Kloweb Winantiviruspro, Possibly Other Infections
3 replies to this topic

#1 Marrahki (Members, 2 posts)

Posted 14 July 2007 - 05:22 PM

Hello,
My computer is currently plagued with malware. I experience constant popups usually from Outerinfo or Winantivirus pro. AVG resident shield recently detected and healed a file containing Kloweb trojan.

Included is my HijackThis log. Thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 3:20:15 PM, on 7/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\?icrosoft\n?lookup.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\ysuugdsc.dll",forkonce
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\SMANTE~1\wucrtupd.exe" -vt ndrv
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171144515671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 14 July 2007 - 06:57 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Marrahki :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

You're running msconfig in Auto mode, which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if any happen to be malware, so please re-enable those startup entries by doing the following:
Click on Start > Run, type msconfig and then press Enter.
When the 'System Configuration Utility' opens click on the 'Startup' tab, make sure all the boxes are checkmarked.
Then press Apply/OK to exit the utility.
If it asks you to restart your PC, please don't.

---------------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

---------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


---------------------------------------------

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 Marrahki (Topic Starter, Members, 2 posts)

Posted 14 July 2007 - 09:02 PM

Thanks so much for the speedy response Richie. You and your entire team are incredible!!
I followed your instructions and here are the requested log files.

Vundofix:

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 5:52:33 PM 7/14/2007

Listing files found while scanning....

C:\windows\system32\acewcbju.dll
C:\windows\system32\csdguusy.ini
C:\windows\system32\ctugiviv.dll
C:\windows\system32\dmqtvuwi.ini
C:\windows\system32\gftpwisv.dll
C:\windows\system32\hcpqbfvq.dll
C:\windows\system32\ijnsgwsn.ini
C:\windows\system32\iwuvtqmd.dll
C:\windows\system32\nswgsnji.dll
C:\windows\system32\opnlkig.dll
C:\WINDOWS\System32\pmkjj.dll
C:\windows\system32\qvfbqpch.ini
C:\windows\system32\rsvkoobt.ini
C:\WINDOWS\System32\ssqpq.dll
C:\windows\system32\tbookvsr.dll
C:\windows\system32\ujbcweca.ini
C:\windows\system32\vivigutc.ini
C:\windows\system32\vsiwptfg.ini
C:\WINDOWS\System32\ysuugdsc.dll

Beginning removal...

Attempting to delete C:\windows\system32\acewcbju.dll
C:\windows\system32\acewcbju.dll Has been deleted!

Attempting to delete C:\windows\system32\csdguusy.ini
C:\windows\system32\csdguusy.ini Has been deleted!

Attempting to delete C:\windows\system32\ctugiviv.dll
C:\windows\system32\ctugiviv.dll Has been deleted!

Attempting to delete C:\windows\system32\dmqtvuwi.ini
C:\windows\system32\dmqtvuwi.ini Has been deleted!

Attempting to delete C:\windows\system32\gftpwisv.dll
C:\windows\system32\gftpwisv.dll Has been deleted!

Attempting to delete C:\windows\system32\hcpqbfvq.dll
C:\windows\system32\hcpqbfvq.dll Has been deleted!

Attempting to delete C:\windows\system32\ijnsgwsn.ini
C:\windows\system32\ijnsgwsn.ini Has been deleted!

Attempting to delete C:\windows\system32\iwuvtqmd.dll
C:\windows\system32\iwuvtqmd.dll Has been deleted!

Attempting to delete C:\windows\system32\nswgsnji.dll
C:\windows\system32\nswgsnji.dll Has been deleted!

Attempting to delete C:\windows\system32\opnlkig.dll
C:\windows\system32\opnlkig.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmkjj.dll
C:\WINDOWS\System32\pmkjj.dll Could not be deleted.

Attempting to delete C:\windows\system32\qvfbqpch.ini
C:\windows\system32\qvfbqpch.ini Has been deleted!

Attempting to delete C:\windows\system32\rsvkoobt.ini
C:\windows\system32\rsvkoobt.ini Has been deleted!

Attempting to delete C:\windows\system32\tbookvsr.dll
C:\windows\system32\tbookvsr.dll Has been deleted!

Attempting to delete C:\windows\system32\ujbcweca.ini
C:\windows\system32\ujbcweca.ini Has been deleted!

Attempting to delete C:\windows\system32\vivigutc.ini
C:\windows\system32\vivigutc.ini Has been deleted!

Attempting to delete C:\windows\system32\vsiwptfg.ini
C:\windows\system32\vsiwptfg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ysuugdsc.dll
C:\WINDOWS\System32\ysuugdsc.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\pmkjj.dll
C:\WINDOWS\System32\pmkjj.dll Has been deleted!

Performing Repairs to the registry.
Done!



Combofix:
"Eric Stone" - 2007-07-14 18:00:31 - ComboFix 07-07-14.6 - Service Pack 1 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aapjfgtx.dll
C:\WINDOWS\system32\gxtrvjiw.dll
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\qpqss.tmp
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.bak2
C:\WINDOWS\system32\qpqss.ini
C:\WINDOWS\system32\qpqss.ini2
C:\WINDOWS\system32\qpqss.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\nkwncvkg1.exe
C:\nkwncvkg2.exe
C:\nkwncvkg3.exe
C:\Program Files\Common Files\smante~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1\n?lookup.exe
C:\WINDOWS\system32\vllblslv.dll
C:\WINDOWS\system32\wnscpicomsv.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-14 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 17:52 <DIR> d-------- C:\VundoFix Backups
2007-07-14 15:12 8,576 --a------ C:\WINDOWS\system32\drivers\nbrqytekiium.sys
2007-07-14 15:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-12 21:40 <DIR> d-------- C:\Razorworks
2007-07-11 18:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-07-11 18:01 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-11 17:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-11 17:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 17:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-11 15:01 66,624 --a------ C:\WINDOWS\system32\hxrnpynb.dll
2007-07-07 16:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-07 16:46 <DIR> d-------- C:\Program Files\Real
2007-07-07 16:46 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-07 16:46 <DIR> d-------- C:\DOCUME~1\ERICST~1\APPLIC~1\Real
2007-06-29 18:55 <DIR> d-------- C:\Python25
2007-06-29 15:19 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-06-29 15:10 <DIR> d-------- C:\Program Files\PowerISO
2007-06-29 14:46 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-06-28 20:48 <DIR> d-------- C:\DOCUME~1\ERICST~1\APPLIC~1\uTorrent
2007-06-28 20:32 <DIR> d-------- C:\Program Files\MagicISO
2007-06-27 21:35 <DIR> d-------- C:\DOCUME~1\ERICST~1\APPLIC~1\Samsung
2007-06-27 21:34 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2007-06-27 21:34 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2007-06-27 21:33 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2007-06-27 21:33 <DIR> d-------- C:\Program Files\Samsung
2007-06-27 21:17 <DIR> d-------- C:\Program Files\SendToPhone
2007-06-27 21:09 <DIR> d-------- C:\Program Files\Audio MP3 Editor
2007-06-26 10:18 <DIR> d-------- C:\Program Files\UltraISO
2007-06-22 20:48 <DIR> d-------- C:\Team17
2007-06-22 07:38 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-06-22 07:32 <DIR> d-------- C:\ijji


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 00:57:09 -------- d-----w C:\DOCUME~1\ERICST~1\APPLIC~1\Azureus
2007-07-14 03:46:12 -------- d-----w C:\Program Files\Steam
2007-07-13 03:50:14 -------- d-----w C:\Program Files\EA GAMES
2007-06-29 22:19:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 05:30:42 -------- d-----w C:\Program Files\Windows NT
2007-06-19 04:23:12 -------- d-----w C:\Program Files\Project64 1.6
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 22:06:17 35,115 ----a-w C:\WINDOWS\DIIUnin.dat
2007-06-04 14:28:33 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-04 14:28:33 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-04 14:28:33 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-04 14:27:41 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-06-04 14:27:41 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-05-30 03:06:10 -------- d-----w C:\Program Files\Online Services
2007-05-29 14:23:41 -------- d-----w C:\Program Files\GraphCalc
2007-05-24 02:53:51 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-22 23:42:18 -------- d-----w C:\DOCUME~1\ERICST~1\APPLIC~1\MilkShape 3D 1.x.x
2007-05-22 03:39:37 -------- d-----w C:\Program Files\MilkShape 3D 1.8.0
2007-05-18 01:12:46 -------- d-----w C:\Program Files\wowmodelview
2007-04-18 15:51:20 2,113,536 ----a-w C:\WINDOWS\system32\python25.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-23 00:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18351E3E-5121-4D77-8340-CA0551D0E789}]
C:\WINDOWS\System32\pmkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2006-12-08 18:45 243016 --a------ C:\Program Files\GetRight\xx2gr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-07-26 03:17 434279 --a------ C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2220960-3CB1-4A3F-8261-71528CD41CC3}]
C:\WINDOWS\System32\ssqpq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-20 21:00]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 05:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-11 17:46]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 17:18]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq]
C:\WINDOWS\System32\ssqpq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
winuns32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Eric Stone^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Eric Stone\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"Messenger"=2 (0x2)
"gusvc"=2 (0x2)
"ERSvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

Contents of the 'Scheduled Tasks' folder
2007-07-10 21:32:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 18:36:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\tompack\SDB\bin\mysqld-nt\" --defaults-file=\"C:\tompack\SDB\my.ini\" MySQL"

Completion time: 2007-07-14 18:37:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-14 18:37

--- E O F ---


Finally, the new abc.bat log :thumbsup:

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:56:13 PM, on 7/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\HijackThis\abc.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18351E3E-5121-4D77-8340-CA0551D0E789} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {B2220960-3CB1-4A3F-8261-71528CD41CC3} - C:\WINDOWS\System32\ssqpq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171144515671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\System32\ssqpq.dll (file missing)
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


The computer does seem to be running smoother as I write this. No popups or unexplained processes that I can see.

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 July 2007 - 08:07 AM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\nbrqytekiium.sys
C:\WINDOWS\system32\hxrnpynb.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-------------------------------------------------------

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {18351E3E-5121-4D77-8340-CA0551D0E789} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {B2220960-3CB1-4A3F-8261-71528CD41CC3} - C:\WINDOWS\System32\ssqpq.dll (file missing)
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\System32\ssqpq.dll (file missing)
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished, it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

------------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Also post a new Hijackthis log, and let me know how your PC is running now.
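The helper in this thread picks entries for 'Fix checked' by eye. Below is an added Python example (mine, not HijackThis's or the forum's code) that parses lines in the HijackThis v1.99.1 format shown above and applies the same tells: "(file missing)" orphans, O20 Winlogon Notify DLLs, rundll32 loading a short random-named System32 DLL, services with no owner, and msconfig in auto mode. The sample entries are copied from the two logs in this thread; the heuristics and severity levels are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the two HijackThis v1.99.1 logs in this thread,
# benign ones included so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18351E3E-5121-4D77-8340-CA0551D0E789} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\ysuugdsc.dll",forkonce
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\System32\ssqpq.dll (file missing)
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One HijackThis entry looks like "O<n> - <kind>: <body>".
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
FILE_MISSING = "(file missing)"
# Short all-lowercase DLL stems in System32 (pmkjj, ssqpq, ysuugdsc above): a Vundo trait, heuristic only.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\([a-z]{5,8})\.dll", re.IGNORECASE)
RANK = {"info": 0, "medium": 1, "high": 2}

@dataclass
class Entry:
    section: str  # "O2", "O4", "O20", "O23", ...
    kind: str     # "BHO", "HKLM\\..\\Run", "Winlogon Notify", "Service", ...
    body: str     # everything after "<kind>: "

@dataclass
class Finding:
    severity: str
    line: str
    reasons: List[str]

def parse_hjt_line(line: str) -> Optional[Entry]:
    """Split one entry into section, kind and body; None for header and process-list lines."""
    m = HJT_LINE.match(line.strip())
    return Entry(*m.groups()) if m else None

def triage_entry(entry: Entry, line: str) -> Optional[Finding]:
    """Heuristics (my own, modelled on the entries the helper picked for 'Fix checked')."""
    reasons: List[str] = []
    severity = "info"

    def flag(level: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if RANK[level] > RANK[severity]:
            severity = level

    body = entry.body
    if FILE_MISSING in body:
        flag("high", "autostart points at a file that is gone: an orphaned loader left behind by removal")
    if entry.section == "O20":
        flag("high", "Winlogon Notify DLL is loaded into winlogon.exe at every logon")
    if entry.section == "O4" and "rundll32.exe" in body.lower() and RANDOM_SYS32_DLL.search(body):
        flag("high", "rundll32 starts a randomly named System32 DLL at boot")
    elif RANDOM_SYS32_DLL.search(body):
        flag("medium", "short all-lowercase DLL name in System32 (Vundo-style dropper name)")
    if entry.section == "O23" and "Unknown owner" in body:
        flag("medium", "service carries no publisher information")
    if entry.section == "O4" and "MSConfig.exe /auto" in body:
        flag("info", "msconfig in auto mode: startup items were disabled, not removed")
    return Finding(severity, line, reasons) if reasons else None

def triage_log(log_text: str) -> List[Finding]:
    """Return only the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = parse_hjt_line(raw)
        finding = triage_entry(entry, raw.strip()) if entry else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.line}")
        for why in f.reasons:
            print(f"         - {why}")
```

On the sample above it flags six of the nine entries and leaves the Adobe BHO, AVG and iPod lines alone; treat the "medium" name heuristic as a prompt to look closer, since legitimate eight-letter System32 names exist.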



