
Outerinfo, Virtumonde Came Back.


9 replies to this topic

#1 tekken5guy

Posted 07 August 2007 - 01:42 AM

About a month ago I had recovered from Outerinfo and other things of the sort, when today, out of NOWHERE, it came back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:20 AM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\jczxgbyA.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\windows\system32\mkdsregj.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\pwinlndt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HOME\My Documents\?dobe\?serinit.exe
C:\Program Files\Safari\Safari.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3793EAE0-6500-4628-8666-ADB4A3CE046D} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: (no name) - {428D8FCF-660D-41FD-2B76-3DB67A4BFEED} - C:\WINDOWS\system32\niye.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqpqpm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jczxgbyA] C:\WINDOWS\jczxgbyA.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{90-06-68-8F-ZN}] c:\windows\system32\mkdsregj.exe SKY009
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Vkuq] "C:\Documents and Settings\HOME\My Documents\?dobe\?serinit.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinlndt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157068384062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168737012656
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O20 - AppInit_DLLs: sockspy.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: ssqpqpm - C:\WINDOWS\SYSTEM32\ssqpqpm.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jczxgby.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtesej.html

--
End of file - 8139 bytes


#2 RichieUK (Malware Response Team)

Posted 07 August 2007 - 08:23 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, tekken5guy :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download ComboFix and save it to your desktop.
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log.

#3 tekken5guy (Topic Starter)

Posted 07 August 2007 - 12:38 PM

ComboFix 07-08-07.6 - "HOME" 2007-08-07 13:04:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HOME\MYDOCU~1.\crosof~1.net
C:\DOCUME~1\HOME\MYDOCU~1.\crosof~1.net\iexplore.exe
C:\DOCUME~1\HOME\MYDOCU~1.\dobe~1
C:\DOCUME~1\HOME\MYDOCU~1.\dobe~1\?serinit.exe
C:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\ghg\mexobakit4444.dll
C:\Program Files\ghg\mexobakit83122.dll
C:\Program Files\inetget2
C:\Program Files\MSN Gaming Zone\rtesej.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070807-023818-257.dll
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070807-023820-649.dll
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\niye.dll
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wapisvcc32.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 03:11 14 --a------ C:\DOCUME~1\HOME\getfile.dat
2007-08-07 00:28 400,500 --a------ C:\TEMP\bass.exe
2007-08-07 00:26 <DIR> d-------- C:\WINDOWS\system32\f06WtR
2007-08-07 00:11 192,622 --a------ C:\WINDOWS\system32\pwinlndt.exe
2007-08-06 23:29 876,352 -r-hs---- C:\WINDOWS\jczxgbyA.exe
2007-08-06 23:29 31,254 --a------ C:\WINDOWS\system32\ssqpqpm.dll
2007-08-06 23:29 <DIR> d--h----- C:\Program Files\BHO
2007-08-06 23:29 <DIR> d-------- C:\WINDOWS\system32\f02WtR
2007-08-06 23:29 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-06 23:29 <DIR> d-------- C:\TEMP\fse
2007-08-06 23:29 <DIR> d-------- C:\TEMP\1cb
2007-08-05 14:52 <DIR> d-------- C:\Program Files\iPod
2007-07-21 13:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-21 01:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 01:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 23:14 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-20 22:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 14:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-15 14:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-15 14:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 14:36 <DIR> d-------- C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 13:18 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-08-07 13:18 --------- d-------- C:\Program Files\ghg
2007-08-07 00:06 61440 --a------ C:\WINDOWS\system32\sockspy.dll
2007-08-05 14:53 --------- d-------- C:\Program Files\Safari
2007-08-05 14:52 --------- d-------- C:\Program Files\iTunes
2007-07-21 15:05 --------- d-------- C:\Program Files\Palm
2007-07-21 15:03 --------- d-------- C:\Program Files\Messenger
2007-07-21 14:59 --------- d-------- C:\Program Files\Last.fm
2007-07-21 14:46 --------- d-------- C:\Program Files\Bonjour
2007-07-18 23:02 333644 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-07-03 13:43 --------- d-------- C:\Program Files\DjToneXpress
2007-07-03 13:42 --------- d-------- C:\Program Files\VstPlugins
2007-07-03 13:42 --------- d-------- C:\Program Files\Image-Line
2007-06-23 22:32 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\Apple Computer
2007-06-09 16:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 16:23 --------- d-------- C:\Program Files\Tune Tools
2007-06-08 00:01 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\InstallShield
2007-06-06 22:28 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\LimeWire
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 05:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991EF04C-93CF-469b-A2BE-CC1B3347566F}]
C:\Program Files\BHO\plugin1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
2007-08-06 23:29 31254 --a------ C:\WINDOWS\system32\ssqpqpm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 18:38]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"jczxgbyA"="C:\WINDOWS\jczxgbyA.exe" [1989-12-12 10:10]
"{90-06-68-8F-ZN}"="c:\windows\system32\mkdsregj.exe" []
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2007-08-07 00:06]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="" []
"Ncao"="C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe" []
"Vkuq"="C:\Documents and Settings\HOME\My Documents\?dobe\?serinit.exe" []

C:\Documents and Settings\HOME\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2006-01-04 10:55:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-28 20:28:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtesej.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\system32\ssqpqpm.dll [2007-08-06 23:29 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpqpm]
ssqpqpm.dll 2007-08-06 23:29 31254 C:\WINDOWS\system32\ssqpqpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 FILESpy;FILESpy;\??\C:\Program Files\Softwin\BitDefender8\filespy.sys
R2 REGSpy;REGSpy;\??\C:\Program Files\Softwin\BitDefender8\regspy.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S3 28f17eb0-7963-4b2a-a955-b41b1caf9fdb;28f17eb0-7963-4b2a-a955-b41b1caf9fdb;\??\D:\CDS300\cds300.dll
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys


Contents of the 'Scheduled Tasks' folder
2007-08-05 18:32:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 13:26:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000019a

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 13:32:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 13:32

--- E O F ---

HiJack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:09 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\jczxgbyA.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ssqpqpm.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jczxgbyA] C:\WINDOWS\jczxgbyA.exe
O4 - HKLM\..\Run: [{90-06-68-8F-ZN}] c:\windows\system32\mkdsregj.exe SKY009
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Vkuq] "C:\Documents and Settings\HOME\My Documents\?dobe\?serinit.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157068384062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168737012656
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O20 - Winlogon Notify: ssqpqpm - C:\WINDOWS\SYSTEM32\ssqpqpm.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtesej.html

--
End of file - 7047 bytes
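
The two HijackThis logs above (the original scan and the one taken after the first ComboFix run) differ in exactly the entries ComboFix removed, and the survivors are what the next CFScript targets. The script below is an added example for this thread, not code from BleepingComputer, HijackThis or ComboFix: it parses HJT-style entry lines, diffs two logs to show what a cleanup pass actually changed, and flags load points that deserve review (orphaned "(file missing)" entries, O20 AppInit_DLLs / Winlogon Notify hooks, unnamed BHOs, services with no vendor, and executables launched from the Windows root or user-profile folders). The function names and the heuristics are this example's own; the sample lines are copied from the two logs in this thread.

```python
"""Parse HijackThis logs, diff two scans, and flag load points worth a second look.

Added example; not the forum's, HijackThis' or ComboFix's own code.  The names
hjt_entries / diff_logs / flag_entries and the review heuristics are assumptions
of this example.  BEFORE and AFTER are constructed samples taken from the two
logs posted in this thread (pre-ComboFix and post-ComboFix).
"""
import re
from typing import List, Tuple

# Constructed sample: lines from the first (pre-ComboFix) HijackThis log.
BEFORE = r"""
O2 - BHO: (no name) - {3793EAE0-6500-4628-8666-ADB4A3CE046D} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jczxgbyA] C:\WINDOWS\jczxgbyA.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe" -vt yazb
O20 - AppInit_DLLs: sockspy.dll c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

# Constructed sample: the same entries as they appear in the post-ComboFix log.
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: support - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - C:\Program Files\BHO\plugin1.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jczxgbyA] C:\WINDOWS\jczxgbyA.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\HOME\MYDOCU~1\CROSOF~1.NET\iexplore.exe" -vt yazb
"""

# An HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+?)\s*$")
# Prefer a quoted path (handles spaces); otherwise take the first drive-letter
# path ending in a common module extension.
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|ax|html?))\b", re.IGNORECASE)


def hjt_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section code, normalised body) for every entry line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), " ".join(m.group("body").split())))
    return entries


def entry_path(body: str) -> str:
    """Extract the file path an entry points at, or '' if none is recognised."""
    m = QUOTED_PATH_RE.search(body) or BARE_PATH_RE.search(body)
    return m.group(1) if m else ""


def unusual_location(path: str) -> bool:
    """True for binaries in user-profile/temp folders or directly in the Windows root."""
    p = path.lower()
    if any(h in p for h in ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")):
        return True
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p) is not None


def flag_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (code, reason, body) for each review-worthy observation in the log."""
    findings = []
    for code, body in hjt_entries(log_text):
        path = entry_path(body)
        reasons = []
        if "(file missing)" in body:
            reasons.append("points at a file that no longer exists (orphaned load point)")
        if code == "O20":
            reasons.append("AppInit_DLLs / Winlogon Notify entries load into other processes at logon")
        if code == "O2" and "(no name)" in body:
            reasons.append("browser helper object registered without a name")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no vendor name")
        if path and unusual_location(path):
            reasons.append(f"runs from an unusual location: {path}")
        findings.extend((code, r, body) for r in reasons)
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (entries removed, entries added) between two HJT logs."""
    b = {f"{c} - {body}" for c, body in hjt_entries(before)}
    a = {f"{c} - {body}" for c, body in hjt_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed by cleanup:", *removed, sep="\n  ")
    print("New since cleanup:", *added, sep="\n  ")
    print("Still worth reviewing in the AFTER log:")
    for code, reason, body in flag_entries(AFTER):
        print(f"  [{code}] {reason}\n      {body}")
```

The flags are hints for a human reviewer, not verdicts: a legitimate program can sit in the Windows root, and a stale "(file missing)" service is usually an uninstaller's leftovers rather than active malware. The diff is the more reliable signal, since it shows exactly which load points a cleanup run touched and which persisted into the next scan.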

#4 RichieUK (Malware Response Team)

Posted 07 August 2007 - 02:31 PM

Copy and paste ALL of the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\TEMP\bass.exe
C:\TEMP\fse
C:\TEMP\1cb
C:\WINDOWS\jczxgbyA.exe
C:\WINDOWS\system32\pwinlndt.exe
C:\WINDOWS\system32\ssqpqpm.dll

Folder::
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f02WtR

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991EF04C-93CF-469b-A2BE-CC1B3347566F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jczxgbyA"=-
"{90-06-68-8F-ZN}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
"Vkuq"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpqpm]

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 tekken5guy (Topic Starter)

Posted 07 August 2007 - 03:44 PM

ComboFix 07-08-07.6 - "HOME" 2007-08-07 16:22:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.89 [GMT -4:00]
Command switches used :: C:\Documents and Settings\HOME\Desktop\CFScript.txt

FILE::
C:\TEMP\bass.exe
C:\TEMP\fse
C:\TEMP\1cb
C:\WINDOWS\jczxgbyA.exe
C:\WINDOWS\system32\pwinlndt.exe
C:\WINDOWS\system32\ssqpqpm.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\TEMP\1cb
C:\TEMP\bass.exe
C:\TEMP\fse
C:\WINDOWS\jczxgbyA.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\pwinlndt.exe
C:\WINDOWS\system32\ssqpqpm.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 03:11 14 --a------ C:\DOCUME~1\HOME\getfile.dat
2007-08-06 23:29 <DIR> d--h----- C:\Program Files\BHO
2007-08-06 23:29 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-05 14:52 <DIR> d-------- C:\Program Files\iPod
2007-07-21 13:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-21 01:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 01:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-20 23:14 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-20 22:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 14:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-15 14:39 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-15 14:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 14:36 <DIR> d-------- C:\Program Files\QuickTime


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 16:14 337692 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-07 13:18 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-08-07 13:18 --------- d-------- C:\Program Files\ghg
2007-08-07 00:06 61440 --a------ C:\WINDOWS\system32\sockspy.dll
2007-08-05 14:53 --------- d-------- C:\Program Files\Safari
2007-08-05 14:52 --------- d-------- C:\Program Files\iTunes
2007-07-21 15:05 --------- d-------- C:\Program Files\Palm
2007-07-21 15:03 --------- d-------- C:\Program Files\Messenger
2007-07-21 14:59 --------- d-------- C:\Program Files\Last.fm
2007-07-21 14:46 --------- d-------- C:\Program Files\Bonjour
2007-07-03 13:43 --------- d-------- C:\Program Files\DjToneXpress
2007-07-03 13:42 --------- d-------- C:\Program Files\VstPlugins
2007-07-03 13:42 --------- d-------- C:\Program Files\Image-Line
2007-06-23 22:32 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\Apple Computer
2007-06-09 16:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 16:23 --------- d-------- C:\Program Files\Tune Tools
2007-06-08 00:01 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\InstallShield
2007-06-06 22:28 --------- d-------- C:\DOCUME~1\HOME\APPLIC~1\LimeWire
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 05:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 15:31]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 18:38]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2007-08-07 00:06]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="" []

C:\Documents and Settings\HOME\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Palm Registration.lnk - C:\Program Files\Palm\register.exe [2006-01-04 10:55:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-28 20:28:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll sockspy.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 FILESpy;FILESpy;\??\C:\Program Files\Softwin\BitDefender8\filespy.sys
R2 REGSpy;REGSpy;\??\C:\Program Files\Softwin\BitDefender8\regspy.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S3 28f17eb0-7963-4b2a-a955-b41b1caf9fdb;28f17eb0-7963-4b2a-a955-b41b1caf9fdb;\??\D:\CDS300\cds300.dll
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys


Contents of the 'Scheduled Tasks' folder
2007-08-05 18:32:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 16:32:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 16:36:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 16:35
C:\ComboFix2.txt ... 2007-08-07 13:32

--- E O F ---

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:25 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157068384062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168737012656
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O20 - AppInit_DLLs: sockspy.dll sockspy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Unknown owner - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6366 bytes

Nothing seems wrong with my PC when you look at the log, but there are two malicious .exe files in one of my temp folders that BitDefender has to keep on blocking. I tried to delete them but was denied. Never mind, I got BitDefender to scan the temp folder; it put the files in quarantine, then I deleted them.

Edited by tekken5guy, 07 August 2007 - 03:46 PM.


#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 07 August 2007 - 03:51 PM

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

#7 tekken5guy (Topic Starter, Members, 18 posts)

Posted 07 August 2007 - 06:00 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 07, 2007 6:57:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 353582
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 95353
Number of viruses found: 8
Number of infected objects: 13
Number of suspicious objects: 2
Duration of the scan process: 01:46:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\HOME\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Temporary Internet Files\Content.IE5\BESIXRIS\masiyxanidi[1] Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HOME\Local Settings\Temporary Internet Files\Content.IE5\W67DLOKG\adfcook[1] Object is locked skipped
C:\Documents and Settings\HOME\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HOME\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\dwdsregt.exe Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\f02WtR1065.exe Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\ldcore.dll Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\mkdsregj.exe Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\stdrun17.exe Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\stdrun18.exe Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\vtustro.dll Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\winpop.exe Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir Infected: Trojan.Win32.Small.oa skipped
C:\QooBox\Quarantine\C\TEMP\bass.exe.vir/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\TEMP\bass.exe.vir/data0008 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\TEMP\bass.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\jczxgbyA.exe.vir Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f06WtR\f06WtR1083.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\catchme2007-08-07_132629.60.zip/ldcore.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\QooBox\Quarantine\catchme2007-08-07_132629.60.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098110.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098111.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098123.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098125.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098127.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP360\A0098128.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0098154.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0098159.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0098160.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0098161.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0098162.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099562.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099563.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099565.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099566.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099574.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099578.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099579.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0099581.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0100577.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP361\A0100578.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102406.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102408.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102409.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102410.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102411.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102412.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102413.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP369\A0102414.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP387\A0112848.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP387\A0112857.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP387\A0112858.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP387\A0112859.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0113979.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114039.bat Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114133.sys Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114134.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114135.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114136.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114137.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114138.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114139.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114140.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114141.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114142.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114143.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP389\A0114144.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP405\A0139994.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP405\A0139996.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0139998.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0139999.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140040.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140041.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140042.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140043.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140044.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140045.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140046.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140047.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140048.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140049.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140050.dll Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140051.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140052.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP406\A0140053.exe Object is locked skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP407\A0140098.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP407\A0140108.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP408\A0140235.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP408\A0140236.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP408\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp000049e3\tmp00000000 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Okay, I did the Kaspersky scan and those are the results; however, when it was going through C:\system volume information\_restore, BitDefender kept on finding trojans from EVERYWHERE. I'm wondering, are those files from restore points that I should clear!?

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 07 August 2007 - 06:40 PM

I'm wondering, are those files from restore points that I should clear!?

Yes, follow the instructions further down.

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
Combofix.exe
C:\QooBox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
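The distinction RichieUK draws above, between detections sitting in quarantine folders or System Restore snapshots and a live infection, can be checked mechanically. The following is an added example, not code from the thread or from Kaspersky: it parses the result lines of a Kaspersky Online Scanner report, treats anything under a quarantine store or under System Volume Information\_restore as already contained, and lists the restore-point entries that the Disk Cleanup step removes. The folder markers are an assumption, and the last sample line is constructed to show a live hit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Paths under these markers hold copies that a security tool already isolated
# (BitDefender quarantine, ComboFix's QooBox, Spybot's Recovery folder) or that
# System Restore snapshotted. The marker list is an assumption for this example.
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "\\qoobox\\",
    "\\spybot - search & destroy\\recovery\\",
    "\\system volume information\\_restore",
)
RESTORE_MARKER = "\\system volume information\\_restore"

# A result line is "<path> <verdict> <detail...> <action>"; the path may contain
# spaces, so split at the first verdict keyword rather than on whitespace.
RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected: |Suspicious: |Object is locked|ZIP: |NSIS: )(?P<rest>.*)$"
)


@dataclass
class Finding:
    path: str
    kind: str        # "infected", "suspicious", "archive" or "locked"
    detail: str      # detection name, archive summary, or the locked verdict
    action: str      # scanner's last action, "skipped" in an online scan
    contained: bool  # True when the path lies inside a quarantine or restore store


def is_contained(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in CONTAINED_MARKERS)


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a scanner result line, or None for any other line."""
    match = RESULT_RE.match(line.strip())
    if not match:
        return None
    path, verdict = match.group("path"), match.group("verdict")
    rest = match.group("rest").strip()
    contained = is_contained(path)
    if verdict == "Object is locked":
        # Locked files (registry hives, index.dat, quarantine stores) were never
        # scanned, so they carry no verdict at all; rest is just the action.
        return Finding(path, "locked", "Object is locked", rest, contained)
    detail, _, action = rest.rpartition(" ")
    if verdict.startswith("Infected"):
        kind = "infected"
    elif verdict.startswith("Suspicious"):
        kind = "suspicious"
    else:
        kind = "archive"  # ZIP:/NSIS: summary line for a container
        detail = verdict.strip() + " " + detail
    return Finding(path, kind, detail, action, contained)


def triage(report: str) -> Dict[str, List[Finding]]:
    """Sort result lines into live detections, contained detections and locked objects."""
    buckets: Dict[str, List[Finding]] = {"live": [], "contained": [], "locked": []}
    for line in report.splitlines():
        finding = parse_line(line)
        if finding is None:
            continue  # header, settings and statistics lines
        if finding.kind == "locked":
            buckets["locked"].append(finding)
        elif finding.contained:
            buckets["contained"].append(finding)
        else:
            buckets["live"].append(finding)
    return buckets


def restore_point_hits(buckets: Dict[str, List[Finding]]) -> List[str]:
    """Detections that exist only inside System Restore snapshots; purging old
    restore points (the Disk Cleanup step in the thread) is what removes these."""
    return [f.path for f in buckets["contained"] if RESTORE_MARKER in f.path.lower()]


# Sample report: all result lines but the last are copied from the thread's
# Kaspersky report; the last line is constructed to show what a live,
# uncontained hit looks like (EICAR-Test-File is the harmless standard test detection).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\HOME\NTUSER.DAT Object is locked skipped
C:\Program Files\Softwin\BitDefender8\Quarantine\ldcore.dll Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\jczxgbyA.exe.vir Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\QooBox\Quarantine\C\TEMP\bass.exe.vir NSIS: infected - 2 skipped
C:\System Volume Information\_restore{EBE250AA-DC36-4A78-AEBF-0A486FD225F0}\RP407\A0140098.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Temp\live_sample.exe Infected: EICAR-Test-File skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, findings in result.items():
        print(f"{bucket}: {len(findings)}")
    for f in result["live"]:
        print("LIVE   ", f.path, f.detail)
    for p in restore_point_hits(result):
        print("RESTORE", p)
```

Run against the full report from the thread, the "live" bucket stays empty, which is the mechanical form of "your log is clean"; the restore-point list is what the Disk Cleanup step clears.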

#9 tekken5guy (Topic Starter, Members, 18 posts)

Posted 07 August 2007 - 07:06 PM

I get the following error when trying to make a new restore point.

SYSTEM RESTORE IS NOT ABLE TO CREATE A RESTORE POINT. PLEASE RESTART THE COMPUTER AND THEN RUN SYSTEM RESTORE AGAIN

Restarting the computer doesn't help.

#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 08 August 2007 - 02:09 AM

How to reinstall System Restore in Windows XP?
http://windowsxp.mvps.org/repairsr.htm