
Win32.worm.delf, Win32.worm.viking, Pws.onlinegames, Among Others


6 replies to this topic

#1 pill

pill

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 14 July 2007 - 04:23 PM

This is like the nth time I've tried posting this. IE keeps crashing just before I hit the post button.

Anyway, I'll keep this short lest I die of frustration once my IE crashes again.

Pleasepleaseplease help me get rid of the trojans/worms infecting my PC. Right after I noticed my exe files going wonky (double clicking only yielded a black Windows script/run box instead of opening the program), I scanned my PC using Trend Micro, which zapped a couple of problems. When I commenced scanning using Panda, my PC crashed and kept restarting. So I ran it in safe mode and scanned using BitDefender, which deleted most of my exe files (since I didn't realize my preferences were set at disinfect/delete).

According to the scan results, my PC was infected with a couple of strains of the PWS Trojan: PWS.OnlineGames., Generic.PWStealer., Generic.Onlinegames., Trojan.Dropper.OnLineGames.A, DeepScan:Generic.Malware., Trojan.PWS.Nilage
and

Win32.Worm.Delf.NDQ
and
Win32.Worm.Viking
among others.

After the online scans, here are the things I've done so far:

1. Installed Ad-Aware and scanned in safe mode.
2. Installed Spybot and scanned in safe mode.
3. Spybot ran a diagnostic scan after restart. Was able to run Windows in normal mode.
4. Scanned using AVG, disinfected.
5. Scanned using Ad-Aware.
6. Scanned using Spybot. Went on with my life for a couple of days.
7. Scanned using Spybot. Found a couple of threats... disinfected and clicked Immunize. No more threats found after.
8. Scanned using Ad-Aware. No results other than MRU data.
9. Scanned using Stinger. All files clean.
10. Ran HijackThis.

Even after going through 1-10, Windows Task Manager still shows that every 3 minutes, Internet Explorer would load a couple of windows for websites mostly ending in .cn. AVG would also detect a couple of threats which it can heal.

Can someone pleaaaase help me squash these worms and trojans once and for all? Is there anything I can do to make my MS Office programs work again, short of reinstalling them? By the way, I can post my BitDefender scan results if it would help you. Please just let me know.

Thank you!


=========================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:36 AM, on 7/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v730.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\6.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 信息检索 - {65F7F9CD-DAC0-45D2-9404-F0B2352536F3} - C:\WINDOWS\SYSTEM32\acvtres32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [wdfmgrnt] C:\WINDOWS\system32\wdfmgrnt.exe
O4 - HKLM\..\Run: [Microsoft Autorun14] C:\WINDOWS\system32\ztinetzt.exe
O4 - HKLM\..\Run: [Microsoft Autorun7] C:\WINDOWS\system32\nwizqjsj.exe
O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe
O4 - HKLM\..\Run: [RAV008C] C:\WINDOWS\system32\RAV008C.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O23 - Service: 2F005364 - Unknown owner - C:\WINDOWS\system32\2433E2CE.EXE (file missing)
O23 - Service: 5152E4F6 - Unknown owner - C:\WINDOWS\system32\F9CFDD4A.EXE (file missing)
O23 - Service: 917523AE - Unknown owner - C:\WINDOWS\system32\A286D9A.EXE (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: B64D0978 - Unknown owner - C:\WINDOWS\system32\5E023C42.EXE (file missing)
O23 - Service: C0770C8C - Unknown owner - C:\WINDOWS\system32\1A09DFBA.EXE (file missing)
O23 - Service: D549124 - Unknown owner - C:\WINDOWS\system32\6789D1D4.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Removableo (kbfzsxxz) - Unknown owner - C:\WINDOWS\system32\kbfzsxxz.exe (file missing)
O23 - Service: kusn33sd - Unknown owner - C:\WINDOWS\system32\kusn33sd.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7501 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 15 July 2007 - 09:20 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, pill :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.

#3 pill

pill
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:54 PM

Posted 16 July 2007 - 11:28 AM

Hello Richie! Thanks for your prompt reply. :flowers:

I already did as instructed, rebooted into safe mode, ran DrWeb (the program automatically moved the files though). Here's the DrWeb log:


3.exe;c:\windows\system32;Trojan.MulDrop.7026;Incurable.Moved.;
balzxw41.sys;c:\windows\system32\drivers;Adware.Baidu;Incurable.Moved.;
txvcmi34.sys;c:\windows\system32\drivers;Adware.Baidu;Incurable.Moved.;
_desktop.ini;C:\;Win32.HLLW.Gavir.ini;Deleted.;
18Sy.exe;C:\Program Files\Internet Explorer;Trojan.Addurl;Deleted.;
popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;
atusvt74.dll;C:\WINDOWS\SYSTEM32;Adware.Newweb.161;Incurable.Moved.;
wincmi34.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Incurable.Moved.;
winzxw41.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu.274;Incurable.Moved.;
balzxw41.sys;C:\WINDOWS\SYSTEM32\DRIVERS;Adware.Baidu;Will be renamed after reboot.;
txvcmi34.sys;C:\WINDOWS\SYSTEM32\DRIVERS;Adware.Baidu;Will be renamed after reboot.;
atusvt74.dll;C:\WINDOWS\SYSTEM32\winup;Adware.Newweb;Incurable.Moved.;



About the 2nd and 3rd to the last entries, I unwittingly clicked on the wrong buttons.... Really sorry about that. My eyes aren't too accustomed to safe mode's crappy resolution. What should I do about those two?

Combofix restarted my pc. Here's the Combofix log:


"

CUP" - 07/16/2007 23:57:21 - ComboFix 07-07-14.6 - Service Pack 4 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\20540.exe
C:\Program Files\internet explorer\iexplore.win
C:\Program Files\Internet Explorer\PLUGINS\SysWin64.Jmp
C:\Program Files\internet explorer\rundll32.exe
C:\Program Files\internet explorer\winlogon.exe
C:\WINDOWS\603.exe
C:\WINDOWS\mywinsys.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\5.exe
C:\WINDOWS\system32\7.exe
C:\WINDOWS\system32\balzxw41.dll
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\winup
C:\WINDOWS\system32\wpcap.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_KUSN33SD
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
-------\LEGACY_WIN32DDS
-------\LEGACY_WINDHCPSVC
-------\LEGACY_WZCSRVC
-------\kusn33sd
-------\nm
-------\NPF
-------\Win32DDS
-------\WinDHCPsvc
-------\WZCSRVC


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 23:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 22:41 <DIR> d-------- C:\DOCUME~1\CUP\DoctorWeb
2007-07-15 22:14 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-15 12:21 <DIR> d-------- C:\Program Files\Google
2007-07-15 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-09 02:45 196 --a------ C:\QQA.EXE
2007-07-08 19:30 24,416 --a------ C:\WINDOWS\c1c.exe
2007-07-08 19:23 112 --a------ C:\WINDOWS\netcom.dll
2007-07-08 19:23 1 --a------ C:\WINDOWS\concmd.dll
2007-07-08 18:54 <DIR> d-------- C:\DOCUME~1\CUP\APPLIC~1\Lavasoft
2007-07-08 15:59 <DIR> dr-h----- C:\WINDOWS\vDll.dll
2007-07-08 15:59 <DIR> dr-h----- C:\WINDOWS\rundl132.exe
2007-07-08 15:59 <DIR> dr-h----- C:\WINDOWS\Logo1_.exe
2007-07-08 15:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-08 14:03 19,456 --a------ C:\WINDOWS\SYSTEM32\SHQ.DLL
2007-07-08 13:58 20 --a------ C:\DOCUME~1\CUP\mhsha1.dat
2007-07-08 12:50 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2007-07-08 11:32 <DIR> d-------- C:\WINDOWS\uninstall
2007-06-23 00:21 <DIR> d-------- C:\DOCUME~1\CUP\APPLIC~1\Arcsoft
2007-06-23 00:06 <DIR> d-------- C:\DOCUME~1\CUP\APPLIC~1\Leadertech
2007-06-23 00:02 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2007-06-20 11:29 <DIR> d-------- C:\WINDOWS\winsxs
2007-06-20 11:29 <DIR> d-------- C:\WINDOWS\PCHEALTH
2007-06-20 11:15 <DIR> d-------- C:\Program Files\Microsoft.NET


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 04:19:53 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-07-14 21:36:24 -------- d-----w C:\Program Files\Common Files\Real
2007-07-14 21:36:16 -------- d-----w C:\DOCUME~1\CUP\APPLIC~1\Real
2007-07-08 03:37:07 -------- d---a-w C:\Program Files\ewido anti-malware
2007-07-08 03:37:06 -------- d-----w C:\Program Files\Diablo II
2007-06-20 03:53:38 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-06-09 09:13:06 -------- d-----w C:\Program Files\Adaptec
2007-06-09 09:11:10 -------- d-----w C:\Program Files\DivX
2007-06-09 09:03:32 -------- d-----w C:\Program Files\Symantec
2007-06-09 08:57:28 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-09 08:49:43 -------- d---a-w C:\DOCUME~1\CUP\APPLIC~1\yahoo!
2007-06-09 08:47:29 -------- d-----w C:\Program Files\ICQLite
2007-06-08 15:07:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 13:24:55 -------- d-----w C:\DOCUME~1\CUP\APPLIC~1\HotSync
2007-06-06 13:23:53 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-02 01:10:57 -------- d-----w C:\Program Files\CoreCodec
2007-06-02 01:01:36 -------- d-----w C:\DOCUME~1\CUP\APPLIC~1\CoreCodec
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-28 07:04:42 197,632 ----a-w C:\WINDOWS\system32\acvtres32.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-02-09 14:16:29 1,940 ----a-w C:\DOCUME~1\CUP\APPLIC~1\ViewerApp.dat
2006-01-16 07:20:18 305 ---h--w C:\Program Files\desktop.ini
2006-01-16 07:18:26 21,952 ---h--w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-12-18 04:16 59032 --a------ D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
07-05-19 02:17 452160 --a------ D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ D:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65F7F9CD-DAC0-45D2-9404-F0B2352536F3}]
07-05-28 15:04 197632 --a------ C:\WINDOWS\SYSTEM32\acvtres32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-04-21 01:22 ]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3495D328-661A-4FB0-BA67-8ACDD1704D1E}"="C:\WINDOWS\system32\CSRSS.dll" []
"{0FC9D5BB-1D4C-493B-83CF-81DD3490F59E}"="C:\WINDOWS\system32\SysPro.dll" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SystemTray"=SysTray.Exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"iamapp"="C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MCI USB Icon"=C:\WINDOWS\system32\USBIcon.exe
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
"Microsoft Autorun14"=C:\WINDOWS\system32\ztinetzt.exe
"Microsoft Autorun7"=C:\WINDOWS\system32\nwizqjsj.exe
"Microsoft Autorun9"=C:\WINDOWS\system32\Ravasktao.exe
"RAV008C"=C:\WINDOWS\system32\RAV008C.exe
"SoundMan"=SOUNDMAN.EXE
"TIMHost"=C:\WINDOWS\TIMHost.exe
"wdfmgrnt"=C:\WINDOWS\system32\wdfmgrnt.exe
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{81716107-A10D-11cf-64CD-11115FE1CF41}
C:\WINDOWS\system32\nwizzhuxians.exe

Contents of the 'Scheduled Tasks' folder
2007-07-07 15:00:00 C:\WINDOWS\tasks\Tune-up Application Start.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 00:01:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-17 0:03:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-17 00:03

--- E O F ---



And finally, here's my fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:39 AM, on 7/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 信息检索 - {65F7F9CD-DAC0-45D2-9404-F0B2352536F3} - C:\WINDOWS\SYSTEM32\acvtres32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O23 - Service: 2F005364 - Unknown owner - C:\WINDOWS\system32\2433E2CE.EXE (file missing)
O23 - Service: 5152E4F6 - Unknown owner - C:\WINDOWS\system32\F9CFDD4A.EXE (file missing)
O23 - Service: 917523AE - Unknown owner - C:\WINDOWS\system32\A286D9A.EXE (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: B64D0978 - Unknown owner - C:\WINDOWS\system32\5E023C42.EXE (file missing)
O23 - Service: C0770C8C - Unknown owner - C:\WINDOWS\system32\1A09DFBA.EXE (file missing)
O23 - Service: D549124 - Unknown owner - C:\WINDOWS\system32\6789D1D4.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Removableo (kbfzsxxz) - Unknown owner - C:\WINDOWS\system32\kbfzsxxz.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6082 bytes



I don't know if this information is relevant, but I'll post it anyway... Yesterday, my PC refused to boot properly. It started looking for a boot disk. I restarted it a couple of times (under various BIOS settings) but nothing changed. Then earlier this evening, it booted normally. :thumbsup: hehe.

Thanks again for replying right away. :huh:



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:54 PM

Posted 16 July 2007 - 03:34 PM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\QQA.EXE
C:\WINDOWS\c1c.exe
C:\WINDOWS\vDll.dll
C:\WINDOWS\rundl132.exe
C:\WINDOWS\Logo1_.exe
C:\WINDOWS\SYSTEM32\acvtres32.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-----------------------------------------------------

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the services called:
2F005364
5152E4F6
917523AE
B64D0978
C0770C8C
D549124
Removableo (kbfzsxxz)

In the next window that opens, click their 'Stop' buttons.
Then change their 'Startup Types' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

-----------------------------------------------------

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: 信息检索 - {65F7F9CD-DAC0-45D2-9404-F0B2352536F3} - C:\WINDOWS\SYSTEM32\acvtres32.dll
O23 - Service: 2F005364 - Unknown owner - C:\WINDOWS\system32\2433E2CE.EXE (file missing)
O23 - Service: 5152E4F6 - Unknown owner - C:\WINDOWS\system32\F9CFDD4A.EXE (file missing)
O23 - Service: 917523AE - Unknown owner - C:\WINDOWS\system32\A286D9A.EXE (file missing)
O23 - Service: B64D0978 - Unknown owner - C:\WINDOWS\system32\5E023C42.EXE (file missing)
O23 - Service: C0770C8C - Unknown owner - C:\WINDOWS\system32\1A09DFBA.EXE (file missing)
O23 - Service: D549124 - Unknown owner - C:\WINDOWS\system32\6789D1D4.EXE (file missing)
O23 - Service: Removableo (kbfzsxxz) - Unknown owner - C:\WINDOWS\system32\kbfzsxxz.exe (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

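The services.msc step and the O23 fixes above rely on spotting the same pattern in the HijackThis log: services with an "Unknown owner", a random hex name, and a binary that is already gone ("file missing"). As an added example that is not part of the original thread and not code from HijackThis or BleepingComputer, here is a small Python triage of O23 lines that flags those entries and emits the sc.exe commands equivalent to the stop-and-disable step. The sample lines are copied from the log posted in this thread plus two legitimate services for contrast; the line regex, the hex-name heuristic and the sc.exe output are my assumptions, and the commands are only printed, not run.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O23 lines RichieUK told the poster to fix, copied from
# the HijackThis log in this thread, plus two legitimate services for contrast.
SAMPLE_HJT_LOG = """\
O23 - Service: 2F005364 - Unknown owner - C:\\WINDOWS\\system32\\2433E2CE.EXE (file missing)
O23 - Service: 5152E4F6 - Unknown owner - C:\\WINDOWS\\system32\\F9CFDD4A.EXE (file missing)
O23 - Service: D549124 - Unknown owner - C:\\WINDOWS\\system32\\6789D1D4.EXE (file missing)
O23 - Service: Removableo (kbfzsxxz) - Unknown owner - C:\\WINDOWS\\system32\\kbfzsxxz.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\\Program Files\\Common Files\\InstallShield\\Driver\\11\\Intel 32\\IDriverT.exe
"""

# HijackThis O23 layout (assumed): "O23 - Service: Display (key) - Owner - Path [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Service names and binaries made of 7-8 hex digits (2F005364, 2433E2CE.EXE) look
# generated rather than chosen; combined with "Unknown owner" that is a strong signal.
HEXNAME_RE = re.compile(r"[0-9A-F]{7,8}", re.IGNORECASE)


@dataclass
class Finding:
    service: str            # registry key name, the one sc.exe and services.msc use
    path: str
    reasons: list = field(default_factory=list)


def triage_o23(log_text: str) -> list:
    """Return the O23 service entries that look like malware launch points."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key") or m.group("display")
        reasons = []
        if m.group("missing"):
            # Binary already removed, but the service key still tries to load it on
            # every boot: orphaned persistence that must be cleaned up as well.
            reasons.append("file missing")
        if m.group("owner") == "Unknown owner" and HEXNAME_RE.fullmatch(key):
            reasons.append("random hex service name")
        exe = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
        if HEXNAME_RE.fullmatch(exe.rsplit(".", 1)[0]):
            reasons.append("random hex binary name")
        if reasons:
            findings.append(Finding(key, m.group("path"), reasons))
    return findings


def remediation_commands(findings: list) -> list:
    """Command-line equivalent of the services.msc stop + disable step.
    sc.exe requires the space after 'start='."""
    cmds = []
    for f in findings:
        cmds.append(f'sc stop "{f.service}"')
        cmds.append(f'sc config "{f.service}" start= disabled')
    return cmds


if __name__ == "__main__":
    flagged = triage_o23(SAMPLE_HJT_LOG)
    for f in flagged:
        print(f"{f.service:10} {', '.join(f.reasons):60} {f.path}")
    print("\n".join(remediation_commands(flagged)))
```

Orphaned keys are worth removing even though the binary is gone: the service definition is a ready-made launch point if the file is dropped again, which is why the entries are stopped and disabled before HijackThis is asked to remove them.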

#5 pill (Topic Starter, Members, 4 posts)

Posted 17 July 2007 - 12:28 PM

1. Moved the files using OTMoveIt. Didn't have to reboot.

2. Stopped and disabled the listed processes under services.msc.

3. Installed and updated SuperAntiSpyware free version (while updating, a window popped up saying that Windows cannot access winword, etc.). Closed the program after updating.

4. Launched HijackThis; only this entry among the 8 mentioned was present:


O2 - BHO: 信息检索 - {65F7F9CD-DAC0-45D2-9404-F0B2352536F3} - C:\WINDOWS\SYSTEM32\acvtres32.dll

which appeared as:
O2 - BHO: - {65F7F9CD-DAC0-45D2-9404-F0B2352536F3} - no file.


Clicked on fix (closed browser windows before doing so).

5. Scanned PC using SuperAntiSpyware. While scanning, AVG (my anti-virus program) detected the following threat, which it was able to heal:


C:\Program Files\Internet Explorer\PLUGINS\Sys\Win64.Sys (Worm/Delf.CYQ)



6. SuperAntiSpyware found 7 threats, disinfected the threats and asked for a reboot. Rebooted. Here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/18/2007 at 01:02 AM

Application Version : 3.9.1008

Core Rules Database Version : 3270
Trace Rules Database Version: 1281

Scan type : Complete Scan
Total Scan Time : 00:34:46

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 5085
Registry threats detected : 5
File items scanned : 22504
File threats detected : 2

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKCR\CLSID\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKCR\CLSID\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKCR\CLSID\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}\InProcServer32
HKCR\CLSID\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.SYS

Trojan.Downloader-SuperCenter
C:\DOCUMENTS AND SETTINGS\CUP\DOCTORWEB\QUARANTINE\WINZXW41.DLL


7. Fresh HijackThis log after the reboot:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:01 AM, on 7/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HotSync Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = 58.69.254.4,58.69.254.9
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5628 bytes


It seems that the worm (Worm/Delf.CYQ) was still present despite having used Dr.Web CureIt and all the other programs. Do you think SuperAntiSpyware was able to finally get rid of it?

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 17 July 2007 - 02:18 PM

Well, your log is clean; let's run the following:

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will start the program and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste the contents of that file into your next reply.

#7 pill (Topic Starter, Members, 4 posts)

Posted 20 July 2007 - 01:29 PM

Hello Richie :thumbsup: here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 21, 2007 2:20:13 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/07/2007
Kaspersky Anti-Virus database records: 343217
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38425
Number of viruses found: 11
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 00:52:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\CUP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\History\History.IE5\MSHist012007072120070722\index.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CUP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\CUP\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\Internet Explorer\11Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.es skipped
C:\Program Files\Internet Explorer\12Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.qy skipped
C:\Program Files\Internet Explorer\13Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.xn skipped
C:\Program Files\Internet Explorer\16Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.qw skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\SysWin64.Jmp.vir Infected: Virus.Win32.AutoRun.en skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\RUNDLL32.exe.vir Infected: Trojan-PSW.Win32.Delf.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\603.exe.vir Infected: Backdoor.Win32.Agent.ahj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0001 Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0003 Infected: Trojan-Downloader.Win32.Banload.bpo skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0005 Infected: Trojan.Win32.Patched.v skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream Infected: Trojan.Win32.Patched.v skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir NSIS: infected - 5 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CUP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BA69ACB9-3C99-4A0A-BABD-F15A4B2B8F90}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\TEMP\ZLT060ef.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT060f6.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



I also did an extended scan:

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38411
Number of viruses found: 19
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 00:52:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\CUP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\3.exe Infected: not-a-virus:AdWare.Win32.Agent.ck skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\atusvt70.dll Infected: not-a-virus:AdWare.Win32.NewWeb.c skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\atusvt74.dll Infected: not-a-virus:AdWare.Win32.NewWeb.aa skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\balzxw41.sys Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\txvcmi34.sys Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\Documents and Settings\CUP\DoctorWeb\Quarantine\wincmi34.dll Infected: not-a-virus:AdWare.Win32.Agent.ck skipped
C:\Documents and Settings\CUP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CUP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CUP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\CUP\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\Internet Explorer\11Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.es skipped
C:\Program Files\Internet Explorer\12Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.qy skipped
C:\Program Files\Internet Explorer\13Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.xn skipped
C:\Program Files\Internet Explorer\16Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.qw skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0005 Infected: not-a-virus:AdWare.Win32.Agent.ck skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0006 Infected: not-a-virus:AdWare.Win32.Agent.ck skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0007 Infected: not-a-virus:AdWare.Win32.NewWeb.aa skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0009 Infected: not-a-virus:AdWare.Win32.NewWeb.m skipped
C:\QooBox\Quarantine\C\20540.exe.vir/data0010 Infected: not-a-virus:AdWare.Win32.NewWeb.y skipped
C:\QooBox\Quarantine\C\20540.exe.vir NSIS: infected - 8 skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\SysWin64.Jmp.vir Infected: Virus.Win32.AutoRun.en skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\RUNDLL32.exe.vir Infected: Trojan-PSW.Win32.Delf.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\603.exe.vir Infected: Backdoor.Win32.Agent.ahj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\5.exe.vir/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\5.exe.vir/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\5.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\5.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0001 Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0003 Infected: Trojan-Downloader.Win32.Banload.bpo skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream/data0005 Infected: Trojan.Win32.Patched.v skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir/stream Infected: Trojan.Win32.Patched.v skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\7.exe.vir NSIS: infected - 5 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\balzxw41.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bz skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\acpidisk.sys.vir Infected: not-a-virus:AdWare.Win32.Cinmus.j skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CUP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BA69ACB9-3C99-4A0A-BABD-F15A4B2B8F90}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\TEMP\ZLT060ef.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT060f6.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
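Two things make the Kaspersky reports above easier to read than their "Number of infected objects: 13" and "35" headlines suggest: hits under C:\QooBox\Quarantine (ComboFix's quarantine folder) and Documents and Settings\CUP\DoctorWeb\Quarantine (Dr.Web CureIt's) are copies of files that earlier tools already removed, and "Object is locked skipped" lines are system files the online scanner could not open, not detections. What remains are the four *Sy.exe files in C:\Program Files\Internet Explorer, which Kaspersky identifies as OnLineGames password stealers still on disk. As an added example that is not part of the original thread and not code from Kaspersky, this Python parses report lines in that format and separates live detections from quarantined ones, archive roll-up lines and locked objects. The sample lines are copied from the report above; the line regex, the quarantine folder list and the "not-a-virus:" severity mapping are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines from the Kaspersky Online Scanner report
# posted above (locked system files, quarantined items, and the live detections).
SAMPLE_KAV_REPORT = """\
C:\\Documents and Settings\\CUP\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\CUP\\DoctorWeb\\Quarantine\\3.exe Infected: not-a-virus:AdWare.Win32.Agent.ck skipped
C:\\Program Files\\Internet Explorer\\11Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.es skipped
C:\\Program Files\\Internet Explorer\\12Sy.exe Infected: Trojan-PSW.Win32.OnLineGames.qy skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\603.exe.vir Infected: Backdoor.Win32.Agent.ahj skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\7.exe.vir/stream/data0001 Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\7.exe.vir NSIS: infected - 5 skipped
C:\\WINDOWS\\SYSTEM32\\config\\SAM Object is locked skipped
"""

# Assumed line layout: "<object> Infected: <name> skipped" | "<object> Object is locked skipped"
# | "<object> NSIS: infected - <n> skipped" (an installer archive summarising its members).
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>NSIS: infected - \d+)) skipped$"
)
# Folders where earlier cleanup tools park what they removed; a hit there is a
# detection of something already neutralised, not a live infection.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\", "\\doctorweb\\quarantine\\")


def classify(report: str) -> dict:
    """Split a Kaspersky Online Scanner report into live detections, quarantined
    detections, archive summary lines and a count of locked (unscanned) objects."""
    result = {"live": [], "quarantined": [], "archive_summary": [], "locked": 0}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("locked"):
            result["locked"] += 1
            continue
        # "path.vir/stream/data0001" is a member inside an archive; the file that
        # actually exists on disk is the part before the first '/'.
        disk_path = m.group("obj").split("/", 1)[0]
        if m.group("archive"):
            result["archive_summary"].append(disk_path)
            continue
        name = m.group("name")
        entry = {
            "path": disk_path,
            "name": name,
            # Kaspersky's "not-a-virus:" prefix marks adware/riskware, lower priority
            # than a password stealer or backdoor (mapping assumed here).
            "severity": "low" if name.startswith("not-a-virus:") else "high",
        }
        if any(q in disk_path.lower() for q in QUARANTINE_DIRS):
            result["quarantined"].append(entry)
        else:
            result["live"].append(entry)
    return result


def live_by_family(report: str) -> Counter:
    """Count live detections by family name, dropping the variant suffix (.es, .qy)."""
    return Counter(e["name"].rsplit(".", 1)[0] for e in classify(report)["live"])


if __name__ == "__main__":
    r = classify(SAMPLE_KAV_REPORT)
    print(f"locked (unscanned): {r['locked']}, quarantined: {len(r['quarantined'])}")
    for e in r["live"]:
        print(f"LIVE [{e['severity']}] {e['name']}  {e['path']}")
    print(dict(live_by_family(SAMPLE_KAV_REPORT)))
```

The live list is what the next cleanup step should act on; the quarantined entries only mean the quarantine folders are full and can be emptied once the machine is confirmed clean.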





