kristen930

Problems with csrsc and VMwareservice


Tonight the Norton program on my computer was going crazy with pop-ups saying that I was trying to send e-mails with Subjects that looked like typical spam to addresses I was not familiar with. I ran some other programs, and found that csrsc.exe and VMwareservice.exe and a bunch of backdoor trojans are on my computer.

I found on another post here a program called SDFix, and these are the results below. I am stuck as to what to do next. Thank you in advance for any help you can give me!!

SDFix: Version 1.240
Run by Kristen on Mon 12/15/2008 at 11:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\msvcrt2.dll - Deleted
C:\WINDOWS\system32\SysMgr.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 23:27:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Fri 12 Dec 2008 23,552 ..SHR --- "C:\WINDOWS\system\VMwareService.exe"
Thu 11 Dec 2008 32,256 ..SHR --- "C:\WINDOWS\system32\csrsc.exe"
Tue 13 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 6 Dec 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2C.tmp"
Tue 13 Dec 2005 1,337 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"

Finished!


Hi kristen, let's get the big boy on it first and see what that reveals.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Here is the ComboFix log. My only problem came at the end when my computer was rebooted. I had disabled Norton Antivirus, but it was back on once the system was rebooted. I did tell it to allow ComboFix to proceed. Sorry about that...if I need to run ComboFix again, please let me know and I will set Norton to not start up during reboot.

Thank you!

ComboFix 08-12-15.08 - Kristen 2008-12-16 14:27:03.1 - NTFSx86
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cdpxwsyy.ini
c:\windows\system32\csrsc.exe
c:\windows\system32\fccdBQkK.dll
c:\windows\System32\geBqQGxU.dll
c:\windows\system32\mlJCUlLd.dll
c:\windows\system32\qoMeFxvW.dll
c:\windows\system32\ruszrp.dll
c:\windows\system32\UxGQqBeg.ini
c:\windows\system32\UxGQqBeg.ini2
c:\windows\system32\xbsnsjhq.dll
c:\windows\System32\yayyYqNe.dll
c:\windows\system32\yyswxpdc.dll
c:\windows\Tasks\trglhoqu.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
-------\Legacy_WINSPOOLSVC
-------\Service_WinSpoolSvc


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-16 14:05 . 2008-12-16 14:05 70,144 --a------ c:\windows\system32\mlJYrSjK.dll
2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix
2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease
2008-12-15 22:15 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-15 21:41 . 2008-12-15 21:42 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe
2008-12-13 16:11 . 2008-12-13 16:11 11,656 --a------ c:\windows\system32\drivers\srwsvc.sys
2008-12-12 19:54 . 2008-12-12 19:54 23,552 -r-hs---- c:\windows\system\VMwareService.exe
2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET
2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus
2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks
2008-11-18 02:47 --------- d-----w c:\program files\AWS
2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint
2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]
"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

R2 srwsvc;srwsvc;\??\c:\windows\system32\drivers\srwsvc.sys [2008-12-13 11656]
R2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" [2008-12-12 23552]
R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-15 28672]
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{53104df4-6eee-4fbd-8b3b-5396e058d0ba} - c:\windows\System32\ruszrp.dll
BHO-{66DECFF2-B0C1-4284-BADB-FDF66C18263E} - c:\windows\System32\geBqQGxU.dll
HKCU-Run-RecordNow! - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
HKLM-Run-Microsoft® System Manager - c:\windows\system32\sysmgr.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 14:34:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\gearsec.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Norton AntiVirus\SAVSCAN.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
.
**************************************************************************
.
Completion time: 2008-12-16 14:37:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 20:37:40

Pre-Run: 43,320,029,184 bytes free
Post-Run: 43,580,502,016 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

176


Let's move swiftly on then to clear a few more :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
RkHit
VMwareService
srwsvc

File::
c:\windows\system32\mlJYrSjK.dll
c:\windows\system32\drivers\RKHit.sys
c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\srwsvc.sys

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
4. Save the above as CFScript.txt
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

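The helper picked the CFScript entries above by reading the ComboFix log by eye: services whose binaries show up in the "Files Created" window, a hidden+system file dropped under c:\windows\system, and a DLL with an eight-letter random name. The Python below is an added example, not code from the thread, ComboFix or any of the tools used; it parses lines in the exact format of the log posted above (a constructed subset of that log is embedded) and applies those three checks plus a flag for drivers loading from a Temp folder, so a defender can reproduce the triage rather than repeat it by hand. The attribute column order (d r a h s) and the line layouts are assumptions read off the log text itself.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Files Created" and service lines from the
# ComboFix log posted earlier in this thread, kept in ComboFix's own format.
SAMPLE_LOG = r"""
2008-12-16 14:05 . 2008-12-16 14:05 70,144 --a------ c:\windows\system32\mlJYrSjK.dll
2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 22:15 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-13 16:11 11,656 --a------ c:\windows\system32\drivers\srwsvc.sys
2008-12-12 19:54 . 2008-12-12 19:54 23,552 -r-hs---- c:\windows\system\VMwareService.exe
.
R2 srwsvc;srwsvc;\??\c:\windows\system32\drivers\srwsvc.sys [2008-12-13 11656]
R2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" [2008-12-12 23552]
R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-15 28672]
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []
"""

# "Files Created" line: created . modified size-or-<DIR> attributes path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:[\d,]+|<DIR>)\s+([-a-zA-Z]{9})\s+(.+)$")
# Service/driver line: R2 name;display;path [date size]  (path may be empty or quoted)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.*?)\s*\[[^\]]*\]$")
# Exactly eight letters directly before ".dll", used for the random-name check
RANDOM_DLL_RE = re.compile(r"\\([A-Za-z]{8})\.dll$")


@dataclass
class Finding:
    path: str    # normalised (lower-case, prefix-stripped) path
    reason: str


def norm(path: str) -> str:
    """Strip quotes and the NT \\??\\ prefix, then lower-case for comparisons."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_created(lines):
    """Map normalised path -> (created timestamp, attribute string, path as printed)."""
    created = {}
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            when, attrs, path = m.groups()
            created[norm(path)] = (when, attrs, path)
    return created


def parse_services(lines):
    """Return (start type, service name, normalised binary path) for R*/S* lines."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            stype, name, path = m.groups()
            services.append((stype, name, norm(path)))
    return services


def triage(log_text: str):
    """Apply the checks the helper did by hand and return the flagged entries."""
    lines = log_text.splitlines()
    created = parse_created(lines)
    findings = []
    for path, (when, attrs, printed) in created.items():
        if attrs[0] == "d":                 # directory entries carry no file to review
            continue
        # Attribute columns as printed by ComboFix (assumption from the log): d r a h s
        if path.startswith("c:\\windows\\") and attrs[3] == "h" and attrs[4] == "s":
            findings.append(Finding(path, f"hidden+system file created {when} under %WINDIR%"))
        m = RANDOM_DLL_RE.search(printed)
        if m and "\\system32\\" in path and not (m.group(1).islower() or m.group(1).isupper()):
            findings.append(Finding(path, "8-letter mixed-case DLL name in system32 (random-name pattern)"))
    for stype, name, path in parse_services(lines):
        if not path:                        # e.g. "S2 mrtRate;mrtRate; []" names no binary
            continue
        if path in created:
            findings.append(Finding(path, f"{stype} service '{name}' runs a file created inside the log window"))
        if "\\temp\\" in path:
            findings.append(Finding(path, f"{stype} driver '{name}' loads from a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}\n    {f.reason}")
```

On the embedded sample this reports the four paths the helper put in the CFScript plus the Temp-resident driver cdrmkaun.sys, which the log shows but the script above did not touch; a hit is a prompt to review the file, not a verdict on it.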

I hope these are what you need below!

ComboFix

ComboFix 08-12-15.08 - Kristen 2008-12-16 16:18:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.284 [GMT -6:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kristen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\srwsvc.sys
c:\windows\system32\mlJYrSjK.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\VMwareService.exe
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\srwsvc.sys
c:\windows\system32\mlJYrSjK.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT
-------\Legacy_SRWSVC
-------\Legacy_VMWARESERVICE
-------\Service_RkHit
-------\Service_srwsvc
-------\Service_VMwareService


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT
2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix
2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease
2008-12-15 21:41 . 2008-12-16 14:55 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner
2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe
2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe
2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET
2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus
2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks
2008-11-18 02:47 --------- d-----w c:\program files\AWS
2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint
2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]
"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kristen\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-09-11 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys []
S2 mrtRate;mrtRate; []
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []

*Newly Created Service* - RKHIT
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 16:21:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\gearsec.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
.
**************************************************************************
.
Completion time: 2008-12-16 16:24:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 22:24:32
ComboFix2.txt 2008-12-16 20:37:43

Pre-Run: 43,557,396,480 bytes free
Post-Run: 43,558,584,320 bytes free

159

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:29 PM, on 12/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spyware Cease\SpywareCease.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\AOL\1134501755\ee\aolsoftware.exe
c:\program files\common files\aol\1134501755\ee\aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 9638 bytes


Now let's clear the waifs and strays and see what remains.

 

Please download Malwarebytes' Anti-Malware from Here or Here

 

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


I think something may have messed up today. I was on my computer tonight and pressed "Control+ALT+DEL" for the Windows Task Manager, and under the Processes, I saw (and still see) csrss.exe. I have spent limited time on-line today, mainly coming to this forum to check this post. I am currently on a shared wireless internet at a hotel, and was wondering if it might be possible that someone is infecting my computer through this shared connection?

 

I have run MBAM, and have also re-run ComboFix and HJT. I did not see csrss.exe in the logs, but it is still under the Processes. Thank you, and I am sorry if this is causing any inconvenience.

 

MBAM

 

Malwarebytes' Anti-Malware 1.31

Database version: 1510

Windows 5.1.2600 Service Pack 1

 

12/16/2008 11:01:24 PM

mbam-log-2008-12-16 (23-01-24).txt

 

Scan type: Quick Scan

Objects scanned: 48767

Time elapsed: 3 minute(s), 43 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

ComboFix

 

ComboFix 08-12-15.08 - Kristen 2008-12-16 22:19:31.3 - NTFSx86

Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\csrsc.exe

c:\windows\system32\cylwqogs.ini

c:\windows\system32\hgGwvuvV.dll

c:\windows\system32\jgkhkr.dll

c:\windows\System32\jkkkHbYr.dll

c:\windows\system32\rYbHkkkj.ini

c:\windows\system32\rYbHkkkj.ini2

c:\windows\system32\sgoqwlyc.dll

c:\windows\system32\wuykimfn.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_WINSPOOLSVC

-------\Service_WinSpoolSvc

 

 

((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))

.

 

2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\Kristen\Application Data\SUPERAntiSpyware.com

2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-16 16:40 . 2008-12-16 16:40 <DIR> d-------- c:\program files\Trend Micro

2008-12-16 16:22 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys

2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll

2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT

2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix

2008-12-15 22:15 . 2008-12-16 16:28 <DIR> d-------- c:\program files\Spyware Cease

2008-12-15 21:41 . 2008-12-16 22:13 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner

2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft

2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-15 21:01 . 2008-12-16 18:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe

2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe

2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET

2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus

2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks

2008-11-18 02:47 --------- d-----w c:\program files\AWS

2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint

2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug

.

 

((((((((((((((((((((((((((((( snapshot@2008-12-16_14.36.53.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-17 00:48:22 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2008-12-17 00:48:22 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2008-12-16 03:23:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-12-17 04:05:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]

"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960]

"SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152]

"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]

"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]

 

c:\documents and settings\Kristen\Start Menu\Programs\Startup\

PowerReg Scheduler V3.exe [2008-09-11 225280]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=jgkhkr.dll

 

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-16 28672]

R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S2 mrtRate;mrtRate; []

S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys []

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job

- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46]

 

2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

 

2005-12-28 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]

.

- - - - ORPHANS REMOVED - - - -

 

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

BHO-{634D1F43-24C9-49F9-8BE6-C2A6C435CDC0} - c:\windows\System32\jkkkHbYr.dll

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -

FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-16 22:25:12

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(660)

c:\windows\system32\ODBC32.dll

 

- - - - - - - > 'lsass.exe'(716)

c:\windows\System32\dssenh.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE

c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\gearsec.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-12-16 22:29:21 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-17 04:29:07

ComboFix2.txt 2008-12-16 22:24:57

ComboFix3.txt 2008-12-16 20:37:43

 

Pre-Run: 43,720,171,520 bytes free

Post-Run: 43,712,733,184 bytes free

 

177

 

 

HJT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:31:27 PM, on 12/16/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Spyware Cease\SpywareCease.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Kristen\Desktop\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe

O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab

O20 - AppInit_DLLs: jgkhkr.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 9607 bytes


That is the legitimate file; notice the difference in spelling.

Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 console is the plain text window in the Windows API system (programs can use the console without the need for image display).

 

The main question is: how is your computer running now?
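The check the helper is doing by eye above (csrsc.exe versus the legitimate csrss.exe) can be automated over a HijackThis "Running processes" list: flag any name one character off a core Windows process, and any core process running from a directory other than its expected one. This is an added example, not code from this thread or from any of the tools it mentions; the allowlist of core processes and the sample process lines are constructed here for illustration.

```python
"""Flag processes that impersonate core Windows processes by name or location."""
from typing import List, NamedTuple, Optional

# Core Windows XP processes and the directory each legitimately runs from.
# Constructed allowlist for this example; a real baseline is per OS version.
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


class Finding(NamedTuple):
    path: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_process(path: str) -> Optional[Finding]:
    """Return a Finding if the path looks like a masquerading core process."""
    normalized = path.strip().lower().replace("/", "\\")
    directory, _, name = normalized.rpartition("\\")
    if name in CORE_PROCESSES:
        # Exact core-process name: it must run from its expected directory.
        expected = CORE_PROCESSES[name]
        if directory != expected:
            return Finding(path, f"{name} running from {directory or '(no directory)'}, expected {expected}")
        return None
    # Unknown name: flag near-misses such as csrsc.exe for csrss.exe.
    for legit in CORE_PROCESSES:
        if edit_distance(name, legit) == 1:
            return Finding(path, f"name is one character off core process {legit}")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_process over every non-empty line of a process listing."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_process(line)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample of HijackThis-style "Running processes" lines. The
# csrsc.exe entry mirrors the file ComboFix deleted in this thread; the
# Temp-folder csrss.exe line is made up to exercise the wrong-directory check.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\csrsc.exe",
    r"C:\Documents and Settings\Kristen\Local Settings\Temp\csrss.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\Kristen\Desktop\HiJackThis.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"SUSPECT {f.path}: {f.reason}")
```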


Thank you for the clarification. To me, my computer seems to be running well. When I ran ThreatExpert yesterday afternoon, it told me my computer was clean. Later that night, it found some malicious entries. I just re-ran ThreatExpert, and here are the details. Thank you.

 

 

Full Scan Summary:

 

* Scan details:

o Scan started: Wednesday, December 17, 2008 15:32:01

o Scan time: 02 minutes, 02 seconds

o Number of memory objects scanned: 4708

+ processes: 41

+ modules: 1471

+ heap pages: 3196

o Number of suspicious memory objects detected: 0

o Number of malicious memory objects detected: 5

o Overall Risk Level: High

 

* Summary of the detected threat characteristics:

 

Severity Level What's been found

 

 

Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

View detected locations

 

* Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000]

* Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000]

* Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000]

* Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000]

 

 

 

A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.

View detected locations

 

* Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

 

 

 

MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).

View detected locations

 

* Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

 

 

 

Communication with a remote IRC server.

View detected locations

 

* Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

 

* Summary of the detected memory objects:

 

Severity Level Memory Object

 

 

Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000]

View detected characteristics

 

* Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

 

 

 

Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000]

View detected characteristics

 

* Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

 

 

 

Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000]

View detected characteristics

 

* Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.

 

 

 

Process "csrsc.exe", main module: [0x00400000 - 0x00484000]

View detected characteristics

 

* A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.

* MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).

* Communication with a remote IRC server.

 

 

 

Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000]

View detected characteristics


According to that, you are re-infected. I am running ThreatExpert on my system at the moment to see if it is reporting right.

 

But for confirmation, as something seems a bit hickey:

 

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

 

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


I am using a different computer to reply right now. I have been keeping my computer offline today and re-ran several of the programs recommended here. ThreatExpert came back with everything being safe. I will have a more secure internet connection this weekend, and will wait until then to do your suggestions. I am not familiar with Mediafire. Since ThreatExpert has its log come up in the internet browser, do I just do "Save Page As" and send that via Mediafire?

 

Thank you :)


OTScanit will produce a text file. It could be quite large, so if you upload it to Mediafire and post the sharing link, I will download and then analyse it.
