BleepingComputer.com: Im Infected

ok im infected ran combo-fix and it solved some issues my question is there are some recently added .dll files that i think are related and wish to remove them please advise


LOG



ComboFix 08-03-03.16 - BenM 2008-03-03 13:33:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.557 [GMT -8:00]
Running from: C:\Documents and Settings\benm\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\efccbca.dll
C:\WINDOWS\system32\geebc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 12:10 . 2008-03-03 12:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab <- legit
2008-03-03 12:10 . 2008-03-03 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <- legit
2008-03-03 11:01 . 2008-03-03 01:58 319,488 --a------ C:\WINDOWS\btrklfr.dll <- file in Question
2008-03-03 11:01 . 2008-03-03 01:58 282,624 --a------ C:\WINDOWS\apdqnxp.dll <- file in Question
2008-03-03 11:01 . 2008-03-03 01:58 237,568 --a------ C:\WINDOWS\dkxrstqnog.dll <- file in Question
2008-03-03 11:01 . 2008-03-03 01:58 221,184 --a------ C:\WINDOWS\enlfxgw.dll <- file in Question
2008-03-03 11:01 . 2008-03-03 01:58 102,400 --a------ C:\WINDOWS\fqspogw.exe <- file in Question
2008-03-03 11:00 . 2008-03-03 11:00 47 --a------ C:\amp.bat <- file in Question
2008-03-03 10:59 . 2008-03-03 10:59 58,368 --a------ C:\onhtp.exe <- file in Question
2008-03-03 10:09 . 2008-03-03 10:09 <DIR> d-------- C:\Program Files\Runtime Software <- legit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 17:32 --------- d-----w C:\Documents and Settings\benm\Application Data\AdobeUM
2008-01-23 18:37 --------- d-----w C:\Program Files\BroadWare
2007-12-07 18:07 99,712 ----a-w C:\WINDOWS\HPBroker.dll
2006-10-24 17:41 673,546 ----a-w C:\Program Files\unins000.exe
2006-10-24 17:41 29,334 ----a-w C:\Program Files\unins000.dat
2003-06-19 18:05 286,773 ----a-w C:\Program Files\msvcrt.dll
2003-06-19 18:05 1,015,859 ----a-w C:\Program Files\mfc42.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF108732-DF6A-4644-BC03-F04EB71763BF}]
2008-03-03 01:58 237568 --a------ C:\WINDOWS\dkxrstqnog.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{41E5536C-D06D-4891-BF9B-BB511A803221}

[HKEY_CLASSES_ROOT\clsid\{41e5536c-d06d-4891-bf9b-bb511a803221}]
[HKEY_CLASSES_ROOT\enlfxgw.1]
[HKEY_CLASSES_ROOT\TypeLib\{A7667C4B-7262-4C5E-8699-374EBEF5B069}]
[HKEY_CLASSES_ROOT\enlfxgw]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 09:13 176128]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14 7401472]
"NVHotkey"="nvHotkey.dll" [2006-01-19 08:14 73728 C:\WINDOWS\system32\nvhotkey.dll]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 08:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 08:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 13:30 282624 C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 09:35 102400]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-07 23:43 702072]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3ADDB7B-3DF5-4672-82DD-775FFF180134}"= C:\WINDOWS\system32\efccbca.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"apdqnxp"= {2870B7F8-75B0-448D-B6EC-5C6A53F57D8A} - C:\WINDOWS\apdqnxp.dll [2008-03-03 01:58 282624]
"btrklfr"= {601DA719-3E8C-4442-B5F9-C6B56C115EA2} - C:\WINDOWS\btrklfr.dll [2008-03-03 01:58 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-17853146-611349586-1232828436-3235\Scripts\Logon\0\0]
"Script"=test.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-17853146-611349586-1232828436-3235\Scripts\Logon\1\0]
"Script"=\\climatec.com\netlogon\exprofre.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-17853146-611349586-1232828436-3272\Scripts\Logon\0\0]
"Script"=test.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-17853146-611349586-1232828436-500\Scripts\Logon\0\0]
"Script"=test.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a------ 2007-06-05 07:52 20811776 C:\Program Files\CounterPath\X-Lite\x-lite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-05 17:03 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-01-19 08:14 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 10:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-20 15:30 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-09 12:35]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 09:46]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 13:01]
S3 MRM;Firetide MRM Service;C:\PROGRA~1\Firetide\HotView\413~1.0\HOTVIE~2.EXE [2007-05-08 12:32]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 18:12]
S3 ONSSI ImageImportService;ONSSI ImageImportService;"C:\Program Files\Onssi\NetDVMS\ImageImportService.exe" [2006-07-26 10:33]
S3 ONSSI ImageServer;ONSSI ImageServer;"C:\Program Files\Onssi\NetDVMS\ImageServer.exe" [2006-07-26 10:33]
S3 ONSSI LogCheckService;ONSSI LogCheckService;"C:\Program Files\Onssi\NetDVMS\ELFFLogCheckerService.exe" [2006-07-26 10:33]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 00:30]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 00:30]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 00:30]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 20:52:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 13:39:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\detoured.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\detoured.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\detoured.dll
-> C:\WINDOWS\btrklfr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\CMPWI.exe
C:\WINDOWS\TEMP\XW14D3.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-03 13:43:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 21:43:31
.
2008-02-13 15:00:02 --- E O F ---




thank you in advanced looks like its loading some type of IE browser helper good thing i use firefox

Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link

• Once downloaded, close all programs and Windows on your computer, including this one.
  
  
• Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
  
  
• When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
  
  
• MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
  
  
• On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for VirusHeat related files.
  
  
• MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
  
  
• When the scan is finished a message box will appear.
  
  
• You should click on the OK button to close the message box and continue with the removal process.
  
  
• You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  
  
• A screen displaying all the malware that the program found will be shown. Please note that the results shown in the image below will be different depending on the infection you are removing.
  
  
• You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
  
  
• When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Post the log here in a reply.

You can now exit the MBAM program.


Then

follow the steps below so we can make sure you're cleaned properly:

Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

Click 'Do a System Scan and Save log'. The HJT log will open in notepad. Don't try to fix anything yourself.

Copy and paste the contents of the HJT log into a NEW TOPIC in "HijackThis Logs and Malware Removal"
http://www.bleepingcomputer.com/forums/forum22.html

Also include a link to this topic. Please be patient as our HJT team members work on serveral forums.

This post has been edited by SpySentinel: 03 March 2008 - 05:38 PM

Combofix is a powerful tool intended by its creator to be used under the direction of an expert. It is NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.
As you can see from this:

Quote

The installation instructions haven't been followed correctly.
This warning is there for a reason!
You should honor the creators instructions and only use this tool when instructed.

This post has been edited by Starbuck: 03 March 2008 - 06:22 PM

yes i have read all about combo fix and i see what it does. no need for the disclaimer.

ComboFix logs should not to be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff