
Pesky Trojan [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by mtaffer, 2006/10/20.

  1. 2006/10/20
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Hey all,

    I have a client that has a virus/malware on her pc that I cannot get rid of. It first showed up as a file named exmodul32.e.f.exe, and is continually replicating itself with a different number attached to the front like 12, 1, etc. It has shown up as Proxy.Horst.Gen on some scans. BitDefender is blocking it, but the quarantine is growing exponentially.

    Here is the HijackThis log. Can you guys help?

    Logfile of HijackThis v1.99.1
    Scan saved at 1:58:06 PM, on 10/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\Program Files\Softwin\BitDefender8\bdmcon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\mcleod\deployed\bin\DeployClient.exe
    C:\Program Files\Java\jre1.5.0_03\bin\java.exe
    C:\Program Files\Java\jre1.5.0_03\bin\LME - LME Dev(TMS).exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\DOCUME~1\monicag\LOCALS~1\Temp\82exinjs.j.exe
    C:\Documents and Settings\monicag\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
    O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    Thanks in advance guys... :)

    mtaffer
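    The entries a helper looks for first in a log like this are a core Windows binary name loaded from the wrong directory (the [.nvsvc] entry runs smss.exe from C:\WINDOWS\system instead of System32), a service with an unknown owner living under C:\WINDOWS, and an executable running out of a Temp folder. The script below is an added example, not part of the original thread or of HijackThis; it applies those three heuristics to a constructed excerpt of the log above and assumes Windows is installed at C:\WINDOWS, as the posted paths show.

```python
import re

# Core Windows XP binaries and the directory (under C:\WINDOWS) they must load
# from. The same file name anywhere else is treated as an impostor, which is
# exactly the [.nvsvc] entry above: smss.exe in C:\WINDOWS\system, not System32.
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
WINDIR = "c:\\windows"  # assumption: matches the paths in the posted log

EXE_RE = re.compile(r'"?([a-z]:\\.*?\.exe)', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Constructed excerpt of the HijackThis v1.99.1 log posted above.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\DOCUME~1\monicag\LOCALS~1\Temp\82exinjs.j.exe
C:\Documents and Settings\monicag\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
"""


def exe_path(cmd):
    """Pull the executable path out of a Run or Service command line."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else None


def misplaced_core_binary(path):
    """True when a core Windows binary name is loaded from the wrong directory."""
    parent, _, name = path.lower().rpartition("\\")
    if name not in CORE_BINARIES:
        return False
    expected = (WINDIR + "\\" + CORE_BINARIES[name]).rstrip("\\")
    return parent != expected


def check_path(kind, path, line, findings):
    """Rules that apply to any executable path, whatever section it came from."""
    if misplaced_core_binary(path):
        findings.append(("misplaced-core-binary", kind, line))
    if "\\temp\\" in path.lower():
        findings.append(("executable-in-temp", kind, line))


def triage_hjt_log(text):
    """Return (rule, subject, log line) tuples for the suspicious entries."""
    findings = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            check_path("process", line, line, findings)
            continue
        m = O4_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            if name.startswith("."):  # dot-prefixed Run names are not a vendor habit
                findings.append(("run-entry-odd-name", name, line))
            path = exe_path(cmd)
            if path:
                check_path("run-entry", path, line, findings)
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, cmd = m.groups()
            path = exe_path(cmd)
            if path:
                check_path("service", path, line, findings)
                # HJT hides Microsoft services, so an ownerless service inside
                # the Windows directory deserves a look (nvsvcd.exe above).
                if owner.lower() == "unknown owner" and path.lower().startswith(WINDIR + "\\"):
                    findings.append(("unknown-owner-service-in-windows-dir", svc, line))
    return findings


if __name__ == "__main__":
    for rule, subject, line in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{rule:40} {subject:12} {line}")
```

    On the excerpt this reports the Temp process, the [.nvsvc] name and its misplaced smss.exe, and the "Windows Log" service, which are the same four items SDFix later removed or quarantined in this thread.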
     
  2. 2006/10/20
    TeMerc

    TeMerc Inactive Alumni

    Hello and welcome to WindowsBBS Forums.

    You have a nasty bot on that system and here is how we go about removing it.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     


  4. 2006/10/20
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Thanks for your help, here is the followup log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:01:38 PM, on 10/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\Program Files\Softwin\BitDefender8\bdmcon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\monicag\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    And here is the logfile from the sdfix

    SDFix: Version 1.30
    -------------------

    Scan run on:
    Fri 10/20/2006

    Time:
    04:29 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running from: C:\Documents and Settings\administrator.MCLEOD\Desktop\SDFix

    Stage One...

    Checking Services...

    Name:
    -----

    Windows Log

    Path:
    ----

    C:\WINDOWS\system32\nvsvcd.exe

    Windows Log ... deleted

    Repairing Registry...

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting!

    Stage Two...

    Checking For Malware Files:
    --------------------------

    C:\WINDOWS\system\smss.exe
    C:\WINDOWS\system32\nvsvcd.exe

    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------

    Files:
    ------

    *Any removed Files are saved in the SDFix\backups Folder*

    *FINISHED*

    Thanks again for all your help! :)

    mtaffer
     
  5. 2006/10/21
    TeMerc

    TeMerc Inactive Alumni

    Ok, that looks good, but let's also get a couple more logs to double check things.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Then give me a start up list with HJT:
    Open HJT, click the 'None of the above, just start the program' button.
    Then click the 'Config' button in the lower right hand of the program.
    Then select the 'Misc Tools' button.
    In the upper left hand side of the program tick the two boxes 'List also minor sections (full)' button and the 'List empty sections (complete)' button and select 'Yes' when prompted by the dialog box. The resultant scan will produce a notepad log file, please paste that log file back here for me to review.
     
  6. 2006/10/23
    mtaffer

    mtaffer Well-Known Member Thread Starter

    It's back Combo posting

    Hey there, thanks again for all your help! :)

    I checked this morning and the virus seems to still be replicating itself. BitDefender keeps quarantining any new copies it makes in the user info/temp folder. I ran the programs you requested and here are the logs.

    Thanks Again.

    ComboFix Log

    monicag - 06-10-23 8:31:18.80 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\monicag\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))


    No new files created in this timespan


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-23 08:22 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-20 09:19 -------- d---s---- C:\Documents and Settings\monicag\Application Data\Microsoft
    2006-10-19 09:13 -------- d-------- C:\Documents and Settings\monicag\Application Data\Macromedia
    2006-10-19 08:55 -------- d-------- C:\Program Files\WebEx
    2006-10-19 08:43 -------- d-------- C:\Documents and Settings\monicag\Application Data\Mozilla
    2006-10-18 17:22 -------- d-------- C:\Documents and Settings\monicag\Application Data\MvPCinfo
    2006-10-18 16:42 -------- d-------- C:\Program Files\Microsoft Visual Studio
    2006-10-18 14:40 -------- d-------- C:\Program Files\Online Services
    2006-10-18 14:12 73728 --a------ C:\WINDOWS\system32\sockspy.dll
    2006-10-18 14:00 -------- d-------- C:\Program Files\Java
    2006-10-18 13:57 -------- d-------- C:\Program Files\Lavasoft
    2006-10-18 13:56 -------- d-------- C:\Program Files\Spark
    2006-10-18 13:54 -------- d-------- C:\Program Files\Softwin
    2006-10-18 13:54 -------- d-------- C:\Program Files\Common Files\Softwin
    2006-10-18 13:47 -------- d-------- C:\Program Files\Common Files
    2006-10-18 13:39 -------- d-------- C:\Program Files\AniTa
    2006-10-18 13:15 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-10-18 13:13 -------- d-------- C:\Program Files\MUSICMATCH
    2006-10-18 13:08 -------- d-------- C:\Documents and Settings\monicag\Application Data\Gtek
    2006-10-18 13:07 -------- d-------- C:\Program Files\Dell
    2006-10-18 13:07 -------- d-------- C:\Program Files\Common Files\Sonic Shared
    2006-10-18 13:03 -------- d-------- C:\Program Files\Common Files\AOL
    2006-09-22 10:33 -------- d-------- C:\Program Files\Cisco Systems
    2006-09-22 09:12 32768 --a------ C:\WINDOWS\system32\stcevent.dll
    2006-09-21 11:28 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-09-20 11:07 -------- d-------- C:\Program Files\Citrix


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "ISUSPM Startup"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
    "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
    "BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdoesrv.exe\""
    "BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""
    "BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoWindowsUpdate"=dword:00000001
    "ForceStartMenuLogOff"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000001
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "disablecad"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning"=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-10-23 8:31:44.65
    C:\ComboFix.txt ... 06-10-23 08:31

    HijackThis log in separate post due to space limitation...
     
  7. 2006/10/23
    mtaffer

    mtaffer Well-Known Member Thread Starter

    It's back Hijackthis posting

    Here are the results from the HijackThis startup log as requested:

    HijackThis Log

    StartupList report, 10/23/2006, 8:35:44 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\monicag\Desktop\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\Documents and Settings\monicag\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\monicag\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Digital Line Detect.lnk = ?

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    igfxtray = C:\WINDOWS\system32\igfxtray.exe
    igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
    igfxpers = C:\WINDOWS\system32\igfxpers.exe
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ISUSPM Startup = "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    BDOESRV = "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe"
    BDNewsAgent = "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
    BDMCon = "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=sockspy.dll

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll

    This is part of the listing... file-length restrictions are forcing me to put it in two posts. :(
     
  8. 2006/10/23
    mtaffer (Well-Known Member, Thread Starter)
    It's back HijackThis post 2

    Here is the rest of the log...sorry to have to break it up.

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    abp480n5: \SystemRoot\system32\DRIVERS\ABP480N5.SYS (disabled)
    Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
    adpu160m: \SystemRoot\system32\DRIVERS\adpu160m.sys (disabled)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD: \SystemRoot\System32\drivers\afd.sys (system)
    Intel AGP Bus Filter: \SystemRoot\system32\DRIVERS\agp440.sys (disabled)
    Compaq AGP Bus Filter: \SystemRoot\system32\DRIVERS\agpCPQ.sys (disabled)
    Aha154x: \SystemRoot\system32\DRIVERS\aha154x.sys (disabled)
    aic78u2: \SystemRoot\system32\DRIVERS\aic78u2.sys (disabled)
    aic78xx: \SystemRoot\system32\DRIVERS\aic78xx.sys (disabled)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AliIde: \SystemRoot\system32\DRIVERS\aliide.sys (disabled)
    ALI AGP Bus Filter: \SystemRoot\system32\DRIVERS\alim1541.sys (disabled)
    AMD AGP Bus Filter Driver: \SystemRoot\system32\DRIVERS\amdagp.sys (disabled)
    amsint: \SystemRoot\system32\DRIVERS\amsint.sys (disabled)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    asc: \SystemRoot\system32\DRIVERS\asc.sys (disabled)
    asc3350p: \SystemRoot\system32\DRIVERS\asc3350p.sys (disabled)
    asc3550: \SystemRoot\system32\DRIVERS\asc3550.sys (disabled)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
    BitDefender Local Manager: "C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (autostart)
    BitDefender Scan Server: "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    cbidf: \SystemRoot\system32\DRIVERS\cbidf2k.sys (disabled)
    cd20xrnt: \SystemRoot\system32\DRIVERS\cd20xrnt.sys (disabled)
    CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    CmdIde: \SystemRoot\system32\DRIVERS\cmdide.sys (disabled)
    COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cpqarray: \SystemRoot\system32\DRIVERS\cpqarray.sys (disabled)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Cisco Systems SSL VPN Adapter: system32\DRIVERS\CSVirtA.sys (manual start)
    dac2w2k: \SystemRoot\system32\DRIVERS\dac2w2k.sys (disabled)
    dac960nt: \SystemRoot\system32\DRIVERS\dac960nt.sys (disabled)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Disk Driver: system32\DRIVERS\disk.sys (system)
    DLABOIOM: System32\DLA\DLABOIOM.SYS (autostart)
    DLACDBHM: System32\Drivers\DLACDBHM.SYS (system)
    DLADResN: System32\DLA\DLADResN.SYS (autostart)
    DLAIFS_M: System32\DLA\DLAIFS_M.SYS (autostart)
    DLAOPIOM: System32\DLA\DLAOPIOM.SYS (autostart)
    DLAPoolM: System32\DLA\DLAPoolM.SYS (autostart)
    DLARTL_N: System32\Drivers\DLARTL_N.SYS (system)
    DLAUDFAM: System32\DLA\DLAUDFAM.SYS (autostart)
    DLAUDF_M: System32\DLA\DLAUDF_M.SYS (autostart)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
    dpti2o: \SystemRoot\system32\DRIVERS\dpti2o.sys (disabled)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    DRVMCDB: System32\Drivers\DRVMCDB.SYS (system)
    DRVNDDM: System32\Drivers\DRVNDDM.SYS (autostart)
    Intel(R) PRO Network Connection Driver: system32\DRIVERS\e100b325.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Fax: %systemroot%\system32\fxssvc.exe (autostart)
    Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
    FILESpy: \??\C:\Program Files\Softwin\BitDefender8\filespy.sys (autostart)
    Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\DRIVERS\fltMgr.sys (system)
    Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
    Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
    hpn: \SystemRoot\system32\DRIVERS\hpn.sys (disabled)
    HSFHWBS2: system32\DRIVERS\HSFHWBS2.sys (manual start)
    HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i2omp: \SystemRoot\system32\DRIVERS\i2omp.sys (disabled)
    i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
    ialm: system32\DRIVERS\ialmnt5.sys (manual start)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    ini910u: \SystemRoot\system32\DRIVERS\ini910u.sys (disabled)
    IntelIde: system32\DRIVERS\intelide.sys (system)
    Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
    IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: system32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    BitDefender Enterprise Update Service: "C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
    mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
    Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
    Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
    mraid35x: \SystemRoot\system32\DRIVERS\mraid35x.sys (disabled)
    WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
    Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (autostart)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Intel NCS NetService: C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (manual start)
    Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: system32\DRIVERS\nv4_mini.sys (manual start)
    IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Parallel port driver: system32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: system32\DRIVERS\pci.sys (system)
    PCIIde: system32\DRIVERS\pciide.sys (system)
    perc2: \SystemRoot\system32\DRIVERS\perc2.sys (disabled)
    perc2hib: \SystemRoot\system32\DRIVERS\perc2hib.sys (disabled)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    ql1080: \SystemRoot\system32\DRIVERS\ql1080.sys (disabled)
    Ql10wnt: \SystemRoot\system32\DRIVERS\ql10wnt.sys (disabled)
    ql12160: \SystemRoot\system32\DRIVERS\ql12160.sys (disabled)
    ql1240: \SystemRoot\system32\DRIVERS\ql1240.sys (disabled)
    ql1280: \SystemRoot\system32\DRIVERS\ql1280.sys (disabled)
    Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
    REGSpy: \??\C:\Program Files\Softwin\BitDefender8\regspy.sys (autostart)
    Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: system32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
    Serial port driver: system32\DRIVERS\serial.sys (system)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SIS AGP Bus Filter: \SystemRoot\system32\DRIVERS\sisagp.sys (disabled)
    Sparrow: \SystemRoot\system32\DRIVERS\sparrow.sys (disabled)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Srv: system32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    SigmaTel High Definition Audio CODEC: system32\drivers\sthda.sys (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
    Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{2F130D52-0BDB-47EB-AF81-1E09BA7E21E7} (manual start)
    symc810: \SystemRoot\system32\DRIVERS\symc810.sys (disabled)
    symc8xx: \SystemRoot\system32\DRIVERS\symc8xx.sys (disabled)
    sym_hi: \SystemRoot\system32\DRIVERS\sym_hi.sys (disabled)
    sym_u3: \SystemRoot\system32\DRIVERS\sym_u3.sys (disabled)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\system32\tlntsvr.exe (manual start)
    TosIde: \SystemRoot\system32\DRIVERS\toside.sys (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    ultra: \SystemRoot\system32\DRIVERS\ultra.sys (disabled)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
    USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Bus Filter: \SystemRoot\system32\DRIVERS\viaagp.sys (disabled)
    ViaIde: \SystemRoot\system32\DRIVERS\viaide.sys (disabled)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    BitDefender Virus Shield: "C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (autostart)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
    WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BitDefender Communicator: "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 35,681 bytes
    Report generated in 0.187 seconds

    Thanks again, this seems to be a very difficult thing to get rid of...
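    Added example (not from this thread, and not a feature of HijackThis or StartupList): a small Python triage helper for the two log formats posted above. It parses the StartupList service lines ("name: image path (start type)") and the HijackThis O4/O23 lines, expands the path spellings the logs use (%SystemRoot%, \SystemRoot\, \??\, and system32-relative driver paths), and flags any autostart whose image lives outside C:\WINDOWS or C:\Program Files, runs from a Temp folder (the location the thread reports the replicating files in), or is reported "(file missing)" by HijackThis. It assumes an XP install on C:, as in the logs. The sample input is constructed: six lines are copied from the logs in this thread and the last line is a made-up Temp-folder entry with a placeholder file name, included only to show the flagging.

```python
"""Autorun triage for StartupList / HijackThis style logs.

Added example for this thread; it is not part of HijackThis or StartupList.
It parses three line shapes seen in the posted logs and flags entries whose
image lives somewhere an autostart should not normally point (for instance a
user's Local Settings\\Temp folder, the directory the thread reports).
"""
import re

# Assumed layout of the host in the thread (Windows XP installed on C:).
SYSTEM_ROOT = r"C:\WINDOWS"
PROGRAM_FILES = r"C:\Program Files"
TRUSTED_ROOTS = (SYSTEM_ROOT.lower() + "\\", PROGRAM_FILES.lower() + "\\")

# StartupList service line:  <display name>: <image path> (<start type>)
SERVICE_RE = re.compile(
    r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>system|autostart|manual start|disabled)\)$")
# HijackThis O4 line:   O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# HijackThis O23 line:  O23 - Service: <name> - <owner> - <command line>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Shortest prefix ending in .exe/.sys/.dll, so unquoted paths with spaces survive.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?:\W|$)", re.I)


def normalize(raw):
    """Expand the path spellings StartupList and the registry use into C:\\... form."""
    p = raw.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                      # \??\C:\x -> C:\x
        p = p[4:]
    elif low.startswith("\\systemroot\\"):            # \SystemRoot\system32\x
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%"):
        p = SYSTEM_ROOT + p[len("%systemroot%"):]
    elif low.startswith("%programfiles%"):
        p = PROGRAM_FILES + p[len("%programfiles%"):]
    if not re.match(r"^[A-Za-z]:\\", p):             # system32\DRIVERS\x.sys is relative to %SystemRoot%
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p


def image_path(cmd):
    """Pull the executable out of a service/Run command line, tolerating unquoted spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]               # quoted image: take what is inside the quotes
    m = IMAGE_RE.match(cmd)
    return normalize(m.group(1) if m else cmd.split(" ", 1)[0])


def flags_for(path, line):
    """Reasons a triager would look twice at this entry."""
    low = path.lower()
    flags = []
    if "\\temp\\" in low:
        flags.append("image runs from a Temp folder")
    if not low.startswith(TRUSTED_ROOTS):
        flags.append("image outside Windows / Program Files")
    if "(file missing)" in line.lower():
        flags.append("HijackThis reports the file missing; check the ImagePath quoting")
    return flags


def triage(report):
    """Return one dict per recognised autorun line: kind, name, normalised path, flags."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        for kind, rx in (("O4", O4_RE), ("O23", O23_RE), ("service", SERVICE_RE)):
            m = rx.match(line)
            if m:
                path = image_path(m.group("cmd"))
                findings.append({"kind": kind, "name": m.group("name"),
                                 "path": path, "flags": flags_for(path, line)})
                break
    return findings


def suspicious(report):
    """Only the entries that carry at least one flag."""
    return [f for f in triage(report) if f["flags"]]


# Constructed sample: the first six lines are copied from the logs in this thread,
# the last one is a made-up entry under a user's Temp folder (placeholder name, no real file).
SAMPLE = r"""
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
FILESpy: \??\C:\Program Files\Softwin\BitDefender8\filespy.sys (autostart)
BitDefender Local Manager: "C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (autostart)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\user\Local Settings\Temp\constructed_sample.exe
"""

if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f["kind"], f["name"], f["path"], "; ".join(f["flags"]), sep=" | ")
```

    Run it against a saved log (pass the whole file to triage(); lines it does not recognise are ignored) and review the flagged entries by hand: a trusted-root check is only a first cut, since a legitimate program can install outside Program Files and a hostile one can drop into system32, so the path is a reason to look, not a verdict.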
     
  9. 2006/10/23
    TeMerc (Inactive Alumni)
    We need to see a fresh HJT log too...thanks.

    Also, please tell me the exact path where the new virus is indicated to be.
     
  10. 2006/10/23
    mtaffer (Well-Known Member, Thread Starter)
    new log

    This is the path where the virus is replicating...

    C:\Documents and Settings\monicag\Local Settings\Temp

    Here is the new hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:52:05 AM, on 10/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\mcleod\deployed\bin\DeployClient.exe
    C:\Program Files\Java\jre1.5.0_03\bin\java.exe
    C:\Program Files\Java\jre1.5.0_03\bin\LME - LME Dev(TMS).exe
    C:\Program Files\WebEx\Record Playback\atauthor.exe
    C:\Program Files\Microsoft Visual Studio\VSS\win32\SSEXP.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Documents and Settings\monicag\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe "
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe "
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    Thanks again for all your help. :)

    mtaffer
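Both HijackThis logs in this thread list every BitDefender service as "Unknown owner ... (file missing)" with a stray closing quote before "/service", while the same executables (vsserv.exe, bdss.exe, xcommsvr.exe) appear under Running processes. That matches the known HijackThis 1.99.1 quirk for services whose ImagePath is a quoted path followed by arguments: the tool drops the opening quote, tests the mangled string for existence, and reports the file missing although the binary is there. The script below is an added example written for this page (not code from the thread, HijackThis or BitDefender) that parses O23 lines, recovers the real executable path, and tells that quoting artifact apart from a genuinely orphaned service entry. The sample lines, service names and the `exists` fixture are constructed for the demonstration.

```python
import re

# Constructed HijackThis 1.99.1-style O23 lines for this example (not copied
# from any real machine). The first reproduces the stray closing quote before
# "/service" that HJT prints when a service ImagePath is a quoted path with
# arguments; HJT then checks the mangled string and reports "(file missing)".
SAMPLE_O23 = [
    'O23 - Service: Example Shield (EXSVC) - Unknown owner - '
    'C:\\Program Files\\Example\\exsvc.exe" /service (file missing)',
    'O23 - Service: Example Net Service (ExNet) - Example Corp - '
    'C:\\Program Files\\Example\\NetSvc.exe',
    'O23 - Service: Gone Service (gone) - Unknown owner - '
    'C:\\WINDOWS\\system32\\gone.exe (file missing)',
]

O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - '
    r'(?P<owner>.+?) - (?P<rest>.+)$'
)
MISSING = ' (file missing)'


def parse_o23(line):
    """Split one O23 line into service name, owner, executable path, arguments
    and whether HJT flagged the file as missing. Returns None for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    reported_missing = rest.endswith(MISSING)
    if reported_missing:
        rest = rest[:-len(MISSING)]
    quote_artifact = '"' in rest
    if quote_artifact:
        # HJT dropped the opening quote: text before the stray closing quote
        # is the real path, text after it is the service's argument list.
        path, args = rest.split('"', 1)
    else:
        # No quotes: take the text up to the first .exe as the path (heuristic;
        # an unquoted path containing spaces AND arguments stays ambiguous).
        pm = re.match(r'(?i)(?P<path>.*?\.exe)(?P<args>.*)$', rest)
        path, args = (pm.group('path'), pm.group('args')) if pm else (rest, '')
    return {
        'name': m.group('name'),
        'display': m.group('display'),
        'owner': m.group('owner'),
        'path': path.strip(),
        'args': args.strip(),
        'reported_missing': reported_missing,
        'quote_artifact': quote_artifact,
    }


def triage_o23(lines, exists):
    """Classify each O23 entry. `exists` is a path -> bool callable, so the same
    logic runs against the live filesystem (os.path.exists) or a test fixture."""
    out = []
    for line in lines:
        e = parse_o23(line)
        if e is None:
            continue
        present = exists(e['path'])
        if e['reported_missing'] and e['quote_artifact'] and present:
            verdict = 'false-missing (quoting artifact; binary present)'
        elif e['reported_missing'] and not present:
            verdict = 'really missing: orphaned service, review/delete'
        elif e['owner'] == 'Unknown owner':
            verdict = 'present, unknown owner: verify binary by hash'
        else:
            verdict = 'present'
        out.append((e['name'], e['path'], verdict))
    return out


if __name__ == '__main__':
    import os
    # On the affected machine pass os.path.exists; here the paths are fictional.
    for name, path, verdict in triage_o23(SAMPLE_O23, os.path.exists):
        print(f'{name:8} {verdict:50} {path}')
```

Run it on the machine being cleaned with `os.path.exists` as the callback: an entry that comes back as "false-missing" is the quoting artifact and needs no action, whereas "really missing" points at a registered service whose binary is gone, which is the case worth investigating.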
     
  11. 2006/10/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, those logs appear clear but the regeneration causes me some pause.

    Let's clean out temps, and grab an online scan. Btw, what are the new findings being called, are they named the same or something different?

    Download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the Empty Selected button.
    We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.

    Then go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. (You may have to disable any pop-up blockers.)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install; it may take a few minutes for all components. (For XP SP2, watch for the yellow bar at the top of IE.)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    (please edit out all cookie, Recycler and restore\system volume folder references from the log)
     
  12. 2006/10/24
    mtaffer

    mtaffer Well-Known Member Thread Starter

    Joined:
    2006/10/20
    Messages:
    63
    Likes Received:
    0
    Panda report / new HJT log

    Hi,

    I ran the scan and it didn't find anything specific, just a few cookies. This is the report it created:

    Incident Status Location

    Possible Virus. Not disinfected C:\dell\Utilities\DSR\demo\DEMO.EXE
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\lmeadm\Application Data\Mozilla\Firefox\Profiles\6hqlyqho.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\lmeadm\Application Data\Mozilla\Firefox\Profiles\6hqlyqho.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\monicag\Application Data\Mozilla\Firefox\Profiles\1cr2yboa.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\monicag\Application Data\Mozilla\Firefox\Profiles\1cr2yboa.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\monicag\Application Data\Mozilla\Firefox\Profiles\1cr2yboa.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\monicag\Application Data\Mozilla\Firefox\Profiles\1cr2yboa.default\cookies.txt[.247realmedia.com/]
    In addition, I ran a new HijackThis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 8:40:20 AM, on 10/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\monicag\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe "
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe "
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    It seems like it might be gone now.

    Thanks again,
    mtaffer
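Post 11 asks for the Panda ActiveScan log with cookie, Recycler and restore/System Volume folder references edited out, and post 12 shows what the raw report looks like. The script below is an added example written for this page (not Panda's tool and not anything the helper or poster used) that parses that "Incident Status Location" layout and applies the same filter automatically, so only the findings that matter for triage are left. The report lines, file names and paths are constructed to mirror the layout; the set of status words is an assumption.

```python
import re
from collections import Counter

# Constructed lines in the Panda ActiveScan report layout (not a real report):
# "<incident> <status> <location>". One genuine detection plus the noise the
# helper asked to be edited out: tracking cookies, the Recycle Bin, and
# System Restore snapshots under System Volume Information.
SAMPLE_REPORT = """\
Incident Status Location

Possible Virus. Not disinfected C:\\tools\\demo\\DEMO.EXE
Spyware:Cookie/Doubleclick Not disinfected C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\\Documents and Settings\\user\\Cookies\\user@atdmt[1].txt
Adware:Adware/Example Not disinfected C:\\RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1004\\Dc3.exe
Virus:Trj/Example.A Not disinfected C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP12\\A0001234.exe
Virus:Trj/Example.A Disinfected C:\\WINDOWS\\system32\\example32.exe
"""

# Assumed status vocabulary; extend if a report uses other words.
STATUSES = ('Not disinfected', 'Disinfected', 'Deleted', 'Renamed')
LINE_RE = re.compile(
    r'^(?P<incident>.+?) (?P<status>' + '|'.join(STATUSES) + r') (?P<location>.+)$'
)
# Recycle Bin and System Restore snapshot paths on Windows XP.
NOISE_RE = re.compile(r'\\RECYCLER\\|\\System Volume Information\\', re.IGNORECASE)


def parse_report(text):
    """Turn report lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def noise_reason(entry):
    """Why an entry is noise for triage, or None if it should be kept."""
    if entry['incident'].startswith('Spyware:Cookie'):
        return 'cookie'
    if NOISE_RE.search(entry['location']):
        return 'recycler/restore'
    return None


def filter_report(text):
    """Return (kept entries, Counter of dropped entries by reason)."""
    kept, dropped = [], Counter()
    for e in parse_report(text):
        reason = noise_reason(e)
        if reason:
            dropped[reason] += 1
        else:
            kept.append(e)
    return kept, dropped


if __name__ == '__main__':
    kept, dropped = filter_report(SAMPLE_REPORT)
    for e in kept:
        print(f"{e['incident']:<28} {e['status']:<16} {e['location']}")
    print('dropped:', dict(dropped))
```

Entries under System Volume Information are dropped from the posted log only because they are inert until a restore point is applied; they still need to be flushed (by disabling and re-enabling System Restore) once the machine is confirmed clean, which is why the helper defers that step.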
     
