NutnWorks Free Tech Support  

#1 - April 19th, 2008 - gratum (Member; Join Date: Apr 2008; Posts: 6)
My notebook transferred itself into some kind of SPAM machine.

No idea how it happened, but my notebook seems to send thousands of
emails in the background every minute, which causes my ADSL line to
block, and a router restart is required.
I am not using any email programs on this PC; it's used exclusively for
browsing and design work.
I did several Trojan scans, malware, antivirus, adware, etc. etc., but no
results.
I discovered the problem with some simple packet sniffer, which shows
background packets being sent all the time, each time with a new local port.
I wanted to check which application is using this PORT, with "Active Ports"
from www.ntutility.com, but this only tells me:
PROCESS = UNKNOW
PID = 0
Each packet the sniffer showed used port 53 as remote port and a new
local port each time. As example:
Local Port 1436 > Remote Port 53
Local Port 1438 > Remote Port 53
Local Port 1440 > Remote Port 53
Local Port 1442 > Remote Port 53
Local Port 1444 > Remote Port 53
Local Port 1446 > Remote Port 53
The same happens with 25:
Local Port 1302 > Remote Port 25
Local Port 1304 > Remote Port 25
Local Port 1306 > Remote Port 25
Local Port 1308 > Remote Port 25
Local Port 1310 > Remote Port 25
Each time it attempts to connect to some new IP.
I tried to block the remote port 25 and port 53, without success.
I tried to close all services running, no success.
OK, I do realize reinstalling my XP would be faster, but, hey, I want to find out
what the problem is.
Some example of some port 53 packet:
----
00000000 8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 .com.... .
00000000 8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 .com.... ........
00000020 00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0 ........ mail2...
00000030 0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61 ........ ......ma
00000040 69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00 il3..... ........
00000050 09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01 ....mail ...'....
00000060 00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01 .......M ...=....
00000070 00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01 ..I....M ...S....
00000080 00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01 ..SK...M ...S....
00000090 00 00 53 4B 00 04 C0 4D 8B 08 ..SK...M ..

Some example of some port 25 packet:
----
Date: Sat, 19 Apr 2008 09:41:15 +0000
From: "Pont Strauf" <blackhead@motohaus.lu>
X-Mailer: The Bat! (3.51.9) Professional
Reply-To: Pont Strauf <blackhead@motohaus.lu>
X-Priority: 3 (Normal)
Message-ID: <1481138195.20080419093817@motohaus.lu>
To: <landis29@hanmail.net>
Subject: cytologist
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------CA6F92D8DC4368"
------------CA6F92D8DC4368
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Hello,=09
=20
Increaase Sexual EEnergy and Pleasuure!
http://q4ri5z8og58qd.blogspot.com

=09And owen, watching, took her pallor for the ashy of gold
thread on stiff ultramarine tissue, which carry us three
men and our when the raft was finished most of them carrying
hand bags. During rehearsals want yes, said ellie, i know
what you mean. But about arthur because he thought hetty
would be whiskers, dark eyes, husky voice, tooth missing
preposterous for words. They had quite an excited gordon.
they think he stabbed his cousin. My sakes! With a bump.
then again, the mischievous ants one jump in her nightgown,
just before going to want me, he said, and he offered no
humorous remarks, a living brain. You will be annihilated
in the ob serve the round hole through the chainmail said
emily. Don't be indelicate. And anyway, she.
ishbnhiieaaaakbmfi.
------------CA6F92D8DC4368
Content-Type: text/html; chars. #Host Name Server
nicname 43/tcp whois
domain 53/tcp #Domain Name Server
domain 53/udp #Domain Name Server
bootps 67/udp dhcps #Bootstrap Protocol Server
bootpc 68/udp dhcpc #Bootstrap Protocol Client
tftp 69/udp #Trivial File Transfer
gopher 70/tcp
finger 79/tcp
http 80/tcp www www-http #World Wide Web
kerberos 88/tcp g></p><st=
rong> </strong>
<p>And owen, watching, took her pallor for the ashy of gold<br> thread
on=
stiff ultramarine tissue, which carry us three<br> men and our when the =
raft was finished most of them carrying<br> hand bags. During rehearsals =
want yes, said ellie, i know<br> what you mean. But about arthur because
=
he thought hetty<br> would be whiskers, dark eyes, husky voice, tooth
mis=
sing<br> preposterous for words. They had quite an excited gordon.<br>
=
they think he stabbed his cousin. My sakes! With a bump.<br> then again, =
the mischievous ants one jump in her nightgown,<br> just before going to =
want me, he said, and he offered no<br> humorous remarks, a living brain.=
You will be annihilated<br> in the ob serve the round hole through the c=
hainmail said<br> emily. Don't be indelicate. And anyway, she.<br>
ishbnhiieaaaakbmfi.</p>
</body></html>
------------CA6F92D8DC4368--
.
454 5.7.1 DXNS3 83.34.2.243: Message refused. Your host name dosen't
match with your IP address: ilpo.rima-tde.net
QUIT
221 2.0.0 rmail-142.hanmail.net closing connection

========================
Finally some HIJACK OUTPUT
========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:20, on 19/04/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SmartSniff\smsniff.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\telnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...e/x86/win32/activex/hcImpl.cab
O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
--
End of file - 7200 bytes

Hopefully you guys know what happened.
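The two port-53 dumps in the post are a DNS MX lookup for hsb.com and the resolver's answer to it. As an added example (not code from the original post), the Python below decodes both dumps with a small DNS parser that follows the 0xC0 name-compression pointers, flags the outbound MX question, and lists the mail hosts and addresses the reply returns; those are the hosts a spam engine then contacts on port 25, which is the 53-then-25 pattern described above. The hex is copied from the post with the ASCII column removed.

```python
import struct

# Hex copied from the post's dump (ASCII column removed): the MX query ...
QUERY = bytes.fromhex(
    "8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62 "
    "03 63 6F 6D 00 00 0F 00 01"
)
# ... and the answer the resolver sent back.
RESPONSE = bytes.fromhex(
    "8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62 "
    "03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 "
    "00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0 "
    "0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61 "
    "69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00 "
    "09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01 "
    "00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01 "
    "00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01 "
    "00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01 "
    "00 00 53 4B 00 04 C0 4D 8B 08"
)

TYPE_NAMES = {1: "A", 15: "MX"}


def read_name(pkt: bytes, off: int):
    """Read a DNS name at `off`, following 0xC0 compression pointers.

    Returns (name, offset just past the name as it appears in the packet).
    A hop limit stops the pointer loops a malformed packet could contain.
    """
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:          # the first pointer ends the in-place name
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(pkt: bytes) -> dict:
    """Decode header, question and all resource records of one DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    questions, records = [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            rdata = off
            off += rdlen
            if rtype == 15:                       # MX: preference + host name
                pref = struct.unpack_from("!H", pkt, rdata)[0]
                host, _ = read_name(pkt, rdata + 2)
                records.append((section, name, "MX", ttl, (pref, host)))
            elif rtype == 1:                      # A: IPv4 address
                ip = ".".join(str(b) for b in pkt[rdata:rdata + 4])
                records.append((section, name, "A", ttl, ip))
            else:
                records.append((section, name, rtype, ttl, pkt[rdata:off].hex()))
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def is_outbound_mx_query(pkt: bytes) -> bool:
    """Defender check: a browsing-only workstation has no reason to ask for MX records."""
    msg = parse_dns(pkt)
    return not msg["is_response"] and any(t == "MX" for _, t in msg["questions"])


def mx_targets(response: dict):
    """Pair each MX host with the glue A records, lowest preference first.

    These are the hosts a spam engine contacts on port 25 right after the lookup.
    """
    addrs = {}
    for _section, name, rtype, _ttl, data in response["records"]:
        if rtype == "A":
            addrs.setdefault(name, []).append(data)
    mx = [data for _s, _n, rtype, _t, data in response["records"] if rtype == "MX"]
    return [(pref, host, addrs.get(host, [])) for pref, host in sorted(mx)]


if __name__ == "__main__":
    print("outbound MX query:", is_outbound_mx_query(QUERY), parse_dns(QUERY)["questions"])
    for pref, host, ips in mx_targets(parse_dns(RESPONSE)):
        print(f"MX {pref:>2} {host:<14} -> {', '.join(ips)}")
```

Run against a live capture, a stream of MX questions from a host with no mail client is the signal to look for, independent of which process name (or PID 0) the port tools report.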
#2 - April 19th, 2008 - little eagle (Site Owner; Join Date: Apr 2005; Location: Texas; Posts: 5,265)
Re: My notebook transferred itself into some kind of SPAM machine.

Looks like a rootkit

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
#3 - April 19th, 2008 - gratum (Member; Join Date: Apr 2008; Posts: 6)
Re: My notebook transferred itself into some kind of SPAM machine.

Hi

I tried that, all went successfully, however, the same thing happens, sending thousands of emails to port 25 and 53.

Let me send you the full report from that COMBOFIX and HIJACK again

-----------

ComboFix 08-04-18.3 - Hannelaure Dijon 2008-04-19 14:31:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.568 [GMT 1:00]
Running from: C:\Documents and Settings\Hannelaure Dijon\Desktop\ComboFix.exe
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\internet explorer\setup.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\dbxDgrevCheck.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWNETPKER
-------\Service_windownetpker

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.
2008-04-19 10:27 . 2008-04-19 10:27 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\Application Data\Wireshark
2008-04-19 10:24 . 2008-04-19 10:27 <DIR> d-------- C:\Program Files\Panda Security
2008-04-18 22:39 . 2008-04-18 22:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 19:02 . 2008-04-18 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-18 19:02 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-18 19:02 . 2008-04-18 20:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-18 18:59 . 2008-04-18 20:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-18 17:16 . 2008-04-19 12:15 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-18 16:24 . 2008-04-18 16:24 <DIR> d-------- C:\Program Files\Active Ports
2008-04-18 16:06 . 2008-04-18 16:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 15:21 . 2008-04-17 15:22 <DIR> d-------- C:\Program Files\IberInfo
2008-04-17 15:21 . 2008-04-17 15:21 1,413,120 --------- C:\WINDOWS\Setupbaby.exe
2008-04-17 15:21 . 2008-04-17 15:21 74,240 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-17 13:46 . 2008-04-17 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 13:46 . 2008-04-17 13:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 19:26 . 2008-04-15 19:26 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\auto
2008-04-15 19:26 . 2008-04-15 19:27 287 --a------ C:\WINDOWS\XMailer.INI
2008-04-14 10:59 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-12 21:56 . 2008-04-12 21:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-12 18:20 . 2008-04-12 18:20 <DIR> d-------- C:\Program Files\Wireshark
2008-04-12 18:20 . 2008-04-12 18:20 <DIR> d-------- C:\Program Files\WinPcap
2008-04-12 14:39 . 2008-04-12 14:44 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\.housecall6.6
2008-04-12 14:34 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-12 14:08 . 2004-05-13 16:04 225,280 --a------ C:\WINDOWS\system32\gccbbase.dll
2008-04-12 12:21 . 2008-04-12 12:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-12 11:16 . 2008-04-12 11:16 0 --a------ C:\WINDOWS\Irremote.ini
2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Program Files\Resco
2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-10 00:38 . 2007-10-10 18:38 90,112 --a------ C:\WINDOWS\RSetupCE.exe
2008-04-08 14:55 . 2008-04-08 14:55 <DIR> d-------- C:\Program Files\CounterPath
2008-04-08 13:06 . 2008-04-15 19:28 <DIR> d-------- C:\Program Files\fec
2008-04-06 13:04 . 2008-04-06 13:04 <DIR> d-------- C:\Program Files\Gif2swf
2008-04-06 13:04 . 1999-12-17 10:13 49,664 --a------ C:\WINDOWS\unvise32.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 16:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:43 --------- d-----w C:\Program Files\SmartSniff
2008-04-17 14:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 09:57 --------- d-----w C:\Program Files\ESET
2008-04-12 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 10:20 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-12 10:17 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-12 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-09 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 10:58 --------- d-----w C:\Program Files\Advanced Email Extractor PRO
2008-04-08 10:49 --------- d-----w C:\Program Files\Common Files\LencomShare
2008-04-04 00:59 --------- d-----w C:\Program Files\Java
2008-03-19 17:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 16:42 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-18 13:29 990,176 ----a-w C:\WINDOWS\dbplugin.exe
2008-03-18 12:33 2,118 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-18 11:56 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\ESET
2008-03-18 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-03-17 13:20 --------- d-----w C:\Program Files\Bonjour
2008-03-15 17:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-14 16:28 --------- d-----w C:\Program Files\GetRight
2008-03-14 13:27 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-14 09:09 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-13 09:33 192,592 ----a-w C:\WINDOWS\system32\DNLEng.dll
2008-03-10 22:38 --------- d-----w C:\Program Files\Sjboy Emulator
2008-03-10 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-10 13:49 --------- d-----w C:\Program Files\Email Address Collector
2008-03-03 08:54 --------- d-----w C:\Program Files\Mobiola Web Camera USB
2008-03-02 21:20 --------- d-----w C:\Program Files\Lencom Software Inc
2008-03-02 12:36 --------- d-----w C:\Program Files\Mobiola Web Camera
2008-03-01 16:48 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\Research In Motion
2008-03-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-01 11:22 --------- d-----w C:\Program Files\Roxio
2008-03-01 11:22 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-01 11:20 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-01 11:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-01 11:10 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-03-01 11:09 --------- d-----w C:\Program Files\Research In Motion
2008-03-01 11:08 --------- d-----w C:\Program Files\Link Web Extractor
2008-03-01 11:04 --------- d-----w C:\Program Files\Common Files\TweakMarketing
2008-03-01 10:32 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\GetRight
2008-02-29 10:41 --------- d-----w C:\Program Files\SWiSHmax
2008-02-28 18:32 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\GetRightToGo
2008-02-24 12:01 --------- d-----w C:\Program Files\PC Sync Manager
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{151E8F05-9830-4888-A41E-B8AB1213CA59}"= "C:\WINDOWS\etlrlws.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{151e8f05-9830-4888-a41e-b8ab1213ca59}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{27F7F92B-9E29-4BB2-B7DE-F287E6A76756}]
[HKEY_CLASSES_ROOT\etlrlws]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 08:26 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acerWireless"="C:\Program Files\acer\Wireless\Utility\WlanUtil.exe" [2005-01-10 16:00 462848]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 08:26 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqnclass32]
eqnclass32.dll 2004-10-15 10:03 8704 C:\WINDOWS\system32\eqnclass32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-01 08:26 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-14 12:55 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyFreeWebCam]
--a------ 2007-03-28 16:03 6219776 C:\EC21Messenger\EzQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EC21]
--a------ 2007-03-28 16:03 6219776 C:\EC21Messenger\EzQ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET Smart Security\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a------ 2006-08-02 19:46 5382144 C:\Program Files\CounterPath\eyeBeam 1.5\eyeBeam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 22:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2004-02-10 20:51 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2004-02-10 20:55 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 01:26 1695232 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"windownetpker"=2 (0x2)
"usnjsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"SharedAccess"=2 (0x2)
"rpcapd"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"Imapi Helper"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CryptSvc"=2 (0x2)
"BITS"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\emule\\emule.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6624:TCP"= 6624:TCP:messenger
"7641:TCP"= 7641:TCP:messenger
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 14:57]
R3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 18:29]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 18:31]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys [2006-01-11 15:55]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38346c7-bdce-11dc-b98e-000e9b7a5c76}]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 14:36:02
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
.
**************************************************************************
.
Completion time: 2008-04-19 14:48:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 13:46:55
Pre-Run: 4,562,894,848 bytes free
Post-Run: 4,514,947,072 bytes free
248 --- E O F --- 2008-04-09 23:58:40


------------------------
HIJACK
---------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06:16, on 19/04/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
--
End of file - 7033 bytes


---

Thank you and kind regards...
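The log above is what a helper reads by eye. As an added example (not part of this thread, and not HijackThis code), the script below does the first pass of that reading over a constructed sample of entries in the same format: it flags entries whose file is gone ("(file missing)" / "(no file)"), and the O10, O17 and O20 sections, which deserve a look on any home PC regardless of the path shown. The section list and the reasons attached to it are this example's own heuristics; they identify what to ask about, not what is malware.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of entries in HijackThis v2 format, of the kind
# posted above. Paths are Windows paths, hence the raw string.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every HijackThis entry starts with its section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Sections whose presence on a home PC earns a manual check regardless of the
# path shown. The reasons are this example's heuristics, not HijackThis output.
REVIEW_SECTIONS = {
    "O10": "Winsock LSP not in HijackThis's whitelist; an LSP sits in the path of all Winsock traffic",
    "O17": "static DNS servers; confirm they are the ISP's, since a bad resolver redirects every lookup",
    "O20": "Winlogon Notify DLL is loaded into winlogon.exe at logon; confirm which installed product owns it",
}


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would ask about first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank line, "End of file"
        sec = m.group("sec")
        if "(file missing)" in line or "(no file)" in line:
            # The registry still points at a file that is gone: an orphan left by a
            # removed program, or by malware that was only partially cleaned.
            findings.append(Finding(sec, "orphaned entry: registry points at a file that no longer exists", line))
        elif sec in REVIEW_SECTIONS:
            findings.append(Finding(sec, REVIEW_SECTIONS[sec], line))
    return findings


def flagged_sections(findings: List[Finding]) -> List[str]:
    return [f.section for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.entry}")
```

Run it against a full log saved as a text file by replacing SAMPLE_LOG with the file's contents; the output is the short list to check against installed software, which is exactly what the next reply in this thread asks for.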
  #4  
Old April 19th, 2008
little eagle's Avatar
little eagle little eagle is offline
Site Owner
 
Join Date: Apr 2005
Location: Texas
Posts: 5,265
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

We work at many forums that have a backlog of files to work on.

So when someone requests help at more than one security forum, it just causes a delay for others getting help.

http://www.castlecops.com/posts219924-0.html
I have asked for that one to be closed.

I cannot stress how important this is!!
Please read the instructions on how to install the Recovery Console:
http://www.bleepingcomputer.com/comb...o-use-combofix

Post back here when done. Then we can start cleaning.

------------------------------------------------

I would like to see a copy of the file in bold.
C:\WINDOWS\SYSTEM32\eqnclass32.dll
Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy; it does not delete it.
Please zip the file and upload it here
Or email it here

Please include a link to this thread.
__________________
  #5  
Old April 19th, 2008
gratum gratum is offline
Member
 
Join Date: Apr 2008
Posts: 6
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

Hi

I deleted most of the files added last month, based on the report.

For now at least, it seems the "port 25" attacks are gone.

I also removed C:\WINDOWS\SYSTEM32\eqnclass32.dll,
but I first zipped and mailed it to you...

Things seem to be getting fixed; in 20 minutes I only had 3261 packets.

I will now attempt to start up the Recovery Console.

thank you
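The post above judges the cleanup by packet count. As an added example (not part of this thread), the script below does the check a responder would run instead, on the output of `netstat -ano` (Windows XP and later print the owning PID): it parses the TCP rows and, for a given remote port, counts distinct remote hosts, distinct ephemeral local ports and connections netstat cannot attribute to a process (PID 0). A desktop mail client talks to one or two relays, so many distinct hosts on port 25 is the spam-engine signal, not volume. The sample rows are constructed to mirror the symptom described in the first post, the addresses come from the RFC 5737 documentation ranges, and the min_hosts threshold is this example's choice.

```python
import re
from collections import Counter
from typing import List, NamedTuple


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


class FanoutReport(NamedTuple):
    remote_port: int
    distinct_hosts: int
    distinct_local_ports: int
    unattributed: int   # live connections netstat tied to no user-mode process (PID 0)
    suspicious: bool


# TCP rows of `netstat -ano`: proto, local, foreign, state, owning PID.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: even-numbered ephemeral local ports, a fresh remote host on
# port 25 each time, owner PID 0, next to two ordinary browser connections.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1290       198.51.100.7:80        ESTABLISHED     2240
  TCP    192.168.1.5:1302       203.0.113.10:25        SYN_SENT        0
  TCP    192.168.1.5:1304       203.0.113.22:25        SYN_SENT        0
  TCP    192.168.1.5:1306       203.0.113.35:25        SYN_SENT        0
  TCP    192.168.1.5:1308       203.0.113.41:25        ESTABLISHED     0
  TCP    192.168.1.5:1310       203.0.113.58:25        SYN_SENT        0
  TCP    192.168.1.5:1312       198.51.100.9:443       ESTABLISHED     2240
"""


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP rows; headers, blank lines and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def outbound_fanout(conns: List[Conn], remote_port: int, min_hosts: int = 3) -> FanoutReport:
    """Count distinct remote hosts this machine is talking to on one port.

    Direct-to-MX spamming opens a connection to a different mail server per
    recipient domain, so the number of distinct hosts on port 25 is the signal.
    """
    outbound = [c for c in conns if c.remote_port == remote_port and c.state != "LISTENING"]
    hosts = {c.remote_ip for c in outbound}
    local_ports = {c.local_port for c in outbound}
    # PID 0 on a live outbound connection means netstat found no user-mode owner,
    # the same picture as "PROCESS = UNKNOWN, PID = 0" in the first post.
    unattributed = sum(1 for c in outbound if c.pid == 0)
    return FanoutReport(remote_port, len(hosts), len(local_ports), unattributed, len(hosts) >= min_hosts)


def top_remote_ports(conns: List[Conn]) -> List[int]:
    """Remote ports ordered by number of live (non-listening) connections, most first."""
    counts = Counter(c.remote_port for c in conns if c.state != "LISTENING")
    return [port for port, _ in counts.most_common()]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for port in top_remote_ports(conns):
        print(outbound_fanout(conns, port))
```

Take the snapshot twice a minute or so apart: a machine that is really clean shows the port 25 fan-out gone and no PID 0 rows outside LISTENING and TIME_WAIT, whereas a dropping packet count alone can just mean the engine has paused or the router has blocked.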
  #6  
Old April 19th, 2008
gratum gratum is offline
Member
 
Join Date: Apr 2008
Posts: 6
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

It seems I currently have Service Pack 3 installed, and the guide only explains 1 and 2.

Also, I have an Ubuntu Linux boot screen at startup (where I can choose between Linux or Windows XP); I am not sure that will be compatible.

Kind Regards
  #7  
Old April 19th, 2008
Corrine's Avatar
Corrine Corrine is offline
The Mystical Rose
 
Join Date: May 2005
Location: Upstate, NY
Posts: 30
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

Quote:
Originally Posted by little eagle View Post
We work at many forums that have a backlog of files to work on.

So when someone requests help at more than one security forum, it just causes a delay for others getting help.

http://www.castlecops.com/posts219924-0.html
I have asked for that one to be closed.
Hi, LE! Apparently gratum doesn't realize that the security community is a close-knit group. He seems to have found a few other places to post for help as well. Here's the grand total located, including here & CC:

http://www.freedomlist.com/forum/viewtopic.php?t=31574
http://www.landzdown.com/index.php?topic=24332.0
http://forums.spywareinfo.com/index....owtopic=116012
http://forums.spybot.info/showthread.php?t=27039
http://boards.cexx.org/index.php?topic=17365.msg72863
http://www.webuser.co.uk/forums/show...ch=true#UNREAD
http://www.cybertechhelp.com/forums/...d.php?p=992848
http://www.cybertechhelp.com/forums/...d.php?t=179979
http://forums.majorgeeks.com/showthread.php?t=157537
http://gladiator-antivirus.com/forum...howtopic=71650
http://www.castlecops.com/t219924-No...ne_XP_SP3.html
http://www.nutnworks.com/forums/showthread.php?t=13762
  #8  
Old April 19th, 2008
gratum gratum is offline
Member
 
Join Date: Apr 2008
Posts: 6
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

Hi,

It seems you guys are getting the quickest response.

I will remember where to post in the future.

Thank you guys, that response time is amazing.

Kisses, Hannelaure...

Last edited by tashi : April 21st, 2008 at 04:08 AM. Reason: Admin note: User multi forum poster with at least four helpers having responded.
  #9  
Old April 19th, 2008
little eagle's Avatar
little eagle little eagle is offline
Site Owner
 
Join Date: Apr 2005
Location: Texas
Posts: 5,265
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

Close all programs, leaving only HijackThis running. Place a check against each of the following:
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll

Click on Fix Checked when finished and exit HijackThis.


------------------------------------------------------------------

Open notepad and copy/paste the text in the codebox below into it:

Code:
Driver::
windownetpker
File::
C:\WINDOWS\XMailer.INI
C:\WINDOWS\system32\gccbbase.dll
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
__________________
  #10  
Old April 21st, 2008
tashi's Avatar
tashi tashi is offline
Administrator
 
Join Date: Apr 2005
Posts: 131
Default Re: My notebook transfered itselfs in some kind of SPAM machine.

http://www.d-a-l.com/help/showthread.php?t=56025

Closed.
__________________
Microsoft MVP-Consumer Security. 2006-2009

ASAP-UNITE