Help! Am Infected And Need The Treatment


7 replies to this topic

#1 ttiger21
Posted 28 July 2007 - 11:46 PM

I think my computer has been infected with the following: Locksky.nag, Smitfraud-c, Virtumond. This was found by Ad-Aware. They keep coming back when the system is restarted. I have followed all the instructions, and the only difference was to use AVG antivirus instead of one of the ones on the list. As far as I know the symptoms I'm having are popups, items missing from the notification area like battery level and sound control, and it won't let me access my drive A: or my DVD drive G:. Even if I plug in an external drive, it's picked up in Device Manager and through the USB connection manager, but it won't show in My Computer to access it. I don't know if this is all related, but it's just what I've noticed. This is my first major infestation, and I'm not sure what to do; I don't want to wipe the computer. I tried rebooting in safe mode, but it took so long to load. System processes showed that winlogon was using 90-99% of the processor, so most programs wouldn't work. When I try to use Mozilla I get a window titled "use internet explorer you dope" with the contents stating "I dnt hate mozilla, but use IE or die". Also, when I look at what's starting up all the time using Ad-Aware, I got the following system startup report:
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-07-26 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-07-25 Includes\Dialer.sbi
2007-07-11 Includes\Hijackers.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-07-25 Includes\Malware.sbi
2007-07-11 Includes\PUPS.sbi
2007-05-30 Includes\Security.sbi
2007-07-11 Includes\Spybots.sbi
2007-07-25 Includes\Trojans.sbi
2007-07-25 Includes\Cookies.sbi
2007-07-25 Includes\Revision.sbi
2005-02-17 Includes\Tracks.uti
2007-07-25 Includes\TrojansC.sbi
2007-07-25 Includes\SpybotsC.sbi
2007-07-25 Includes\SecurityC.sbi
2007-07-25 Includes\PUPSC.sbi
2007-07-25 Includes\MalwareC.sbi
2007-07-25 Includes\KeyloggersC.sbi
2007-07-25 Includes\HijackersC.sbi
2007-07-25 Includes\DialerC.sbi
2007-06-06 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 416256
MD5: 2200c98c049de1a7638ea0edba1c8882

Located: HK_LM:Run, CP32NOT
command: C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
file: C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
size: 53248
MD5: 39f9ca76b1da83a3a11af91014337480

Located: HK_LM:Run, HP Display Settings
command: C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
file:

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9c1c80bbf8e6044980890e2d2d91091c

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe

Located: HK_CU:Run, CTFMON.EXE
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, H/PC Connection Agent
command: "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
file: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
size: 1207080
MD5: 5dd84df95d1177846b312f12cac4addf

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, TridentTVIcon
command:
file:

Located: HK_CU:Run, updateMgr
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
file:

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (user), Adobe Gamma.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: System.ini,  h 
command:  h 
file:  h 

Located: System.ini, instcat
command: instcat.dll
file: instcat.dll

Located: System.ini, ljjgfcy
command: ljjgfcy.dll
file: ljjgfcy.dll

Located: System.ini, tuvuu
command: C:\WINDOWS\system32\tuvuu.dll
file: C:\WINDOWS\system32\tuvuu.dll
size: 263220
MD5: abb4451a0bed0603f2cebf862cc7505b

Located: System.ini,   (DISABLED)
command:  
file:  

Located: System.ini,  (DISABLED)
command: 
file: 

Located: System.ini,   (DISABLED)
command:  
file:  

Located: System.ini, ljjgfcy (DISABLED)
command: ljjgfcy.dll
file: ljjgfcy.dll

Located: System.ini, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

When I try to delete the bottom 8 they always come back.
The following is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:26 AM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
C:\heap41a\svchost.exe
C:\heap41a\svchost.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B6BD2AD-0540-423D-94A9-56BAC3A5AEB7} - C:\WINDOWS\system32\nomtufyw.dll
O2 - BHO: (no name) - {50672ECD-DFEF-4A5B-A1BC-E9710A4476F7} - C:\WINDOWS\system32\tuvuu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54CBB12C-3481-4C5D-942D-4976C0F0A406} - C:\WINDOWS\system32\ljjgfcy.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {FBE6AEA8-2093-40E8-83BE-F78076ED1603} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify:  0 -  0 (file missing)
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: ljjgfcy - C:\WINDOWS\SYSTEM32\ljjgfcy.dll
O20 - Winlogon Notify: tuvuu - C:\WINDOWS\system32\tuvuu.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\sttfhqbo.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 7688 bytes
Any help will be much appreciated; thank you in advance.

#2 RichieUK
Malware Response Team
Posted 29 July 2007 - 05:45 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, ttiger21.
My name is Richie and I'll be helping you to fix your problems.

Copy and paste the following text (the three lines below) into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
rem Stop the DomainService service (its binary is missing in the HJT log), then remove its registration.
sc stop DomainService
sc delete DomainService

Restart your pc.

--------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause the program to freeze/hang.


Also post a new HijackThis log.
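The entries Richie targets above (the DomainService service whose file is missing, the heap41a svchost.exe started from Policies\Explorer\Run, the unnamed BHOs and the Winlogon Notify DLLs) can be picked out of a HijackThis log mechanically. The triage script below is an added example, not part of this thread or of HijackThis itself; its heuristics, the SDHelper.dll allowlist and the sample excerpt (copied from the log posted above) are assumptions.

```python
r"""HijackThis v2 log triage (added example; not HijackThis code).

Flags the kinds of entries acted on in this thread: a service whose binary is
missing, an autostart under Policies\Explorer\Run, a core Windows binary name
such as svchost.exe running outside system32, unnamed BHOs, and Winlogon
Notify handlers. The heuristics and the allowlist are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a short excerpt copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\heap41a\svchost.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {50672ECD-DFEF-4A5B-A1BC-E9710A4476F7} - C:\WINDOWS\system32\tuvuu.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O20 - Winlogon Notify: tuvuu - C:\WINDOWS\system32\tuvuu.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\sttfhqbo.exe (file missing)
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code ("O23"), or "proc" for the process list
    reason: str
    line: str


# Assumed allowlist: DLLs HijackThis shows as "(no name)" BHOs that belong to
# known tools (Spybot's SDHelper.dll appears in the log above).
KNOWN_NONAME_BHO = {"sdhelper.dll"}
# Core Windows binaries whose names malware likes to borrow.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe|%systemroot%\\\S*)', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    p = path.lower()
    return "\\windows\\system32\\" in p or p.startswith("%systemroot%\\system32\\")


def _masquerade(path: str) -> str:
    """Reason text if a core binary name runs from outside system32, else ''."""
    name = _basename(path)
    if name in SYSTEM_BINARIES and not _in_system32(path):
        return f"system binary name {name} running outside system32"
    return ""


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            why = _masquerade(line)
            if why:
                findings.append(Finding("proc", why, line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        reasons = []
        if code == "O23" and body.endswith("(file missing)"):
            reasons.append("service points at a missing binary (orphaned entry)")
        elif code == "O4":
            if "Policies\\Explorer\\Run" in body:
                reasons.append("autostart via Policies\\Explorer\\Run")
            exe = EXE_RE.search(body)
            why = _masquerade(exe.group(1)) if exe else ""
            if why:
                reasons.append(why)
        elif code == "O2":
            name, _, rest = body.partition(" - ")   # "BHO: (no name)" | "{CLSID} - path"
            path = rest.split(" - ", 1)[-1]
            if "(no name)" in name and _basename(path) not in KNOWN_NONAME_BHO:
                reasons.append("unnamed BHO" + (", no file (orphaned)" if path == "(no file)" else ""))
        elif code == "O20":
            dll = _basename(body.rsplit(" - ", 1)[-1])
            reasons.append(f"Winlogon Notify handler {dll}; confirm it is a known component")
        if reasons:
            findings.append(Finding(code, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it against a full log saved from HijackThis; every flagged line still needs a human decision, since the allowlist is deliberately tiny.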

#3 ttiger21
Posted 29 July 2007 - 07:10 AM

Thank you for the reply. I have followed your instructions and am enclosing the following logs. It seems like it cleaned up a lot of stuff; the only thing I noticed that is still there is that it is not allowing me to use Firefox, with the before-mentioned warning. Should I uninstall and reinstall? Should I rescan with all of AVG, Ad-Aware, and Spybot? I'll write more if I notice anything else as time goes on. Here are the logs:

VUNDOFIX

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 4:40:52 PM 7/29/2007

Listing files found while scanning....

C:\windows\system32\dixkuylu.ini
C:\windows\system32\dlcvcopn.ini
C:\windows\system32\ecpulhmp.ini
C:\windows\system32\fjrbropn.dll
C:\windows\system32\ghraotmu.dll
C:\windows\system32\huvucono.dll
C:\windows\system32\hwrrulio.dll
C:\windows\system32\iyknncqr.dll
C:\windows\system32\kgpqptlo.dll
C:\windows\system32\klgborsy.ini
C:\windows\system32\kxxcfegv.ini
C:\WINDOWS\system32\ljjgfcy.dll
C:\windows\system32\mdxpkjao.dll
C:\windows\system32\npocvcld.dll
C:\windows\system32\nporbrjf.ini
C:\windows\system32\oilurrwh.ini
C:\windows\system32\oltpqpgk.ini
C:\windows\system32\onocuvuh.ini
C:\windows\system32\pmhlupce.dll
C:\windows\system32\rqcnnkyi.ini
C:\WINDOWS\system32\tiyhawjs.dll
C:\WINDOWS\system32\tuvuu.dll
C:\windows\system32\ulyukxid.dll
C:\windows\system32\umtoarhg.ini
C:\windows\system32\umtoarhg.ini2
C:\windows\system32\umtoarhg.tmp
C:\windows\system32\uuvut.bak1
C:\windows\system32\uuvut.bak2
C:\windows\system32\uuvut.ini
C:\windows\system32\vgefcxxk.dll
C:\windows\system32\ysrobglk.dll

Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 4:45:03 PM 7/29/2007

Listing files found while scanning....

C:\windows\system32\dixkuylu.ini
C:\windows\system32\dlcvcopn.ini
C:\windows\system32\ecpulhmp.ini
C:\windows\system32\fjrbropn.dll
C:\windows\system32\ghraotmu.dll
C:\windows\system32\huvucono.dll
C:\windows\system32\hwrrulio.dll
C:\windows\system32\iyknncqr.dll
C:\windows\system32\kgpqptlo.dll
C:\windows\system32\klgborsy.ini
C:\windows\system32\kxxcfegv.ini
C:\WINDOWS\system32\ljjgfcy.dll
C:\windows\system32\mdxpkjao.dll
C:\windows\system32\npocvcld.dll
C:\windows\system32\nporbrjf.ini
C:\windows\system32\oilurrwh.ini
C:\windows\system32\oltpqpgk.ini
C:\windows\system32\onocuvuh.ini
C:\windows\system32\pmhlupce.dll
C:\windows\system32\rqcnnkyi.ini
C:\WINDOWS\system32\tiyhawjs.dll
C:\WINDOWS\system32\tuvuu.dll
C:\windows\system32\ulyukxid.dll
C:\windows\system32\umtoarhg.ini
C:\windows\system32\umtoarhg.ini2
C:\windows\system32\umtoarhg.tmp
C:\windows\system32\uuvut.bak1
C:\windows\system32\uuvut.bak2
C:\windows\system32\uuvut.ini
C:\windows\system32\vgefcxxk.dll
C:\windows\system32\ysrobglk.dll

Beginning removal...

Attempting to delete C:\windows\system32\dixkuylu.ini
C:\windows\system32\dixkuylu.ini Has been deleted!

Attempting to delete C:\windows\system32\dlcvcopn.ini
C:\windows\system32\dlcvcopn.ini Has been deleted!

Attempting to delete C:\windows\system32\ecpulhmp.ini
C:\windows\system32\ecpulhmp.ini Has been deleted!

Attempting to delete C:\windows\system32\fjrbropn.dll
C:\windows\system32\fjrbropn.dll Has been deleted!

Attempting to delete C:\windows\system32\ghraotmu.dll
C:\windows\system32\ghraotmu.dll Has been deleted!

Attempting to delete C:\windows\system32\huvucono.dll
C:\windows\system32\huvucono.dll Has been deleted!

Attempting to delete C:\windows\system32\hwrrulio.dll
C:\windows\system32\hwrrulio.dll Has been deleted!

Attempting to delete C:\windows\system32\iyknncqr.dll
C:\windows\system32\iyknncqr.dll Has been deleted!

Attempting to delete C:\windows\system32\kgpqptlo.dll
C:\windows\system32\kgpqptlo.dll Has been deleted!

Attempting to delete C:\windows\system32\klgborsy.ini
C:\windows\system32\klgborsy.ini Has been deleted!

Attempting to delete C:\windows\system32\kxxcfegv.ini
C:\windows\system32\kxxcfegv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjgfcy.dll
C:\WINDOWS\system32\ljjgfcy.dll Has been deleted!

Attempting to delete C:\windows\system32\mdxpkjao.dll
C:\windows\system32\mdxpkjao.dll Has been deleted!

Attempting to delete C:\windows\system32\npocvcld.dll
C:\windows\system32\npocvcld.dll Has been deleted!

Attempting to delete C:\windows\system32\nporbrjf.ini
C:\windows\system32\nporbrjf.ini Has been deleted!

Attempting to delete C:\windows\system32\oilurrwh.ini
C:\windows\system32\oilurrwh.ini Has been deleted!

Attempting to delete C:\windows\system32\oltpqpgk.ini
C:\windows\system32\oltpqpgk.ini Has been deleted!

Attempting to delete C:\windows\system32\onocuvuh.ini
C:\windows\system32\onocuvuh.ini Has been deleted!

Attempting to delete C:\windows\system32\pmhlupce.dll
C:\windows\system32\pmhlupce.dll Has been deleted!

Attempting to delete C:\windows\system32\rqcnnkyi.ini
C:\windows\system32\rqcnnkyi.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvuu.dll
C:\WINDOWS\system32\tuvuu.dll Has been deleted!

Attempting to delete C:\windows\system32\ulyukxid.dll
C:\windows\system32\ulyukxid.dll Has been deleted!

Attempting to delete C:\windows\system32\umtoarhg.ini
C:\windows\system32\umtoarhg.ini Has been deleted!

Attempting to delete C:\windows\system32\umtoarhg.ini2
C:\windows\system32\umtoarhg.ini2 Has been deleted!

Attempting to delete C:\windows\system32\umtoarhg.tmp
C:\windows\system32\umtoarhg.tmp Has been deleted!

Attempting to delete C:\windows\system32\uuvut.bak1
C:\windows\system32\uuvut.bak1 Has been deleted!

Attempting to delete C:\windows\system32\uuvut.bak2
C:\windows\system32\uuvut.bak2 Has been deleted!

Attempting to delete C:\windows\system32\uuvut.ini
C:\windows\system32\uuvut.ini Has been deleted!

Attempting to delete C:\windows\system32\vgefcxxk.dll
C:\windows\system32\vgefcxxk.dll Has been deleted!

Attempting to delete C:\windows\system32\ysrobglk.dll
C:\windows\system32\ysrobglk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 4:58:52 PM 7/29/2007

Listing files found while scanning....


******************************COMBOFIX************************************

ComboFix 07-07-28.5 - "Franklin Moses" 2007-07-29 17:04:55.1 [GMT 5.5:30] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\odhycpim.dll
C:\WINDOWS\system32\qwytcqrg.dll
C:\WINDOWS\system32\jwjqlrkm.dll
C:\WINDOWS\system32\ktmehxod.dll
C:\WINDOWS\system32\grqctywq.ini
C:\WINDOWS\system32\mkrlqjwj.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\instcat.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-29 17:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 16:49 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-07-29 16:40 <DIR> d-------- C:\VundoFix Backups
2007-07-29 16:38 <DIR> d--hs---- C:\FOUND.016
2007-07-28 23:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 17:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-27 11:35 <DIR> d--hs---- C:\heap41a
2007-07-27 10:38 <DIR> d--hs---- C:\FOUND.015
2007-07-25 19:57 <DIR> d-------- C:\WINDOWS\pss
2007-07-25 15:40 125,972 --------- C:\WINDOWS\system32\cpdbusxj.dll
2007-07-25 15:27 <DIR> d--hs---- C:\FOUND.014
2007-07-25 13:18 125,972 --a------ C:\WINDOWS\system32\ktpenawo.dll
2007-07-23 22:58 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-23 19:08 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-23 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 17:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-23 15:05 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-07-23 15:05 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-19 12:47 110,612 --a------ C:\WINDOWS\system32\nomtufyw.dll
2007-07-15 13:28 <DIR> d-------- C:\Program Files\WMR11
2007-07-14 15:11 <DIR> d-------- C:\Skyscape
2007-07-14 07:49 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-07-14 07:48 <DIR> d-------- C:\WINDOWS\Skyscape
2007-07-14 07:48 <DIR> d-------- C:\Program Files\Skyscape
2007-07-14 07:48 <DIR> d-------- C:\Program Files\Common Files\Skyscape
2007-07-11 20:38 <DIR> d-------- C:\DOCUME~1\FRANKL~1\Incomplete
2007-07-11 20:37 <DIR> d-------- C:\DOCUME~1\FRANKL~1\APPLIC~1\LimeWire
2007-07-11 20:23 <DIR> d-------- C:\Program Files\LimeWire
2007-07-02 21:42 88,528 --a------ C:\WINDOWS\system32\sszlib_pc.dll
2007-07-02 21:42 338,384 --a------ C:\WINDOWS\system32\JS32CE_pc.dll
2007-07-02 21:42 3,459,536 --a------ C:\WINDOWS\system32\ssartworkz_pc.dll
2007-07-02 21:42 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-07-02 21:42 174,544 --a------ C:\WINDOWS\system32\Archimedes_pc.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 18:50 660 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-06-12 00:50 --------- d-------- C:\DOCUME~1\FRANKL~1\APPLIC~1\vlc
2007-06-08 23:32 --------- d-------- C:\Program Files\Binaryfish
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B6BD2AD-0540-423D-94A9-56BAC3A5AEB7}]
2007-07-19 12:47 110612 --a------ C:\WINDOWS\system32\nomtufyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C2B5A4-3353-4A8A-A349-14E13A3CFFE4}]
C:\WINDOWS\system32\tuvuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBE6AEA8-2093-40E8-83BE-F78076ED1603}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CP32NOT"="C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE" [2001-08-13 16:23]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe" [2001-07-26 17:10]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-05-02 17:07]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 12:00]
"TridentTVIcon"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\Franklin Moses\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"status"=present
"winlogon"=C:\heap41a\svchost.exe C:\heap41a\std.txt

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 allegro;ESS Allegro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 Edspport;EDSP Port Driver;C:\WINDOWS\system32\DRIVERS\es56cvmp.sys
R3 EN5251;Accton EN5251 Series Chip Based Fast Ethernet Adapter Win2000 Driver;C:\WINDOWS\system32\DRIVERS\EN5251N5.SYS
R3 HPCI;HP Configuration Interface;C:\WINDOWS\system32\DRIVERS\hpci.sys
R3 KBFiltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\KBFiltr.sys
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 USB_RNDIS_51;USB Remote NDIS Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98a4de60-3c06-11dc-ba16-00d0597ae5ab}]
Auto\command- H:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 17:12:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TridentTVIcon = ???w@a??????D??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 17:14:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-29 17:14

--- E O F ---

*************************************HJT**********************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:46 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
C:\heap41a\svchost.exe
C:\heap41a\svchost.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B6BD2AD-0540-423D-94A9-56BAC3A5AEB7} - C:\WINDOWS\system32\nomtufyw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82C2B5A4-3353-4A8A-A349-14E13A3CFFE4} - C:\WINDOWS\system32\tuvuu.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {FBE6AEA8-2093-40E8-83BE-F78076ED1603} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify:  0 -  0 (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 7272 bytes


These are the logs. The only problem I had was VundoFix: when I ran it, Spybot SDHelper was running, so it said it had denied the registry changes, but in the log files it says it was completed. I also ran VundoFix again and it didn't find anything. I hope that this did not cause a problem. Thanks
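As an added example (not from the thread, and not HijackThis's or ComboFix's own code), here is a small Python triage script that parses a HijackThis log and flags the entries the next reply's CFScript targets: a core system-binary name running from a non-system folder such as C:\heap41a\svchost.exe, autostart values under Policies\Explorer\Run, and BHO entries whose DLL is missing. SAMPLE_LOG is a constructed excerpt modelled on the log above; the function names and finding categories are my own.

```python
"""Triage a HijackThis log for the patterns seen in this thread.

Added example, not code from the thread or from HijackThis/ComboFix.
It flags: a core Windows binary name (svchost.exe, winlogon.exe, ...) running
from outside system32, autostart entries under Policies\\Explorer\\Run, and
BHO entries whose DLL is missing. SAMPLE_LOG is a constructed excerpt
modelled on the log posted in the thread.
"""
import re
from typing import List, Tuple

# Binary names that only belong in the Windows system directory.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)

PROC_HEADER = "Running processes:"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# First (optionally quoted) token ending in .exe, i.e. the image path.
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]*?\.exe)', re.IGNORECASE)

# Constructed excerpt modelled on the infected log from the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2 (constructed excerpt)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\heap41a\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

O2 - BHO: (no name) - {4B6BD2AD-0540-423D-94A9-56BAC3A5AEB7} - C:\WINDOWS\system32\nomtufyw.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82C2B5A4-3353-4A8A-A349-14E13A3CFFE4} - C:\WINDOWS\system32\tuvuu.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""


def image_path(command: str) -> str:
    """Return the executable path from an autostart command line."""
    m = IMAGE_RE.match(command.strip())
    return m.group("image") if m else command.strip().split(" ")[0]


def masquerading(path: str) -> bool:
    """True when a core system binary name runs from a non-system folder."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not lower.startswith(SYSTEM_DIRS)


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (category, log line) pairs for every suspicious entry."""
    findings: List[Tuple[str, str]] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == PROC_HEADER:
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            elif masquerading(line):
                findings.append(("process-masquerade", line))
            continue
        m = O4_RE.match(line)
        if m:
            if "policies\\explorer\\run" in m.group("hive").lower():
                findings.append(("policies-run-autostart", line))
            if masquerading(image_path(m.group("cmd"))):
                findings.append(("autostart-masquerade", line))
            continue
        m = O2_RE.match(line)
        if m and ("(no file)" in m.group("target")
                  or "file missing" in m.group("target")):
            findings.append(("orphaned-bho", line))
    return findings


if __name__ == "__main__":
    for category, entry in triage(SAMPLE_LOG):
        print(f"{category:24} {entry}")
```

Run against the clean log posted later in the thread, only the orphaned BHO with `(no file)` would remain, which is exactly the entry the helper then asks HijackThis to fix.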

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 29 July 2007 - 07:27 AM

Copy and paste ALL the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\cpdbusxj.dll
C:\WINDOWS\system32\ktpenawo.dll
C:\WINDOWS\system32\nomtufyw.dll

Folder::
C:\heap41a

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B6BD2AD-0540-423D-94A9-56BAC3A5AEB7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82C2B5A4-3353-4A8A-A349-14E13A3CFFE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBE6AEA8-2093-40E8-83BE-F78076ED1603}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"status"=-
"winlogon"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 ttiger21

ttiger21
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 29 July 2007 - 08:08 PM

Here are the logs from the next step
ComboFix 07-07-28.5 - "Franklin Moses" 2007-07-29 18:02:33.2 [GMT 5.5:30] - FAT32
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Franklin Moses\Desktop\CFSCRIPT.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\heap41a
C:\heap41a\2.mp3
C:\heap41a\drivelist.txt
C:\heap41a\Icon.ico
C:\heap41a\offspring\autorun.inf
C:\heap41a\offspring\MicrosoftPowerPoint.exe
C:\heap41a\reproduce.txt
C:\heap41a\script1.txt
C:\heap41a\std.txt
C:\heap41a\svchost.exe
C:\WINDOWS\system32\cpdbusxj.dll
C:\WINDOWS\system32\ktpenawo.dll
C:\WINDOWS\system32\nomtufyw.dll


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-29 17:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 16:49 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-07-29 16:40 <DIR> d-------- C:\VundoFix Backups
2007-07-29 16:38 <DIR> d--hs---- C:\FOUND.016
2007-07-28 23:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 17:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-27 10:38 <DIR> d--hs---- C:\FOUND.015
2007-07-25 19:57 <DIR> d-------- C:\WINDOWS\pss
2007-07-25 15:27 <DIR> d--hs---- C:\FOUND.014
2007-07-23 22:58 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-23 19:08 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-23 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 17:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-23 15:05 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-07-23 15:05 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-15 13:28 <DIR> d-------- C:\Program Files\WMR11
2007-07-14 15:11 <DIR> d-------- C:\Skyscape
2007-07-14 07:49 724,992 --a------ C:\WINDOWS\iun6002.exe
2007-07-14 07:48 <DIR> d-------- C:\WINDOWS\Skyscape
2007-07-14 07:48 <DIR> d-------- C:\Program Files\Skyscape
2007-07-14 07:48 <DIR> d-------- C:\Program Files\Common Files\Skyscape
2007-07-11 20:38 <DIR> d-------- C:\DOCUME~1\FRANKL~1\Incomplete
2007-07-11 20:37 <DIR> d-------- C:\DOCUME~1\FRANKL~1\APPLIC~1\LimeWire
2007-07-11 20:23 <DIR> d-------- C:\Program Files\LimeWire
2007-07-02 21:42 88,528 --a------ C:\WINDOWS\system32\sszlib_pc.dll
2007-07-02 21:42 338,384 --a------ C:\WINDOWS\system32\JS32CE_pc.dll
2007-07-02 21:42 3,459,536 --a------ C:\WINDOWS\system32\ssartworkz_pc.dll
2007-07-02 21:42 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-07-02 21:42 174,544 --a------ C:\WINDOWS\system32\Archimedes_pc.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 18:50 660 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-06-12 00:50 --------- d-------- C:\DOCUME~1\FRANKL~1\APPLIC~1\vlc
2007-06-08 23:32 --------- d-------- C:\Program Files\Binaryfish
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CP32NOT"="C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE" [2001-08-13 16:23]
"HP Display Settings"="C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe" [2001-07-26 17:10]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-05-02 17:07]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 12:00]
"TridentTVIcon"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\Franklin Moses\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 allegro;ESS Allegro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 Edspport;EDSP Port Driver;C:\WINDOWS\system32\DRIVERS\es56cvmp.sys
R3 EN5251;Accton EN5251 Series Chip Based Fast Ethernet Adapter Win2000 Driver;C:\WINDOWS\system32\DRIVERS\EN5251N5.SYS
R3 HPCI;HP Configuration Interface;C:\WINDOWS\system32\DRIVERS\hpci.sys
R3 KBFiltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\KBFiltr.sys
R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 USB_RNDIS_51;USB Remote NDIS Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98a4de60-3c06-11dc-ba16-00d0597ae5ab}]
Auto\command- H:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 18:06:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [2124] 0x8232D7E8


scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TridentTVIcon = ???w@a??????D??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 18:08:18
C:\ComboFix-quarantined-files.txt ... 2007-07-29 18:08
C:\ComboFix2.txt ... 2007-07-29 17:14

--- E O F ---

*****************************************HJT*********************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:42 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 6634 bytes

What should I do next?

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 29 July 2007 - 08:24 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

----------------------------------------------------

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

----------------------------------------------------

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
fix.bat
VundoFix.exe
Combofix.exe

C:\VundoFix Backups
C:\QOOBOX

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

---------------------------------------------------

Enable Spybot S&Ds protection.

---------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

---------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#7 ttiger21

ttiger21
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 30 July 2007 - 08:36 PM

Hi, thanks so much for the help. Only one more problem that I'm having, but not sure if it's related to this: I can't connect to certain sites. Started after my last reset, after cleaning. Particularly Yahoo that I noticed so far. Also I couldn't connect to this site as well, but was able to go through Google search and connect somehow; that's why I wasn't able to leave a message earlier. If I type bleepingcomputer.com it doesn't come up, but when I come around using another link to the site, I'm able to get in. Also my Yahoo Messenger won't connect, or my e-mail sync with Outlook. One thing I did notice is that some sites come up with their prefix IP number in the address line of Google or Explorer, like http://xxx.xx.xx.x/domain name, which never happened before. I just tried typing in the IP address for Yahoo (69.147.114.210) and it loaded, but still would get an error when trying to open the mail page. Any suggestions? Also I noticed the following line coming back even though I use HJT to delete it:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Edited by ttiger21, 30 July 2007 - 09:58 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 31 July 2007 - 06:23 AM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall Spybot Search & Destroy, then restart your pc.
We can reinstall it later.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
----------------------------------------------------------

Click on Start/Run, type CMD then press Ok.
At the Command Prompt copy and paste the following bold text below, then press Enter:
NETSH WINSOCK RESET

Then copy and paste ipconfig /flushdns and press Enter again.
Then type EXIT, press Enter, then restart your pc.

Post a new Hijackthis log into your next reply.
Let me know how your pc is running now.



