kristen930 Posted December 16, 2008

Tonight the Norton program on my computer was going crazy with pop-ups saying that I was trying to send e-mails with subjects that looked like typical spam to addresses I was not familiar with. I ran some other programs, and found that csrsc.exe and VMwareservice.exe and a bunch of backdoor trojans are on my computer. I found on another post here a program called SDFix, and these are the results below. I am stuck as to what to do next. Thank you in advance for any help you can give me!!

SDFix: Version 1.240
Run by Kristen on Mon 12/15/2008 at 11:21 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:
C:\WINDOWS\system32\msvcrt2.dll - Deleted
C:\WINDOWS\system32\SysMgr.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 23:27:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Fri 12 Dec 2008 23,552 ..SHR --- "C:\WINDOWS\system\VMwareService.exe"
Thu 11 Dec 2008 32,256 ..SHR --- "C:\WINDOWS\system32\csrsc.exe"
Tue 13 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 6 Dec 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2C.tmp"
Tue 13 Dec 2005 1,337 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"

Finished!
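The "Files with Hidden Attributes" section of the SDFix log above is where the two files named in the opening post actually show up, and it is worth knowing how to read it: the attribute column (A archive, S system, H hidden, R read-only), the location and the modification date together separate Spybot's own hidden DLLs under Program Files from a freshly dropped system+hidden executable under C:\WINDOWS whose name is one letter off csrss.exe. The script below is an added example, not part of the thread and not SDFix's code; it parses that listing (the sample input is the listing quoted from the post) and reports the entries a helper would look at first. The 30-day recency window and the list of core binary names it compares against are assumptions of the example; a flagged entry is a lead to check, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample input: the "Files with Hidden Attributes" lines quoted
# verbatim from the SDFix log above, so the parser runs on real tool output.
SDFIX_HIDDEN = r"""
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Fri 12 Dec 2008 23,552 ..SHR --- "C:\WINDOWS\system\VMwareService.exe"
Thu 11 Dec 2008 32,256 ..SHR --- "C:\WINDOWS\system32\csrsc.exe"
Tue 13 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 6 Dec 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2C.tmp"
Tue 13 Dec 2005 1,337 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
"""

SCAN_DATE = datetime(2008, 12, 15)  # the SDFix run date shown in the log header

ENTRY_RE = re.compile(
    r'^(?P<date>[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$'
)

# Assumed list of names a dropper likes to imitate; csrss.exe is the one
# this thread's csrsc.exe is one character away from.
CORE_BINARIES = ("csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "svchost.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe")


def parse_hidden_listing(text):
    """Turn SDFix 'Files with Hidden Attributes' lines into dicts; skip anything else."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "modified": datetime.strptime(m["date"], "%a %d %b %Y"),
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],          # A=archive, S=system, H=hidden, R=read-only
                "path": m["path"],
            })
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the core Windows binary `filename` is one edit away from, else None."""
    name = filename.lower()
    for real in CORE_BINARIES:
        if name != real and edit_distance(name, real) <= 1:
            return real
    return None


def triage(entries, scan_date=SCAN_DATE, recent_days=30):
    """Return (path, reasons) for entries that deserve a closer look."""
    findings = []
    for e in entries:
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        under_windows = path.startswith("c:\\windows\\")
        reasons = []
        if under_windows and "S" in e["attrs"] and "H" in e["attrs"]:
            reasons.append("system+hidden attributes on a file under the Windows directory")
        if under_windows and (scan_date - e["modified"]).days <= recent_days:
            reasons.append(f"modified within {recent_days} days of the scan")
        real = lookalike_of(name)
        if real:
            reasons.append(f"name is one edit away from {real}")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def flagged_paths(text=SDFIX_HIDDEN, scan_date=SCAN_DATE):
    """Convenience wrapper: just the paths triage() flags, in log order."""
    return [p for p, _ in triage(parse_hidden_listing(text), scan_date)]


if __name__ == "__main__":
    for path, reasons in triage(parse_hidden_listing(SDFIX_HIDDEN)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run as-is it reports exactly the two files the poster was worried about, VMwareService.exe (hidden system file under C:\WINDOWS\system, three days old) and csrsc.exe (same, plus the csrss.exe look-alike name), and stays quiet about the Spybot files, which carry the same A.SHR attributes but live under Program Files. The legitimate VMwareService.exe also normally lives under Program Files, which is one more reason the copy under the Windows directory stands out.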
essexboy Posted December 16, 2008

Hi kristen, let's get the big boy on it first and see what that reveals.

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
kristen930 Posted December 16, 2008

Here is the ComboFix log. My only problem came at the end when my computer was rebooted. I had disabled Norton Antivirus, but it was back on once the system was rebooted. I did tell it to allow ComboFix to proceed. Sorry about that... if I need to run ComboFix again, please let me know and I will set Norton to not start up during reboot. Thank you!

ComboFix 08-12-15.08 - Kristen 2008-12-16 14:27:03.1 - NTFSx86
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cdpxwsyy.ini
c:\windows\system32\csrsc.exe
c:\windows\system32\fccdBQkK.dll
c:\windows\System32\geBqQGxU.dll
c:\windows\system32\mlJCUlLd.dll
c:\windows\system32\qoMeFxvW.dll
c:\windows\system32\ruszrp.dll
c:\windows\system32\UxGQqBeg.ini
c:\windows\system32\UxGQqBeg.ini2
c:\windows\system32\xbsnsjhq.dll
c:\windows\System32\yayyYqNe.dll
c:\windows\system32\yyswxpdc.dll
c:\windows\Tasks\trglhoqu.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
-------\Legacy_WINSPOOLSVC
-------\Service_WinSpoolSvc


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-16 14:05 . 2008-12-16 14:05 70,144 --a------ c:\windows\system32\mlJYrSjK.dll
2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix
2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease
2008-12-15 22:15 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-15 21:41 . 2008-12-15 21:42 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe
2008-12-13 16:11 . 2008-12-13 16:11 11,656 --a------ c:\windows\system32\drivers\srwsvc.sys
2008-12-12 19:54 . 2008-12-12 19:54 23,552 -r-hs---- c:\windows\system\VMwareService.exe
2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET
2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus
2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks
2008-11-18 02:47 --------- d-----w c:\program files\AWS
2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint
2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]
"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

R2 srwsvc;srwsvc;\??\c:\windows\system32\drivers\srwsvc.sys [2008-12-13 11656]
R2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" [2008-12-12 23552]
R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-15 28672]
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{53104df4-6eee-4fbd-8b3b-5396e058d0ba} - c:\windows\System32\ruszrp.dll
BHO-{66DECFF2-B0C1-4284-BADB-FDF66C18263E} - c:\windows\System32\geBqQGxU.dll
HKCU-Run-RecordNow! - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
HKLM-Run-Microsoft® System Manager - c:\windows\system32\sysmgr.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
-
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 14:34:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\gearsec.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Norton AntiVirus\SAVSCAN.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
.
**************************************************************************
.
Completion time: 2008-12-16 14:37:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 20:37:40

Pre-Run: 43,320,029,184 bytes free
Post-Run: 43,580,502,016 bytes free

winxpsp1_en_hom_bf.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

176
essexboy Posted December 16, 2008

Let's move swiftly on then to clear a few more.

1. Please open Notepad
Click Start, then Run
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
RkHit
VMwareService
srwsvc

File::
c:\windows\system32\mlJYrSjK.dll
c:\windows\system32\drivers\RKHit.sys
c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\srwsvc.sys

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
kristen930 Posted December 16, 2008

I hope these are what you need below!

ComboFix

ComboFix 08-12-15.08 - Kristen 2008-12-16 16:18:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.284 [GMT -6:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kristen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\srwsvc.sys
c:\windows\system32\mlJYrSjK.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\srwsvc.sys
c:\windows\system32\mlJYrSjK.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Legacy_SRWSVC
-------\Legacy_VMWARESERVICE
-------\Service_RkHit
-------\Service_srwsvc
-------\Service_VMwareService


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix
2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease
2008-12-15 21:41 . 2008-12-16 14:55 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe
2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET
2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus
2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks
2008-11-18 02:47 --------- d-----w c:\program files\AWS
2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint
2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]
"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kristen\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-09-11 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys []
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []

*Newly Created Service* - RKHIT
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
-
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 16:21:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\gearsec.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
.
**************************************************************************
.
Completion time: 2008-12-16 16:24:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 22:24:32
ComboFix2.txt 2008-12-16 20:37:43

Pre-Run: 43,557,396,480 bytes free
Post-Run: 43,558,584,320 bytes free

159

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:29 PM, on 12/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spyware Cease\SpywareCease.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\AOL\1134501755\ee\aolsoftware.exe
c:\program files\common files\aol\1134501755\ee\aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9638 bytes
essexboy Posted December 16, 2008

Now let's clear the waifs and strays and see what remains.

Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
kristen930 Posted December 17, 2008

I think something may have messed up today. I was on my computer tonight and pressed "Control+ALT+DEL" for the Windows Task Manager, and under the Processes, I saw (and still see) csrss.exe. I have spent limited time on-line today, mainly coming to this forum to check this post. I am currently on a shared wireless internet at a hotel, and was wondering if it might be possible that someone is infecting my computer through this shared connection? I have run MBAM, and have also re-run ComboFix and HJT. I did not see csrss.exe in the logs, but it is still under the Processes. Thank you, and I am sorry if this is causing any inconvenience.

MBAM

Malwarebytes' Anti-Malware 1.31
Database version: 1510
Windows 5.1.2600 Service Pack 1

12/16/2008 11:01:24 PM
mbam-log-2008-12-16 (23-01-24).txt

Scan type: Quick Scan
Objects scanned: 48767
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix

ComboFix 08-12-15.08 - Kristen 2008-12-16 22:19:31.3 - NTFSx86
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\csrsc.exe
c:\windows\system32\cylwqogs.ini
c:\windows\system32\hgGwvuvV.dll
c:\windows\system32\jgkhkr.dll
c:\windows\System32\jkkkHbYr.dll
c:\windows\system32\rYbHkkkj.ini
c:\windows\system32\rYbHkkkj.ini2
c:\windows\system32\sgoqwlyc.dll
c:\windows\system32\wuykimfn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINSPOOLSVC
-------\Service_WinSpoolSvc

((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\Kristen\Application Data\SUPERAntiSpyware.com
2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-16 16:40 . 2008-12-16 16:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-16 16:22 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix
2008-12-15 22:15 . 2008-12-16 16:28 <DIR> d-------- c:\program files\Spyware Cease
2008-12-15 21:41 . 2008-12-16 22:13 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 21:01 . 2008-12-16 18:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe
2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET
2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus
2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks
2008-11-18 02:47 --------- d-----w c:\program files\AWS
2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint
2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug
.

((((((((((((((((((((((((((((( [email protected]_14.36.53.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-17 00:48:22 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-17 00:48:22 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-12-16 03:23:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-17 04:05:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]
"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kristen\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-09-11 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jgkhkr.dll

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-16 28672]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{634D1F43-24C9-49F9-8BE6-C2A6C435CDC0} - c:\windows\System32\jkkkHbYr.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
-
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 22:25:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\gearsec.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-16 22:29:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-17 04:29:07
ComboFix2.txt 2008-12-16 22:24:57
ComboFix3.txt 2008-12-16 20:37:43

Pre-Run: 43,720,171,520 bytes free
Post-Run: 43,712,733,184 bytes free

177

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:27 PM, on 12/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Cease\SpywareCease.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kristen\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O20 - AppInit_DLLs: jgkhkr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

-- End of file - 9607 bytes
essexboy Posted December 17, 2008

That is the legitimate file; notice the difference in spelling.

Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneously running tasks. Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 console is the plain text window in the Windows API system (programs can use the console without the need for image display).

The main question is how is your computer running now?
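The helper's point is that the malicious csrsc.exe and the legitimate csrss.exe differ by a single letter. The script below is an added example, not a tool anyone in this thread used: it checks each running process path against a short list of core Windows XP processes, flagging names within one edit (or one swapped letter pair) of a core name and core names running from an unexpected directory. The process list is constructed; most paths come from the HijackThis log above, and the last two entries are invented to exercise the remaining checks.

```python
"""Flag process names that impersonate core Windows processes.

Added example for this thread, not a tool the posters used. Two checks:
  1. a name within one edit of a core process name (csrsc.exe ~ csrss.exe),
  2. a core process name running from a non-standard directory.
"""
import ntpath  # Windows path handling that also works on a non-Windows host

# Core Windows XP processes and the directory each is expected to run from
# (lower-cased). Trimmed to the ones that appear in the thread's HJT log.
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each at cost 1 (so scvhost ~ svchost is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(path: str) -> tuple:
    """Return (verdict, reason) for one full process path.

    verdict is 'ok', 'suspicious' or 'unlisted'."""
    directory, name = ntpath.split(ntpath.normpath(path).lower())
    if name in CORE_PROCESSES:
        expected = CORE_PROCESSES[name]
        if directory == expected:
            return "ok", f"{name} runs from its expected directory"
        return "suspicious", f"{name} runs from {directory}, expected {expected}"
    stem = ntpath.splitext(name)[0]
    for core in CORE_PROCESSES:
        if osa_distance(stem, ntpath.splitext(core)[0]) <= 1:
            return "suspicious", f"{name} is a lookalike of core process {core}"
    return "unlisted", f"{name} is not a core process; check its publisher"


def scan(paths):
    """Classify every path; returns a list of (path, verdict, reason)."""
    return [(p, *classify(p)) for p in paths]


# Constructed sample list: the first three paths appear in the thread's logs,
# the last two are invented to exercise the remaining checks.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\csrss.exe",
    r"C:\WINDOWS\system32\csrsc.exe",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\Documents and Settings\Kristen\Local Settings\Temp\svchost.exe",
    r"C:\WINDOWS\System32\scvhost.exe",
]

if __name__ == "__main__":
    for path, verdict, reason in scan(SAMPLE_PROCESSES):
        print(f"{verdict:10} {path}\n           {reason}")
```

The name check is a heuristic: it catches one-letter lookalikes and misplaced core binaries, not a malicious file that overwrites the real one in place, which needs a signature or hash comparison.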
kristen930 Posted December 17, 2008

Thank you for the clarification. To me, my computer seems to be running well. When I ran ThreatExpert yesterday afternoon, it told me my computer was clean. Later that night, it found some malicious entries. I just re-ran ThreatExpert, and here are the details. Thank you.

Full Scan Summary:

* Scan details:
  o Scan started: Wednesday, December 17, 2008 15:32:01
  o Scan time: 02 minutes, 02 seconds
  o Number of memory objects scanned: 4708
    + processes: 41
    + modules: 1471
    + heap pages: 3196
  o Number of suspicious memory objects detected: 0
  o Number of malicious memory objects detected: 5
  o Overall Risk Level: High

* Summary of the detected threat characteristics:

Severity Level / What's been found

Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.
View detected locations
  * Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000]
  * Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000]
  * Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000]
  * Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000]

A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
View detected locations
  * Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
View detected locations
  * Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

Communication with a remote IRC server.
View detected locations
  * Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

* Summary of the detected memory objects:

Severity Level / Memory Object

Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000]
View detected characteristics
  * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000]
View detected characteristics
  * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000]
View detected characteristics
  * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

Process "csrsc.exe", main module: [0x00400000 - 0x00484000]
View detected characteristics
  * A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
  * MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
  * Communication with a remote IRC server.

Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000]
View detected characteristics
essexboy Posted December 17, 2008

According to that you are re-infected. I am running ThreatExpert on my system at the moment to see if it is reporting right. But for confirmation, as something seems a bit hickey:

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All Users
Check the Radio button for Rootkit check YES
Under Additional Scans check the following:
File - Lop Check
File - Purity Scan
Evnt - EventViewer Errors/Warnings (last 10)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
kristen930 Posted December 18, 2008

I am using a different computer to reply right now. I have been keeping my computer offline today and re-ran several of the programs recommended here. ThreatExpert came back with everything being safe. I will have a more secure internet connection this weekend, and will wait until then to do your suggestions. I am not familiar with Mediafire. Since ThreatExpert has its log come up in the internet browser, do I just do "Save Page As" and send that via Mediafire? Thank you
essexboy Posted December 18, 2008

The OTScanit will produce a text file. It could be quite large, so if you upload it to mediafire and post the sharing link I will download and then analyse it.