quote from guestolo (Mar 13 2010, 07:10 PM):
Can you run a fresh "Scan and save logfile" with HijackThis and post the new log that opens?
Just to get me back up to speed on where you're at right now.

Sure! Thanks, and sorry for my delay.

HijackThis 2.02 log
Code:
Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 13:34:22, on 03/18/2010
 Platform: Windows 2000 SP4 (WinNT 5.00.2195)
 MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 Boot mode: Normal
 
 Running processes:
 C:\WINNT\System32\smss.exe
 C:\WINNT\system32\winlogon.exe
 C:\WINNT\system32\services.exe
 C:\WINNT\system32\lsass.exe
 C:\WINNT\system32\Ati2evxx.exe
 C:\WINNT\system32\svchost.exe
 C:\WINNT\system32\spoolsv.exe
 C:\WINNT\System32\svchost.exe
 C:\WINNT\system32\hidserv.exe
 C:\Program Files\Java\jre6\bin\jqs.exe
 C:\WINNT\System32\svchost.exe
 C:\WINNT\System32\svchost.exe
 C:\WINNT\system32\regsvc.exe
 C:\WINNT\system32\MSTask.exe
 C:\WINNT\system32\stisvc.exe
 C:\WINNT\System32\WBEM\WinMgmt.exe
 C:\WINNT\system32\svchost.exe
 C:\WINNT\system32\Ati2evxx.exe
 C:\WINNT\Explorer.EXE
 C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
 C:\Program Files\Java\jre6\bin\jusched.exe
 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
 C:\Eudora\Eudora.exe
 C:\Program Files\Mozilla Firefox\firefox.exe
 C:\WINNT\system32\cmd.exe
 C:\WINNT\system32\ntvdm.exe
 C:\WINNT\system32\taskmgr.exe
 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 C:\Program Files\Winamp\winamp.exe
 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
 O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
 O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
 O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
 O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
 O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
 O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
 O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
 O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
 O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
 O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
 O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
 O4 - Startup: Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
 O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258743311109
 O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
 O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
 O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
 O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
 O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
 O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
 O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe
 
 --
 End of file - 6365 bytes

Offline guestolo
PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal
« Reply #25 on: March 20, 2010, 01:19:59 PM »
You have some items that don't really need to run on startup.
It's your option, but you may do the following:

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"


After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Properly uninstall ComboFix: go to START>>RUN and
copy/paste the following:

ComboFix /uninstall

Hit OK. If you get an error prompt, just click OK and let the uninstall continue.

Open OTL.exe and click on the CLEANUP button.
Follow the prompts and reboot the computer when prompted.

Back in Windows, you should add a software firewall to this computer.
A great basic one that is free is Outpost Firewall.
Here's a link:
http://download.cnet.com/Agnitum-Outpost-F...&tag=button

I would also add SpywareBlaster to your set of protection software;
it does not run in the background but helps to silently protect your system.

SpywareBlaster by JavaCool
At the link you can read more about it if you like, then continue with
Free Download on the right>>Continue Download at the next page.
Basically it:
    * Will block bad ActiveX controls
    * Blocks malevolent cookies in Internet Explorer and Firefox
    * Restricts actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing.
After installation, Check for updates.
After updating, select "Protection Status" on the left,
then select "Enable all Protection".
IMPORTANT>>"Check for updates every couple of weeks or so."
After every update, just simply click "enable protection on all unprotected items",
or again, click on Protection Status>>Enable all Protection.
« Last Edit: March 20, 2010, 01:21:09 PM by guestolo »
