mte01
Removing hldrr virus/trojan
Hey experts,
Can anyone check the following HijackThis log? There is most likely a virus/trojan called hldrr.exe; any help on removing it?
Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\drivers\downld\57210421.exe
C:\WINDOWS\system32\drivers\downld\57220468.exe
C:\Documents and Settings\mahar\Desktop\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tom:8082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 195.112.*.*;*.cyberia.net.lb;<local>
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\Software\..\Telephony: DomainName = cyberia.net.lb
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D90FB4-4110-4E8C-9D85-1A6B019E1B5F}: NameServer = 195.112.195.34,195.112.195.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
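As an added example (not from the original thread and not part of HijackThis itself), here is a small Python triage script for the HijackThis v1.99 line format shown above. It flags the entry types a responder looks at first: O4 Run values and running processes whose executable lives in a directory where autostarts are unusual (such as system32\drivers or a user's Desktop), orphaned O2 BHO registrations, and a configured proxy to verify against what the site expects. The sample log is constructed from a few lines of the log above, and the list of "unusual" directories is an assumption of this example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.99 line format, modelled on the log in
# the question (same kinds of entries, a few of the same paths).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\downld\57210421.exe
C:\Documents and Settings\mahar\Desktop\alternativ.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tom:8082
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Directories from which an autostart or running executable is unusual enough
# to deserve a closer look. Heuristic chosen for this example (assumption),
# matched case-insensitively as substrings of the full path.
SUSPECT_DIRS = (
    "\\windows\\system32\\drivers\\",  # drivers\ holds .sys files, not .exe autostarts
    "\\downld\\",
    "\\desktop\\",
    "\\temp\\",
    "\\local settings\\",
)

# Every HijackThis finding line starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body, e.g.  HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Either a quoted path or an unquoted one ending in .exe (arguments may follow).
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    code: str      # HijackThis section code, or "PROC" for a running process
    subject: str   # autostart value name, BHO name, or the path itself
    path: str
    reason: str


def executable_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing arguments from an O4 command line."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group(1) or m.group(2)


def is_suspect_location(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in SUSPECT_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve a first look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # Lines between "Running processes:" and the first Rn/On entry are paths.
            if in_processes and is_suspect_location(line):
                findings.append(Finding("PROC", line, line,
                                        "process running from an unusual directory"))
            continue
        in_processes = False
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4 is not None:
                path = executable_path(o4.group("cmd"))
                if is_suspect_location(path):
                    findings.append(Finding(
                        code, o4.group("name"), path,
                        f"{o4.group('hive')} Run value starts an executable "
                        "from an unusual directory"))
        elif code == "O2" and body.endswith("- (no file)"):
            name = body[len("BHO: "):].split(" - ")[0]
            findings.append(Finding(code, name, "",
                                    "orphaned BHO registration (DLL missing)"))
        elif code == "R1" and ",ProxyServer = " in body:
            proxy = body.split(",ProxyServer = ", 1)[1]
            findings.append(Finding(code, "ProxyServer", proxy,
                                    "proxy configured; confirm it is the expected one"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.subject:<14} {f.reason}  {f.path}")
```

On the constructed sample this reports the drvsyskit Run value, the two processes in drivers\downld and on the Desktop, the orphaned BHO and the proxy, while the ccApp and ctfmon entries pass untouched.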
ASKER CERTIFIED SOLUTION
ASKER
>>rpgammergirl
Thanks a lot for your help!
It seems to have fixed the issue; please find below the ComboFix log:
ComboFix 08-04-15.1 - mahar 2008-04-16 10:20:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT 3:00]
Running from: C:\Documents and Settings\mahar\Desktop\Combo-Fix.exe
Command switches used :: /KillAll
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\00A49983.urr
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\sdlflzoip
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\57210421.exe
C:\WINDOWS\system32\drivers\downld\57220468.exe
C:\WINDOWS\system32\drivers\downld\57397718.exe
C:\WINDOWS\system32\drivers\downld\57455671.exe
C:\WINDOWS\system32\drivers\downld\57552328.exe
C:\WINDOWS\system32\drivers\downld\57602734.exe
C:\WINDOWS\system32\drivers\downld\880343.exe
C:\WINDOWS\system32\drivers\downld\892187.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_srosa
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
2008-04-16 10:26 . 2008-04-16 10:26 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-15 15:53 . 2008-04-15 15:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-14 10:06 . 2008-04-15 15:13 <DIR> d-------- C:\microsoftg
2008-04-10 10:44 . 2008-04-10 10:44 <DIR> d-------- C:\Documents and Settings\mahar\Application Data\SmartFTP
2008-04-10 10:43 . 2008-04-10 10:43 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-04-10 10:42 . 2008-04-10 10:42 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-10 10:10 . 2008-04-10 10:28 <DIR> d-------- C:\Program Files\DivX
2008-04-10 09:40 . 2008-04-10 09:44 <DIR> d-------- C:\Program Files\WS_FTP Pro
2008-04-10 09:40 . 2008-04-10 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-10 09:40 . 2002-07-16 18:08 49,152 --a------ C:\WINDOWS\system32\FTPStubInstUtils.dll
2008-04-10 09:39 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\ISUninst.exe
2008-04-10 08:42 . 2008-04-10 08:42 268 --ah----- C:\sqmdata07.sqm
2008-04-10 08:42 . 2008-04-10 08:42 244 --ah----- C:\sqmnoopt07.sqm
2008-03-25 12:17 . 2008-03-25 12:17 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-17 10:04 . 2008-03-17 10:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 14:16 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-15 14:08 --------- d-----w C:\Program Files\eMule
2008-04-15 09:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-11 11:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-10 07:03 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-21 10:18 --------- d-----w C:\Documents and Settings\mahar\Application Data\Move Networks
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
2008-02-15 09:56 1555480 --a------ C:\Program Files\speed-bit\tbspe0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= "C:\Program Files\speed-bit\tbspe0.dll" [2008-02-15 09:56 1555480]
[HKEY_CLASSES_ROOT\clsid\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspe0.dll [2008-02-15 09:56 1555480]
[HKEY_CLASSES_ROOT\clsid\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-07-24 04:01 684032]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 17:45 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CommCtr]
--a------ 2006-05-24 18:36 2383872 C:\PROGRA~1\NET2PH~1\CommCtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2007-08-13 12:28 4376328 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2004-07-24 04:01 684032 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrCtrl]
C:\Program Files\WinRoute Pro\wrctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"PRTGService"=2 (0x2)
"MDaemon"=3 (0x3)
"gusvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S3 MDaemon;MDaemon;C:\MDaemon\APP\MDAEMON.EXE [2003-09-12 13:53]
S3 PRTGService;PRTG Service - Paessler Router Traffic Grapher;C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe [2006-03-06 16:16]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 10:25:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
.
**************************************************************************
.
Completion time: 2008-04-16 10:32:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 07:32:08
Pre-Run: 21,745,344,512 bytes free
Post-Run: 22,269,812,736 bytes free
.
2008-04-10 00:06:15 --- E O F ---
Sorry, didn't see you already posted.
Thanks for the log, looks good...
ASKER
>>rpgammergirl
OK; can you now check the ComboFix log to see if there's anything else that needs to be fixed? Thanks in advance.
Looks good... fingers crossed.
ASKER
>>rpgammergirl
Indeed this ComboFix fixed a lot of stuff, but we still have an issue with IE7; it is behaving very weirdly and making me unable to open any site (for example, after it opens the default blank homepage, if you try to navigate to any site you will get nothing, and at times the browser will open duplicate menus and toolbars); please find below the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:44, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mahar\Desktop\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tom:8082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 195.112.*.*;*.cyberia.net.lb;<local>
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll /206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\Software\..\Telephony: DomainName = cyberia.net.lb
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D90FB4-4110-4E8C-9D85-1A6B019E1B5F}: NameServer = 195.112.195.34,195.112.195.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
This is the only obvious nasty entry showing there, you can fix this one.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
Those O17 entries "cyberia.net.lb", do you recognize those? Are those your domain?
Also try disabling add-ons in IE and see if that helps. Did the problem start with the hldrr issue?
Troubleshoot that it's not Norton or some app causing it.
Let's try DrWebCureIt.
Download and install DrWebCureit:
http://download.drweb.com/drweb+cureit/
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done",
click on the green screwdriver.
Actions Tab: Adware-Dialers-Riskware-Hacktools, use the dropdown menu and select -Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
ASKER
>>rpagammergirl
>>Those O17 entries "cyberia.net.lb", do you recognize those? Are those your domain?
Yes, this is my domain.
>>This is the only obvious nasty entry showing there, you can fix this one.
Yes; I'll do that, and I'll inform you of the results.
ASKER
>>rpgammergirl
>>Did the problem start with the hldrr issue?
Yes, but there were obviously other viruses/trojans in the PC.
ASKER
>>rpammergirl
Ok; this seems to have fixed this issue, and Symantec also caught another virus (HijackIt Rootkit) :)
Can you please check the latest hijackthis log for any other issues:
Logfile of HijackThis v1.99.1
Scan saved at 10:20, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\mahar\Desktop\alternativ.exe
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspe0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll /206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\Software\..\Telephony: DomainName = cyberia.net.lb
O17 - HKLM\System\CCS\Services\Tcpip\..\{14D7C7BF-0750-447E-8C0F-CFBF2E9EEB09}: NameServer = 195.112.195.34 195.112.195.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O17 - HKLM\System\CS1\Services\Tcpip\..\{14D7C7BF-0750-447E-8C0F-CFBF2E9EEB09}: NameServer = 195.112.195.34 195.112.195.35
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberia.net.lb
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
HijackIt rootkit? Does it tell you the file and location of the said rootkit?
I won't have online access for a week starting tomorrow so I won't be able to reply for at least a week.
Thanks!
ASKER
>>rpgammergirl
It's ok; the computer seems to be up and running normally & cleanly right now... many thanks for your help!
You're welcome.
That's great! I'm glad to know it's running normally.
Thank you.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
It's also important that we look at the combofix log to check for any files not being deleted.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.