Removing hldrr virus/trojan
Hey experts,
Can anyone check the following hijackthis log - There is mostly a virus/trojan called hldrr.exe; any helping on removing it??
Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\Documents and Settings\mahar\Desktop\alt
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-B
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\driver
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
Can anyone check the following hijackthis log - There is mostly a virus/trojan called hldrr.exe; any helping on removing it??
Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\Documents and Settings\mahar\Desktop\alt
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-B
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\driver
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
>>rpgammergirl
Thanks a lot for your help!
It seems to have fixed the issue; please find below the combofix log:
ComboFix 08-04-15.1 - mahar 2008-04-16 10:20:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.
Running from: C:\Documents and Settings\mahar\Desktop\Com
Command switches used :: /KillAll
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Scree
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Hist
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\sdlflzoip
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\mdelk.
C:\WINDOWS\system32\packet
C:\WINDOWS\system32\wanpac
C:\WINDOWS\system32\wintem
.
((((((((((((((((((((((((((
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_srosa
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 ))))))))))))))))))))))))))
.
2008-04-16 10:26 . 2008-04-16 10:26 <DIR> d-------- C:\WINDOWS\system32\driver
2008-04-15 15:53 . 2008-04-15 15:53 <DIR> d--h----- C:\WINDOWS\system32\GroupP
2008-04-14 10:06 . 2008-04-15 15:13 <DIR> d-------- C:\microsoftg
2008-04-10 10:44 . 2008-04-10 10:44 <DIR> d-------- C:\Documents and Settings\mahar\Application
2008-04-10 10:43 . 2008-04-10 10:43 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-04-10 10:42 . 2008-04-10 10:42 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-10 10:10 . 2008-04-10 10:28 <DIR> d-------- C:\Program Files\DivX
2008-04-10 09:40 . 2008-04-10 09:44 <DIR> d-------- C:\Program Files\WS_FTP Pro
2008-04-10 09:40 . 2008-04-10 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-10 09:40 . 2002-07-16 18:08 49,152 --a------ C:\WINDOWS\system32\FTPStu
2008-04-10 09:39 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\ISUninst.exe
2008-04-10 08:42 . 2008-04-10 08:42 268 --ah----- C:\sqmdata07.sqm
2008-04-10 08:42 . 2008-04-10 08:42 244 --ah----- C:\sqmnoopt07.sqm
2008-03-25 12:17 . 2008-03-25 12:17 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-17 10:04 . 2008-03-17 10:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
.
((((((((((((((((((((((((((
.
2008-04-15 14:16 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-15 14:08 --------- d-----w C:\Program Files\eMule
2008-04-15 09:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k
2008-03-17 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-11 11:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-10 07:03 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\winine
2008-02-21 10:18 --------- d-----w C:\Documents and Settings\mahar\Application
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrsl
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Brow
2008-02-15 09:56 1555480 --a------ C:\Program Files\speed-bit\tbspe0.dll
[HKEY_LOCAL_MACHINE\SOFTWA
"{2BA521AC-B9B9-4433-BA45-
[HKEY_CLASSES_ROOT\clsid\{
[HKEY_CURRENT_USER\Softwar
"{2BA521AC-B9B9-4433-BA45-
[HKEY_CLASSES_ROOT\clsid\{
[HKEY_CURRENT_USER\SOFTWAR
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
"swg"="C:\Program Files\Google\GoogleToolbar
"BitComet"="C:\Program Files\BitComet\BitComet.ex
"BgMonitor_{79662E04-7C6C-
"ctfmon.exe"="C:\WINDOWS\s
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\SOFTWA
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMA
"SunJavaUpdateSched"="C:\P
"NeroFilterCheck"="C:\WIND
[HKEY_LOCAL_MACHINE\softwa
"EnableLUA"= 0 (0x0)
[HKLM\~\startupfolder\C:^D
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acro
backup=C:\WINDOWS\pss\Acro
[HKLM\~\startupfolder\C:^D
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Goog
backup=C:\WINDOWS\pss\Goog
[HKEY_LOCAL_MACHINE\softwa
--a------ 2006-05-24 18:36 2383872 C:\PROGRA~1\NET2PH~1\CommC
[HKEY_LOCAL_MACHINE\softwa
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon
[HKEY_LOCAL_MACHINE\softwa
--a------ 2007-08-13 12:28 4376328 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\softwa
--------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\softwa
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin
[HKEY_LOCAL_MACHINE\softwa
--a------ 2004-07-24 04:01 684032 C:\Program Files\Google\GoogleToolbar
[HKEY_LOCAL_MACHINE\softwa
C:\Program Files\WinRoute Pro\wrctrl.exe
[HKEY_LOCAL_MACHINE\softwa
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"PRTGService"=2 (0x2)
"MDaemon"=3 (0x3)
"gusvc"=2 (0x2)
[HKLM\~\services\sharedacc
"%windir%\\system32\\sessm
"C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.e
"C:\\Program Files\\Windows Live\\Messenger\\livecall.
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
[HKLM\~\services\sharedacc
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22
S3 MDaemon;MDaemon;C:\MDaemon
S3 PRTGService;PRTG Service - Paessler Router Traffic Grapher;C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe [2006-03-06 16:16]
.
**************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 10:25:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
.
**************************
.
Completion time: 2008-04-16 10:32:14 - machine was rebooted
ComboFix-quarantined-files
Pre-Run: 21,745,344,512 bytes free
Post-Run: 22,269,812,736 bytes free
.
2008-04-10 00:06:15 --- E O F ---
Thanks a lot for your help!
It seems to have fixed the issue; please find below the combofix log:
ComboFix 08-04-15.1 - mahar 2008-04-16 10:20:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.
Running from: C:\Documents and Settings\mahar\Desktop\Com
Command switches used :: /KillAll
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Scree
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Hist
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\Program Files\MyWebSearch\bar\Sett
C:\sdlflzoip
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\mdelk.
C:\WINDOWS\system32\packet
C:\WINDOWS\system32\wanpac
C:\WINDOWS\system32\wintem
.
((((((((((((((((((((((((((
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_srosa
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 ))))))))))))))))))))))))))
.
2008-04-16 10:26 . 2008-04-16 10:26 <DIR> d-------- C:\WINDOWS\system32\driver
2008-04-15 15:53 . 2008-04-15 15:53 <DIR> d--h----- C:\WINDOWS\system32\GroupP
2008-04-14 10:06 . 2008-04-15 15:13 <DIR> d-------- C:\microsoftg
2008-04-10 10:44 . 2008-04-10 10:44 <DIR> d-------- C:\Documents and Settings\mahar\Application
2008-04-10 10:43 . 2008-04-10 10:43 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-04-10 10:42 . 2008-04-10 10:42 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-10 10:10 . 2008-04-10 10:28 <DIR> d-------- C:\Program Files\DivX
2008-04-10 09:40 . 2008-04-10 09:44 <DIR> d-------- C:\Program Files\WS_FTP Pro
2008-04-10 09:40 . 2008-04-10 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-10 09:40 . 2002-07-16 18:08 49,152 --a------ C:\WINDOWS\system32\FTPStu
2008-04-10 09:39 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\ISUninst.exe
2008-04-10 08:42 . 2008-04-10 08:42 268 --ah----- C:\sqmdata07.sqm
2008-04-10 08:42 . 2008-04-10 08:42 244 --ah----- C:\sqmnoopt07.sqm
2008-03-25 12:17 . 2008-03-25 12:17 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-17 10:04 . 2008-03-17 10:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
.
((((((((((((((((((((((((((
.
2008-04-15 14:16 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-15 14:08 --------- d-----w C:\Program Files\eMule
2008-04-15 09:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k
2008-03-17 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-11 11:36 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-10 07:03 --------- d-----w C:\Program Files\Java
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\winine
2008-02-21 10:18 --------- d-----w C:\Documents and Settings\mahar\Application
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrsl
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Brow
2008-02-15 09:56 1555480 --a------ C:\Program Files\speed-bit\tbspe0.dll
[HKEY_LOCAL_MACHINE\SOFTWA
"{2BA521AC-B9B9-4433-BA45-
[HKEY_CLASSES_ROOT\clsid\{
[HKEY_CURRENT_USER\Softwar
"{2BA521AC-B9B9-4433-BA45-
[HKEY_CLASSES_ROOT\clsid\{
[HKEY_CURRENT_USER\SOFTWAR
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
"swg"="C:\Program Files\Google\GoogleToolbar
"BitComet"="C:\Program Files\BitComet\BitComet.ex
"BgMonitor_{79662E04-7C6C-
"ctfmon.exe"="C:\WINDOWS\s
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\SOFTWA
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMA
"SunJavaUpdateSched"="C:\P
"NeroFilterCheck"="C:\WIND
[HKEY_LOCAL_MACHINE\softwa
"EnableLUA"= 0 (0x0)
[HKLM\~\startupfolder\C:^D
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acro
backup=C:\WINDOWS\pss\Acro
[HKLM\~\startupfolder\C:^D
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Goog
backup=C:\WINDOWS\pss\Goog
[HKEY_LOCAL_MACHINE\softwa
--a------ 2006-05-24 18:36 2383872 C:\PROGRA~1\NET2PH~1\CommC
[HKEY_LOCAL_MACHINE\softwa
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon
[HKEY_LOCAL_MACHINE\softwa
--a------ 2007-08-13 12:28 4376328 C:\Program Files\DAP\DAP.exe
[HKEY_LOCAL_MACHINE\softwa
--------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\softwa
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin
[HKEY_LOCAL_MACHINE\softwa
--a------ 2004-07-24 04:01 684032 C:\Program Files\Google\GoogleToolbar
[HKEY_LOCAL_MACHINE\softwa
C:\Program Files\WinRoute Pro\wrctrl.exe
[HKEY_LOCAL_MACHINE\softwa
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"PRTGService"=2 (0x2)
"MDaemon"=3 (0x3)
"gusvc"=2 (0x2)
[HKLM\~\services\sharedacc
"%windir%\\system32\\sessm
"C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.e
"C:\\Program Files\\Windows Live\\Messenger\\livecall.
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
[HKLM\~\services\sharedacc
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22
S3 MDaemon;MDaemon;C:\MDaemon
S3 PRTGService;PRTG Service - Paessler Router Traffic Grapher;C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe [2006-03-06 16:16]
.
**************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 10:25:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 4
**************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
.
**************************
.
Completion time: 2008-04-16 10:32:14 - machine was rebooted
ComboFix-quarantined-files
Pre-Run: 21,745,344,512 bytes free
Post-Run: 22,269,812,736 bytes free
.
2008-04-10 00:06:15 --- E O F ---
sorry..didn't see you already posted.
Thanks for the log, looks good...
Thanks for the log, looks good...
ASKER
>>rpgammergirl
Ok; can you check out now the log of ComboFix to see if there's anything else that needs to be fixed; thanks in advance
Ok; can you check out now the log of ComboFix to see if there's anything else that needs to be fixed; thanks in advance
Looks good......finger's crossed.
ASKER
>>rpammergirl
Indeed this ComboxFix fixed a lot of stuff, but we still have an issue with IE7; it is behaving very weirdly and making me unable to open any site (for example, after it opens the default blank homepage, if you try to navigate to any site, you will get nothing, and at some times the browser will open duplicate menu & tollbars); please find below the new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:44, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonito
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mahar\Desktop\alt
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
Indeed this ComboxFix fixed a lot of stuff, but we still have an issue with IE7; it is behaving very weirdly and making me unable to open any site (for example, after it opens the default blank homepage, if you try to navigate to any site, you will get nothing, and at some times the browser will open duplicate menu & tollbars); please find below the new hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:44, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonito
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mahar\Desktop\alt
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
This is the only obvious nasty entry showing there, you can fix this one.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
Those 017 entries "cyberia.net.lb" do you recognize those? are those your domain?
Also try disabling add-ons in IE and see if that helps. Did the problem started with hldrr issue?
Troubleshoot that it's not Norton or some apps causing it.
Let's try DrWebCureIt.
Download and install DrWebCureit:
http://download.drweb.com/drweb+cureit/
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Ha
Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner It will now scan your drive(s), say yes to all
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
Those 017 entries "cyberia.net.lb" do you recognize those? are those your domain?
Also try disabling add-ons in IE and see if that helps. Did the problem started with hldrr issue?
Troubleshoot that it's not Norton or some apps causing it.
Let's try DrWebCureIt.
Download and install DrWebCureit:
http://download.drweb.com/drweb+cureit/
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Ha
Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner It will now scan your drive(s), say yes to all
ASKER
>>rpagammergirl
>>Those 017 entries "cyberia.net.lb" do you recognize those? are those your domain?
Yes, this is my domain
>>This is the only obvious nasty entry showing there, you can fix this one.
Yes; I'll do that, and I'll inform you of the results
>>Those 017 entries "cyberia.net.lb" do you recognize those? are those your domain?
Yes, this is my domain
>>This is the only obvious nasty entry showing there, you can fix this one.
Yes; I'll do that, and I'll inform you of the results
ASKER
>>rpgammergirl
>>Did the problem started with hldrr issue?
Yes, but there were obviously other viruses/torjans in the pc
>>Did the problem started with hldrr issue?
Yes, but there were obviously other viruses/torjans in the pc
ASKER
>>rpammergirl
Ok; this seems to have fixed this issue, and also Symantec caught another virus (HijackIt Rootkit) :)
Can you check please the latest hijackthis log for any other issues:
Logfile of HijackThis v1.99.1
Scan saved at 10:20, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonito
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\iBurst Terminal\iBurst_Terminal_U
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\system32\cmd.ex
C:\Documents and Settings\mahar\Desktop\alt
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
Ok; this seems to have fixed this issue, and also Symantec caught another virus (HijackIt Rootkit) :)
Can you check please the latest hijackthis log for any other issues:
Logfile of HijackThis v1.99.1
Scan saved at 10:20, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonito
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\iBurst Terminal\iBurst_Terminal_U
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\system32\cmd.ex
C:\Documents and Settings\mahar\Desktop\alt
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5
O2 - BHO: Ipswitch.WsftpBrowserHelpe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-d
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.ex
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-9
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLog
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
HijackIt rootkit? does it tells you the file and location of the said rootkit?
I won't have online access for a week starting tomorrow so I won't be able to reply for at least a week.
Thanks!
I won't have online access for a week starting tomorrow so I won't be able to reply for at least a week.
Thanks!
ASKER
>>rpgammergirl
It's ok; the computer seems to be up and running normally & cleanly right now..many thanks for your help!
It's ok; the computer seems to be up and running normally & cleanly right now..many thanks for your help!
You're welcome.
That's great! I'm glad to know it's running normally.
Thank you.
That's great! I'm glad to know it's running normally.
Thank you.
C:\WINDOWS\system32\driver
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
It's also important that we look at the combofix log to check for any files not being deleted.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.