
Various Issues - Hijackthis Log Included


9 replies to this topic

#1 bandshirts (Members, 5 posts)

Posted 04 August 2007 - 09:37 PM

Hi!

My Status:
I'm running a fresh install of Windows XP Home (no SP2, but other updates installed; I'm scared to do SP2 until these issues are resolved completely), with Shaw Cablesystems' security package (F-Secure). I have recently reinstalled XP. A few other programs have been installed, but it is still far from a full average load of programs. These problems existed before the reformat/reinstall, and have seemed to get much worse since. I have followed the steps indicated in your "Preparing to post a log" thread.

My problem:
IE is constantly besieged by popups. If I allow it access to the internet (it is currently blocked and I'm using Firefox), it will immediately open dozens of popups for various collections of ads. Also, what I assume is an entirely different malware-type system periodically redirects browsers (including Firefox) to one of 3 different "computer help" sites advertising their ability to fix the problem they themselves have inflicted upon me. I hate that. Finally, I am experiencing a fairly serious loss of system resources, manifested by a general slowdown of all programs.

My HT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:41 PM, on 8/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\nghcksxp.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)

--
End of file - 4057 bytes


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 05 August 2007 - 09:44 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, bandshirts :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1a:
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed, or we'll both be wasting our time.

Note:
Do not install Service Pack 2.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

#3 bandshirts (Topic Starter, Members, 5 posts)

Posted 06 August 2007 - 11:20 PM

Thank you very much for responding, Richie.

I have installed Service Pack 1a, but could not do so under a normal boot of Windows, so had to do it in Safe Mode. After rebooting to Safe Mode, the patch worked normally and successfully. However, I am still affected by the same issues, of course. I will post a new log following:

LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:39 PM, on 8/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\xrrhpxes.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)

--
End of file - 4073 bytes
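The two logs above (4 August and 6 August) differ in one telling way: the `[SystemOptimizer]` entry still loads an eight-letter DLL from System32 through rundll32, but the DLL's name has changed (nghcksxp.dll, then xrrhpxes.dll), and a new `DomainService` pointing at `qwerty12.exe` with no publisher has appeared. Below is an added example, not code from this thread or from Trend Micro, that does by script what the responder does by eye: parse the HijackThis finding lines, flag the things a responder looks for (random eight-letter names in System32, `(file missing)`, services with no publisher, anything autostarting from the `dllcache` directory), and diff two logs keyed on the autorun name, service short name or CLSID so a payload that renames itself shows up as a rename rather than as an unrelated add/remove pair. The sample input is a constructed subset of the lines posted above; the heuristic names and thresholds are this example's own, and a hit is a reason to look, not a verdict.

```python
"""Triage helpers for HijackThis logs: flag suspicious finding lines and diff two
logs so a payload that renames itself between reboots is still recognised.
Heuristics only; every hit still needs a human (or a hash lookup) to confirm."""
import re
from dataclasses import dataclass

# Drive-letter path up to the first executable extension (lazy, so quotes/arguments are dropped).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys|scr|cpl)\b', re.I)
# Vundo-style filename: exactly eight lowercase letters (nghcksxp, xrrhpxes, ieqhwwrs, ...).
RANDOM_STEM_RE = re.compile(r'[a-z]{8}')


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O23", ...
    key: str      # hive + autorun name, service short name or CLSID: stable across logs
    text: str     # the full line as HijackThis printed it


def _key_for(section: str, body: str) -> str:
    if section == "O4":                     # "HKLM\..\Run: [Name] cmd" -> "HKLM\..\Run: [Name]"
        m = re.match(r'(.*?\])', body)
        if m:
            return m.group(1)
    if section == "O23":                    # "Service: Display (short) - owner - path" -> "short"
        m = re.search(r'\(([^)]+)\) -', body)
        if m:
            return m.group(1)
    m = re.search(r'\{[0-9A-Fa-f-]{36}\}', body)   # BHOs, toolbars, O9 buttons: key on the CLSID
    return m.group(0) if m else body


def parse_log(text: str) -> list:
    """Keep only the 'Rn - ...' / 'On - ...' finding lines; the process list is ignored."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^([RFO]\d+) - (.*\S)\s*$', line)
        if m:
            entries.append(Entry(m.group(1), _key_for(m.group(1), m.group(2)), line.strip()))
    return entries


def flag(entry: Entry) -> list:
    """Reasons an entry deserves a look. An empty list means nothing tripped."""
    reasons = []
    if "(file missing)" in entry.text:
        reasons.append("target file missing (orphaned entry or hidden file)")
    if entry.section == "O23" and "Unknown owner" in entry.text:
        reasons.append("service binary carries no publisher")
    for path in PATH_RE.findall(entry.text):
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in low and RANDOM_STEM_RE.fullmatch(stem):
            reasons.append("random eight-letter name in system32: " + path)
        if "\\dllcache\\" in low:
            reasons.append("autostart from the WFP cache directory: " + path)
    if entry.section == "O4" and "rundll32" in entry.text.lower() and reasons:
        reasons.append("rundll32 is the loader for the flagged DLL")
    return reasons


def triage(text: str) -> dict:
    """Map each suspicious line to its reasons; clean lines are left out."""
    return {e.text: r for e in parse_log(text) if (r := flag(e))}


def diff_logs(old_text: str, new_text: str) -> tuple:
    """Added, removed and renamed (same key, different command) entries between two logs."""
    old = {(e.section, e.key): e for e in parse_log(old_text)}
    new = {(e.section, e.key): e for e in parse_log(new_text)}
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    renamed = [(old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k].text != new[k].text]
    return added, removed, renamed


# Constructed sample: a subset of the 4 August and 6 August logs posted above.
LOG_AUG4 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\nghcksxp.dll",forkonce
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
"""
LOG_AUG6 = LOG_AUG4.replace("nghcksxp.dll", "xrrhpxes.dll") + \
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe" + "\n"

if __name__ == "__main__":
    for line, why in triage(LOG_AUG6).items():
        print(line, "\n    ", "; ".join(why))
    added, removed, renamed = diff_logs(LOG_AUG4, LOG_AUG6)
    print("new:", [a.text for a in added], "renamed:", [(o.key, n.text) for o, n in renamed])
```

Keying the diff on the autorun name rather than on the whole line is what turns the 4 to 6 August change into a single "renamed" record; a plain line diff would report one entry gone and one unrelated entry added, which is exactly how a self-renaming payload hides in a pile of ordinary churn.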

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 07 August 2007 - 07:28 AM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-----------------------------------------------

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

-----------------------------------------------

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe), and post that log into your next reply please.

#5 bandshirts (Topic Starter, Members, 5 posts)

Posted 10 August 2007 - 11:14 PM

OK, thanks for your continued help, Richie.

Since we last corresponded I had not been able to work on this issue for a couple of days, but am back at it again. We have changed from the F-Secure package from Shaw for security to a combination of AVG Free virus protection and ZoneAlarm firewall. I hope that change doesn't affect our progress here.

Here are the logs that you requested from the fixes you posted in your last reply.


COMBOFIX LOG:


ComboFix 07-08-11 - "Savile Row Tailors" 2007-08-10 21:01:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.311 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\SAVILE~1\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-10 21:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 20:53 <DIR> d-------- C:\VundoFix Backups
2007-08-10 20:29 120,852 --a------ C:\WINDOWS\system32\ieqhwwrs.dll
2007-08-10 20:14 75,284 --a------ C:\WINDOWS\system32\vqpqfiyu.exe
2007-08-09 20:18 75,284 --a------ C:\WINDOWS\system32\amleoffp.exe
2007-08-09 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-09 20:06 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-09 20:06 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-09 20:06 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-09 20:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-09 20:06 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-09 20:06 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-09 20:06 1,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-09 20:05 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-09 20:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-09 20:05 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-09 20:04 75,284 --a------ C:\WINDOWS\system32\cubkvfke.exe
2007-08-09 19:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-09 18:22 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-09 18:22 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-09 18:21 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-09 18:21 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-09 18:06 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-09 18:06 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-09 18:00 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-09 18:00 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-08 14:30 75,284 --a------ C:\WINDOWS\system32\txkmaaxo.exe
2007-08-08 11:52 1,572,864 --a------ C:\DOCUME~1\SAVILE~1\ntuser.dat
2007-08-06 21:04 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-06 20:56 <DIR> d-------- C:\WINDOWS\ehome
2007-08-06 20:51 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-08-06 20:51 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll
2007-08-06 20:51 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll
2007-08-06 20:51 921,475 --a------ C:\WINDOWS\system32\ati3d2ag.dll
2007-08-06 20:51 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-08-06 20:51 9,856 --a------ C:\WINDOWS\system32\drivers\tunmp.sys
2007-08-06 20:51 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-08-06 20:51 891,711 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-08-06 20:51 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-08-06 20:51 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-08-06 20:51 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-08-06 20:51 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-08-06 20:51 857,600 --a------ C:\WINDOWS\system32\netplwiz.dll
2007-08-06 20:51 844,675 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-08-06 20:51 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-08-06 20:51 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2007-08-06 20:51 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2007-08-06 20:51 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-08-06 20:51 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-08-06 20:51 77,824 --a------ C:\WINDOWS\system32\wmpshell.dll
2007-08-06 20:51 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-08-06 20:51 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-08-06 20:51 71,168 --a------ C:\WINDOWS\system32\telnet.exe
2007-08-06 20:51 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-08-06 20:51 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-08-06 20:51 686,080 --a------ C:\WINDOWS\system32\opengl32.dll
2007-08-06 20:51 674,816 --a------ C:\WINDOWS\system32\sxs.dll
2007-08-06 20:51 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-08-06 20:51 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2007-08-06 20:51 66,048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-08-06 20:51 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-08-06 20:51 63,663 --a------ C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-08-06 20:51 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-08-06 20:51 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2007-08-06 20:51 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-08-06 20:51 61,952 --a------ C:\WINDOWS\system32\sti.dll
2007-08-06 20:51 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2007-08-06 20:51 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2007-08-06 20:51 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-08-06 20:51 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2007-08-06 20:51 6,912 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2007-08-06 20:51 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-08-06 20:51 584,192 --a------ C:\WINDOWS\system32\netcfgx.dll
2007-08-06 20:51 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll
2007-08-06 20:51 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2007-08-06 20:51 569,344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-08-06 20:51 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-08-06 20:51 56,591 --a------ C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-08-06 20:51 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-08-06 20:51 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-08-06 20:51 53,248 --a------ C:\WINDOWS\system32\packager.exe
2007-08-06 20:51 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-08-06 20:51 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-08-06 20:51 511,488 --a------ C:\WINDOWS\system32\qedit.dll
2007-08-06 20:51 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-08-06 20:51 5,504 --a------ C:\WINDOWS\system32\drivers\smbali.sys
2007-08-06 20:51 5,120 --a------ C:\WINDOWS\system32\hccoin.dll
2007-08-06 20:51 49,152 --a------ C:\WINDOWS\system32\npptools.dll
2007-08-06 20:51 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-08-06 20:51 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-08-06 20:51 48,128 --a------ C:\WINDOWS\system32\reg.exe
2007-08-06 20:51 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-08-06 20:51 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-08-06 20:51 450,176 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-08-06 20:51 446,464 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-08-06 20:51 442,398 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-08-06 20:51 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2007-08-06 20:51 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-08-06 20:51 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2007-08-06 20:51 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 20:09 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-09 20:09 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-06 20:58 2676 --a------ C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-07-30 20:14 8972 --a------ C:\WINDOWS\pchealth\HELPCTR\Config\Cntstore.bin


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CB23E8-0E39-44A5-9A2A-4907F1D47593}]
C:\WINDOWS\System32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89D7187F-1019-497F-9174-8D70A7E07F16}]
2007-08-10 20:29 120852 --a------ C:\WINDOWS\System32\ieqhwwrs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 16:15]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 00:34 C:\WINDOWS\SOUNDMAN.EXE]
"Microsoft Network Associates"="c:\windows\system32\compact.exe" [2001-08-18 05:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-09 20:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 03:41]
"Microsoft Network Associates"="c:\windows\system32\compact.exe" [2001-08-18 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Network Associates"=c:\windows\system32\compact.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypta]
cryptsb.dll

S2 mshexdefx;ms hexidecimal defx;"C:\WINDOWS\system32\dllcache\ivchost.exe"
S4 M1crosoft Agant;M1crosoft Agant;"C:\WINDOWS\System32\dllcache\qhotsew.exe"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 21:04:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 21:05:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 21:05

--- E O F ---



VUNDOFIX LOG:


VundoFix V6.5.7

Checking Java version...

Scan started at 8:53:32 PM 8/10/2007

Listing files found while scanning....

C:\windows\system32\cvyqigww.dll
C:\windows\system32\fwumoobv.ini
C:\WINDOWS\System32\llnmp.bak1
C:\WINDOWS\System32\llnmp.bak2
C:\WINDOWS\System32\llnmp.ini
C:\WINDOWS\System32\llnmp.ini2
C:\WINDOWS\system32\mljhhhh.dll
C:\WINDOWS\System32\nyiystwx.dll
C:\WINDOWS\System32\pmnll.dll
C:\windows\system32\sexphrrx.ini
C:\WINDOWS\System32\smatkhvv.dll
C:\windows\system32\vboomuwf.dll
C:\windows\system32\wwgiqyvc.ini
C:\windows\system32\xrrhpxes.dll
C:\windows\system32\xwtsyiyn.ini

Beginning removal...

Attempting to delete C:\windows\system32\cvyqigww.dll
C:\windows\system32\cvyqigww.dll Has been deleted!

Attempting to delete C:\windows\system32\fwumoobv.ini
C:\windows\system32\fwumoobv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.bak1
C:\WINDOWS\System32\llnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.bak2
C:\WINDOWS\System32\llnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.ini
C:\WINDOWS\System32\llnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.ini2
C:\WINDOWS\System32\llnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhhhh.dll
C:\WINDOWS\system32\mljhhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\nyiystwx.dll
C:\WINDOWS\System32\nyiystwx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\pmnll.dll
C:\WINDOWS\System32\pmnll.dll Has been deleted!

Attempting to delete C:\windows\system32\sexphrrx.ini
C:\windows\system32\sexphrrx.ini Has been deleted!

Attempting to delete C:\windows\system32\vboomuwf.dll
C:\windows\system32\vboomuwf.dll Has been deleted!

Attempting to delete C:\windows\system32\wwgiqyvc.ini
C:\windows\system32\wwgiqyvc.ini Has been deleted!

Attempting to delete C:\windows\system32\xrrhpxes.dll
C:\windows\system32\xrrhpxes.dll Has been deleted!

Attempting to delete C:\windows\system32\xwtsyiyn.ini
C:\windows\system32\xwtsyiyn.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\nyiystwx.dll
C:\WINDOWS\System32\nyiystwx.dll Has been deleted!

Performing Repairs to the registry.
Done!


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:48 PM, on 8/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {61CB23E8-0E39-44A5-9A2A-4907F1D47593} - C:\WINDOWS\System32\pmnll.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89D7187F-1019-497F-9174-8D70A7E07F16} - C:\WINDOWS\System32\ieqhwwrs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Network Associates] c:\windows\system32\compact.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O20 - Winlogon Notify: crypta - cryptsb.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4076 bytes

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 11 August 2007 - 04:12 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
sc stop mshexdefx
sc delete mshexdefx

Restart your pc.

------------------------------------------------------

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\ieqhwwrs.dll
C:\WINDOWS\system32\vqpqfiyu.exe
C:\WINDOWS\system32\amleoffp.exe
C:\WINDOWS\system32\cubkvfke.exe
C:\WINDOWS\system32\txkmaaxo.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CB23E8-0E39-44A5-9A2A-4907F1D47593}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89D7187F-1019-497F-9174-8D70A7E07F16}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypta]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Associates"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Associates"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Network Associates"=-

Now drag and drop the CFScript file onto ComboFix.exe.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
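The CFScript above is ComboFix's own scripting format: a `File::` section listing paths to delete, and a `Registry::` section in .reg-file syntax where `[-KEY]` deletes a key and a `"name"=-` line under a `[KEY]` context deletes one value. ComboFix carries out whatever it is handed, so a typo (a missing `-`, a path that names the wrong binary, a hive root where a key was meant) does real damage. What follows is an added example, not ComboFix's code and not part of the thread, that parses a CFScript and refuses the obvious mistakes before the file is dropped onto ComboFix. It handles only the two section types used here and reports any other header as unsupported. Two things in it are this example's own assumptions: that the `~` in `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` is ComboFix's shorthand for `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`, and the short list of XP core binaries it refuses to let a script delete. The good script is the one posted above, verbatim; the bad one is constructed to trip each check.

```python
"""Validator for ComboFix CFScript files (added example, not ComboFix's own code).
Parses File:: and Registry:: and rejects the mistakes that would do damage."""
import re

ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT")
# Assumption of this example: ComboFix's "~" abbreviates the Explorer key under CurrentVersion.
TILDE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
# XP binaries whose deletion breaks boot or logon; naming one in File:: is treated as a typo.
CORE_FILES = {"ntoskrnl.exe", "hal.dll", "smss.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "userinit.exe", "explorer.exe"}
ABS_FILE_RE = re.compile(r'^[A-Za-z]:\\.+[^\\]$')   # drive letter, a component, not a directory
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                # [KEY] sets context, [-KEY] deletes the key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')            # "name"=-  deletes the value, else sets it


def _check_file(n, line, result):
    if not ABS_FILE_RE.match(line):
        result["errors"].append(f"line {n}: not an absolute file path: {line}")
        return
    name = line.rsplit("\\", 1)[-1].lower()
    if name in CORE_FILES:
        result["errors"].append(f"line {n}: refusing to delete core system file {name}")
        return
    result["files"].append(line)


def _check_registry(n, line, current_key, result):
    """Returns the key context for following value lines (None after a delete or an error)."""
    m = KEY_RE.match(line)
    if m:
        delete, key = m.group(1) == "-", m.group(2)
        root, _, rest = key.partition("\\")
        if root not in ROOTS or (delete and not rest):   # unknown hive, or [-HKEY_...] wiping a hive
            result["errors"].append(f"line {n}: refusing key line {line}")
            return None
        full = root + "\\" + rest.replace("~", TILDE, 1) if rest else root
        if delete:
            result["delete_keys"].append(full)
            return None                                   # a deleted key takes no value lines
        return full
    m = VALUE_RE.match(line)
    if m and current_key is not None:
        name, value = m.groups()
        result["delete_values" if value == "-" else "set_values"].append((current_key, name, value))
        return current_key
    result["errors"].append(f"line {n}: value line without a [KEY] context, or unrecognised: {line}")
    return current_key


def parse_cfscript(text: str) -> dict:
    result = {"files": [], "delete_keys": [], "delete_values": [], "set_values": [], "errors": []}
    section, current_key = None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                           # section header such as File:: or Registry::
            section, current_key = line[:-2], None
            if section not in ("File", "Registry"):
                result["errors"].append(f"line {n}: unsupported section {line}")
            continue
        if section == "File":
            _check_file(n, line, result)
        elif section == "Registry":
            current_key = _check_registry(n, line, current_key, result)
        else:
            result["errors"].append(f"line {n}: content before any section header: {line}")
    return result


# The script posted above, verbatim.
GOOD_SCRIPT = r"""File::
C:\WINDOWS\system32\ieqhwwrs.dll
C:\WINDOWS\system32\vqpqfiyu.exe
C:\WINDOWS\system32\amleoffp.exe
C:\WINDOWS\system32\cubkvfke.exe
C:\WINDOWS\system32\txkmaaxo.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61CB23E8-0E39-44A5-9A2A-4907F1D47593}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89D7187F-1019-497F-9174-8D70A7E07F16}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypta]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Associates"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Associates"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Network Associates"=-
"""
# Constructed script with one mistake of each kind the validator catches.
BAD_SCRIPT = r"""File::
C:\WINDOWS\explorer.exe
notepad.exe
Registry::
[-HKEY_LOCAL_MACHINE]
"Microsoft Network Associates"=-
"""

if __name__ == "__main__":
    for name, script in (("thread script", GOOD_SCRIPT), ("constructed bad script", BAD_SCRIPT)):
        print(name + ":", parse_cfscript(script)["errors"] or "no problems found")
```

Run against the thread's script it reports five files, three key deletes (the two BHO CLSIDs and the `crypta` Winlogon Notify key) and three value deletes of `Microsoft Network Associates`, one per hive, with no errors; the constructed script is rejected on all four lines that matter. The validator never touches the registry or the file system; its only job is to make sure that what reaches ComboFix is what the responder meant.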
Posted Image
Posted Image

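The triage RichieUK does by eye in the post above (a service registered against a missing binary in system32\dllcache, a BHO with no file behind it, Run values pointing at random-named executables, a misspelt vendor name) can be written down as rules and run over the log. The script below is an added example for this thread, not code from HijackThis, ComboFix or any participant. The sample log lines are constructed from entries in this thread; pairing the "Microsoft Network Associates" Run value with vqpqfiyu.exe, and rewriting the S4 "M1crosoft Agant" service from the ComboFix log as an O23 line, are assumptions for illustration, and the eight-letter-filename heuristic is the author's own. Hits are leads to verify by hand, not proof.

```python
"""Triage HijackThis-style log lines and draft the removal steps.

Added example for this thread; not code from HijackThis, ComboFix or the
thread's participants. Rules: a service whose binary is missing or lives in
system32\\dllcache, a BHO with no file behind it, an autorun pointing at a
random-looking name in system32, or a digit-substituted "Microsoft" lookalike.
"""
import re
from dataclasses import dataclass, field

# Constructed sample built from entries in this thread plus legitimate lines
# that must not be flagged. The vqpqfiyu.exe pairing and the O23 form of the
# "M1crosoft Agant" service are assumptions made for illustration.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [Microsoft Network Associates] C:\\WINDOWS\\system32\\vqpqfiyu.exe
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\\WINDOWS\\system32\\dllcache\\ivchost.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: M1crosoft Agant - Unknown owner - C:\\WINDOWS\\System32\\dllcache\\qhotsew.exe
"""

O23 = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - "
                 r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
WIN_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.I)
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")   # heuristic, e.g. vqpqfiyu.exe
LOOKALIKE = re.compile(r"m[1i]cr[0o]s[0o]ft", re.I)     # e.g. M1crosoft
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    kind: str            # O2, O4 or O23
    name: str            # service short name, Run value name or BHO CLSID
    path: str
    hive: str = ""
    missing: bool = False
    reasons: list = field(default_factory=list)


def path_reasons(path: str) -> list:
    """Heuristics on where an autostart binary lives; verify hits by hand."""
    low, reasons = path.lower(), []
    if "\\dllcache\\" in low:
        reasons.append("runs from system32\\dllcache, the WFP cache, not a program location")
    if "\\system32\\" in low and RANDOM_NAME.match(low.rsplit("\\", 1)[-1]):
        reasons.append("eight-letter random-looking filename in system32")
    return reasons


def name_reasons(name: str) -> list:
    """Flag 'M1cros0ft'-style spellings that mimic a trusted vendor."""
    if LOOKALIKE.search(name) and "microsoft" not in name.lower():
        return ["digit-substituted Microsoft lookalike name"]
    return []


def triage(log_text: str) -> list:
    """Return the suspicious O2/O4/O23 entries from HijackThis-style lines."""
    findings = []
    for line in log_text.splitlines():
        if m := O23.match(line):
            f = Finding("O23", m["name"] or m["display"], m["path"], missing=bool(m["missing"]))
            if f.missing:
                f.reasons.append("registered service whose binary is missing")
            f.reasons += path_reasons(f.path) + name_reasons(m["display"])
        elif m := O2.match(line):
            f = Finding("O2", m["clsid"], m["path"])
            if m["path"] == "(no file)":
                f.reasons.append("BHO registered with no file on disk")
        elif m := O4.match(line):
            p = WIN_PATH.search(m["cmd"])
            f = Finding("O4", m["name"], p["path"] if p else m["cmd"], hive=m["hive"])
            f.reasons += path_reasons(f.path) + name_reasons(m["name"])
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


def draft_fix(findings: list) -> tuple:
    """Draft fix.bat (sc stop/delete) and a ComboFix CFScript from the findings."""
    bat, files, reg = ["@echo off"], [], []
    for f in findings:
        if f.kind == "O23":
            svc = f'"{f.name}"' if " " in f.name else f.name   # sc needs quotes around spaces
            bat += [f"sc stop {svc}", f"sc delete {svc}"]
            if not f.missing:
                files.append(f.path)
        elif f.kind == "O2":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.name}]")
        elif f.kind == "O4":
            root = HIVES.get(f.hive, "HKEY_USERS\\" + f.hive.split("\\", 1)[-1])
            reg += [f"[{root}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]", f'"{f.name}"=-']
            files.append(f.path)
    cfscript = "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(reg) + "\n"
    return "\n".join(bat) + "\n", cfscript


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} {f.name}: " + "; ".join(f.reasons))
    bat, cf = draft_fix(found)
    print("\n--- fix.bat ---\n" + bat + "\n--- CFScript ---\n" + cf)
```

Run on the sample, the draft reproduces the post's fix.bat for mshexdefx and the CFScript entries for the BHO and the Run value, and additionally picks up the disabled "M1crosoft Agant" service that later appears under "Reg Loading Points" in the ComboFix log. A binary that HijackThis reports as "(file missing)" is deliberately left out of the File:: section, since there is nothing on disk for ComboFix to delete; the service registration is what has to go.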
#7 bandshirts (Topic Starter)

Posted 11 August 2007 - 07:17 PM

OK, done and done. Here are some more logs :thumbsup:



COMBOFIX LOG W/COMMAND SWITCHES:

ComboFix 07-08-11 - "Savile Row Tailors" 2007-08-11 17:05:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1256.964.1033.18.309 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Savile Row Tailors\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ieqhwwrs.dll
C:\WINDOWS\system32\vqpqfiyu.exe
C:\WINDOWS\system32\amleoffp.exe
C:\WINDOWS\system32\cubkvfke.exe
C:\WINDOWS\system32\txkmaaxo.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\amleoffp.exe
C:\WINDOWS\system32\cubkvfke.exe
C:\WINDOWS\system32\ieqhwwrs.dll
C:\WINDOWS\system32\txkmaaxo.exe
C:\WINDOWS\system32\vqpqfiyu.exe


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-10 22:31 786,432 --ah----- C:\DOCUME~1\Arabic\NTUSER.DAT
2007-08-10 22:19 6,144 -ra------ C:\WINDOWS\system32\kbdinpun.dll
2007-08-10 22:19 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbdinpun.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdvntc.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdurdu.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdsyr2.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdsyr1.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdintel.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdintam.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdinmar.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdinkan.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdinhin.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdinguj.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdindev.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdheb.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbdfa.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbddiv2.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbddiv1.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbda3.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbda2.dll
2007-08-10 22:19 5,632 -ra------ C:\WINDOWS\system32\kbda1.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdvntc.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdusa.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdurdu.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdsyr2.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdsyr1.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdintel.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdintam.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdinmar.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdinkan.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdinhin.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdinguj.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdindev.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdheb.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdfa.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbddiv2.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbddiv1.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbda3.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbda2.dll
2007-08-10 22:19 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbda1.dll
2007-08-10 22:19 5,632 --a------ C:\WINDOWS\system32\kbdusa.dll
2007-08-10 22:19 5,120 -ra------ C:\WINDOWS\system32\kbdgeo.dll
2007-08-10 22:19 5,120 -ra------ C:\WINDOWS\system32\kbdarmw.dll
2007-08-10 22:19 5,120 -ra------ C:\WINDOWS\system32\kbdarme.dll
2007-08-10 22:19 5,120 --a--c--- C:\WINDOWS\system32\dllcache\kbdgeo.dll
2007-08-10 22:19 5,120 --a--c--- C:\WINDOWS\system32\dllcache\kbdarmw.dll
2007-08-10 22:19 5,120 --a--c--- C:\WINDOWS\system32\dllcache\kbdarme.dll
2007-08-10 22:19 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
2007-08-10 22:19 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
2007-08-10 22:19 185,344 --a--c--- C:\WINDOWS\system32\dllcache\thawbrkr.dll
2007-08-10 22:19 185,344 --a------ C:\WINDOWS\system32\Thawbrkr.dll
2007-08-10 22:19 10,752 --a--c--- C:\WINDOWS\system32\dllcache\c_iscii.dll
2007-08-10 22:19 10,752 --a------ C:\WINDOWS\system32\c_iscii.dll
2007-08-10 22:18 6,144 -ra------ C:\WINDOWS\system32\kbdth3.dll
2007-08-10 22:18 6,144 -ra------ C:\WINDOWS\system32\kbdth2.dll
2007-08-10 22:18 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbdth3.dll
2007-08-10 22:18 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbdth2.dll
2007-08-10 22:18 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftlx041e.dll
2007-08-10 22:18 6,144 --a------ C:\WINDOWS\system32\ftlx041e.dll
2007-08-10 22:18 5,632 -ra------ C:\WINDOWS\system32\kbdth1.dll
2007-08-10 22:18 5,632 -ra------ C:\WINDOWS\system32\kbdth0.dll
2007-08-10 22:18 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdth1.dll
2007-08-10 22:18 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbdth0.dll
2007-08-10 21:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-10 21:40 <DIR> d-------- C:\DOCUME~1\SAVILE~1\Contacts
2007-08-10 21:39 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-10 21:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 20:53 <DIR> d-------- C:\VundoFix Backups
2007-08-09 20:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-09 20:06 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-09 20:06 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-09 20:06 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-09 20:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-09 20:06 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-09 20:06 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-09 20:06 1,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-09 20:05 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-08-09 20:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-09 20:05 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-09 19:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-09 18:22 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-09 18:22 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-09 18:21 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-08-09 18:21 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-08-09 18:06 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-09 18:06 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-09 18:00 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-09 18:00 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-08 11:52 1,572,864 --a------ C:\DOCUME~1\SAVILE~1\ntuser.dat
2007-08-06 21:04 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-06 20:56 <DIR> d-------- C:\WINDOWS\ehome
2007-08-06 20:51 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-08-06 20:51 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll
2007-08-06 20:51 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll
2007-08-06 20:51 921,475 --a------ C:\WINDOWS\system32\ati3d2ag.dll
2007-08-06 20:51 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-08-06 20:51 9,856 --a------ C:\WINDOWS\system32\drivers\tunmp.sys
2007-08-06 20:51 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-08-06 20:51 891,711 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-08-06 20:51 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 20:09 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-09 20:09 1220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-06 20:58 2676 --a------ C:\WINDOWS\pchealth\HELPCTR\PackageStore\SkuStore.bin
2007-07-30 20:14 8972 --a------ C:\WINDOWS\pchealth\HELPCTR\Config\Cntstore.bin


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 16:15]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 00:34 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-09 20:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]

S4 M1crosoft Agant;M1crosoft Agant;"C:\WINDOWS\System32\dllcache\qhotsew.exe"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 17:08:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 17:09:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 17:09
C:\ComboFix2.txt ... 2007-08-10 21:05

--- E O F ---



NEW HJT LOG (POST FIX.BAT AND SWITCHED COMBOFIX):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:51 PM, on 8/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3944 bytes

#8 RichieUK (Malware Response Team)

Posted 11 August 2007 - 07:36 PM

Have HijackThis fix the following by placing a check in the appropriate box and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:

VundoFix.exe
Combofix.exe
fix.bat

C:\VundoFix Backups
C:\QooBox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------------------------

Click on Start / All Programs / Accessories / System Tools / System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start / All Programs / Accessories / System Tools / Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#9 bandshirts (Topic Starter)

Posted 12 August 2007 - 12:59 AM

Thanks so much, everything appears to be ok now.

Can I proceed to install SP2 and update fully at this point?

#10 RichieUK (Malware Response Team)

Posted 12 August 2007 - 05:02 AM

Can I proceed to install SP2 and update fully at this point?

Certainly, go ahead; let me know how you get on.