
Frustrated...please Help.


11 replies to this topic

#1 turbo6

Posted 12 August 2007 - 09:33 PM

My PC is running horribly slow and infested with pop-ups. I've run programs like AVG, Spybot, Ad-Aware etc., deleting numerous infected files, but problems still linger.

here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 22:35, on 07-08-12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\winnt\system32\lldsrngk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rwinmmdt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7b68294c-133c-48c9-804c-a576f37825c0} - C:\WINNT\system32\danftp.dll
O2 - BHO: (no name) - {7F4437F9-03FC-47FC-8F32-13FC4BC79FED} - C:\WINNT\system32\cbxvu.dll (file missing)
O2 - BHO: (no name) - {83DAAC25-B964-4806-9E67-DAAE44D8BF22} - C:\WINNT\system32\hgdee.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\tmp8.tmp.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\cbxxyww.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINNT\system32\yfdibpww.dll",forkonce
O4 - HKLM\..\Run: [{C5-59-9E-E9-ZN}] C:\winnt\system32\lldsrngk.exe CHD003
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\lldsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\rwinmmdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: c:\winnt\system32\khfdawv.dll
O20 - Winlogon Notify: cbxxyww - cbxxyww.dll (file missing)
O20 - Winlogon Notify: danftp - C:\WINNT\SYSTEM32\danftp.dll
O20 - Winlogon Notify: __c0076A8F - C:\WINNT\system32\__c0076A8F.dat (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe


I've also run stuff like Vundofix, combofix, fixwareout but nothing has really helped.


#2 RichieUK (Malware Response Team)

Posted 13 August 2007 - 06:30 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum turbo6 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

First of all I notice you've no firewall installed.
You'll be well advised to download/install one of the following freeware options.

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

You may want to read the following.
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

----------------------------------------------

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 turbo6 (Topic Starter)

Posted 14 August 2007 - 05:10 PM

Here's the HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:42 PM, on 8/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: c:\winnt\system32\khfdawv.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe


...and the ComboFix log:

ComboFix 07-08-14 - "Britni" 2007-08-13 15:01:38.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.138 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\Britni\APPLIC~1.\macromedia\Flash Player\#SharedObjects\6UQQGBG6\www.broadcaster.com
C:\DOCUME~1\Britni\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Britni\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp3F.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\tmpE.tmp.exe
C:\DOCUME~1\Britni\APPLIC~1\WinTouch
C:\DOCUME~1\Britni\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\Britni\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\Britni\APPLIC~1\WinTouch\WTUninstaller.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\Britni.\temp.tpk
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\CompWiz.xml
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\UWA7P
C:\WINNT\awwwwt.dll
C:\WINNT\b138.exe
C:\WINNT\byyawu.dll
C:\WINNT\system32\arskiyeq.dll
C:\WINNT\system32\bicflmwm.ini
C:\WINNT\system32\bievoshw.dll
C:\WINNT\system32\bkprhqrg.dll
C:\WINNT\system32\bvskrkal.ini
C:\WINNT\system32\bwvemcwc.dll
C:\WINNT\system32\cbstitsx.dll
C:\WINNT\system32\cfhkj.bak1
C:\WINNT\system32\cfhkj.bak2
C:\WINNT\system32\cfhkj.ini
C:\WINNT\system32\cfhkj.ini2
C:\WINNT\system32\cfhkj.tmp
C:\WINNT\system32\cwcmevwb.ini
C:\WINNT\system32\danftp.dll
C:\WINNT\system32\dna45c59e9.dat
C:\WINNT\system32\drivers\alert_icon.gif
C:\WINNT\system32\drivers\close_icon.gif
C:\WINNT\system32\drivers\detect.htm
C:\WINNT\system32\drivers\header_bg.gif
C:\WINNT\system32\drivers\icon_warning.gif
C:\WINNT\system32\drivers\remove_spyware_button.gif
C:\WINNT\system32\drivers\runtime2.sys
C:\WINNT\system32\drivers\s_detect.htm
C:\WINNT\system32\drivers\secuity_center_logo.gif
C:\WINNT\system32\dwdsrngt.exe
C:\WINNT\system32\ecqakwdu.ini
C:\WINNT\system32\ehgkyskp.ini
C:\WINNT\system32\eniaajdd.exe
C:\WINNT\system32\eybkrqfi.ini
C:\WINNT\system32\ftotiflt.dll
C:\WINNT\system32\fxwsydyi.dll
C:\WINNT\system32\gcvsdyjo.ini
C:\WINNT\system32\gtv_sd.bin
C:\WINNT\system32\hckbbyoa.dll
C:\WINNT\system32\hdvrpdci.ini
C:\WINNT\system32\hlnpxxyl.exe
C:\WINNT\system32\hpfxvlxx.dll
C:\WINNT\system32\icdprvdh.dll
C:\WINNT\system32\ifqrkbye.dll
C:\WINNT\system32\iydyswxf.ini
C:\WINNT\system32\jxmxrksu.dll
C:\WINNT\system32\kernel32.exe
C:\WINNT\system32\kfgxiptv.dll
C:\WINNT\system32\lakrksvb.dll
C:\WINNT\system32\lfd32.ini
C:\WINNT\system32\ltrcdbcd.exe
C:\WINNT\system32\msnav32.ax
C:\WINNT\system32\mwmlfcib.dll
C:\WINNT\system32\nbkyulry.dll
C:\WINNT\system32\ncjyjhhy.dll
C:\WINNT\system32\nnnolij.dll
C:\WINNT\system32\o02PrEz
C:\WINNT\system32\ojydsvcg.dll
C:\WINNT\system32\opynbecp.ini
C:\WINNT\system32\pbiylcrj.dll
C:\WINNT\system32\pcebnypo.dll
C:\WINNT\system32\pfiwxset.dll
C:\WINNT\system32\pfjdwfmf.dll
C:\WINNT\system32\pkomeorb.dll
C:\WINNT\system32\pksykghe.dll
C:\WINNT\system32\qeyiksra.ini
C:\WINNT\system32\RunOnce2.t__
C:\WINNT\system32\rwinmmdt.exe
C:\WINNT\system32\sqfcoksu.dll
C:\WINNT\system32\T3
C:\WINNT\system32\T4
C:\WINNT\system32\T6
C:\WINNT\system32\T7
C:\WINNT\system32\tmp10.tmp.dll
C:\WINNT\system32\udwkaqce.dll
C:\WINNT\system32\unrpvkgx.dll
C:\WINNT\system32\uskrxmxj.ini
C:\WINNT\system32\uugxigox.dll
C:\WINNT\system32\vtpixgfk.ini
C:\WINNT\system32\whsoveib.ini
C:\WINNT\system32\win
C:\WINNT\system32\winnb58.dll
C:\WINNT\system32\winpfz32.sys
C:\WINNT\system32\xgkvprnu.ini
C:\WINNT\system32\xogixguu.ini
C:\WINNT\system32\xstitsbc.ini
C:\WINNT\system32\xxlvxfph.ini
C:\WINNT\system32\yhhjyjcn.ini
C:\WINNT\system32\zxdnt3d.cfg
C:\WINNT\uwayyb.ini
C:\xcrashdump.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DRIVER
-------\LEGACY_FOPN
-------\LEGACY_NDNET1
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WINDBG48
-------\LEGACY_WINDEV-F1-2E4D
-------\windbg48
-------\windev-f1-2e4d


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 14:59 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-12 22:55 994 --a------ C:\Purity.bat
2007-08-12 22:50 1,027 --a------ C:\ComboFix.bat
2007-08-09 23:26 52,768 --a------ C:\WINNT\system32\lldsrngk.exe
2007-08-09 14:18 25,664 --a------ C:\WINNT\system32\8RCd0aAF.exe
2007-07-30 10:15 126,016 --a------ C:\WINNT\system32\hujrkpbb.dll
2007-07-27 23:11 94,580 --a------ C:\LIST-C.bat
2007-07-27 23:11 8,192 --a------ C:\RestartIt.exe
2007-07-27 23:11 79,360 --a------ C:\swxcacls.exe
2007-07-27 23:11 6,653 --a------ C:\Qoo.bat
2007-07-27 23:11 49,152 --a------ C:\vfind.exe
2007-07-27 23:11 42,884 --a------ C:\ntp.exe
2007-07-27 23:11 39,184 --a------ C:\Ntrights.exe
2007-07-27 23:11 38,400 --a------ C:\moveex.exe
2007-07-27 23:11 26,112 --a------ C:\nircmd.exe
2007-07-27 23:11 201,526 --a------ C:\Creg.reg
2007-07-27 23:11 2,453 --a------ C:\Look2Me.bat
2007-07-27 23:11 181,776 --a------ C:\handle.exe
2007-07-27 23:11 139,776 --a------ C:\swreg.exe
2007-07-27 23:11 123,904 --a------ C:\swsc.exe
2007-07-27 23:05 126,016 --a------ C:\WINNT\system32\jjfojqae.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-13 00:05 --------- d-------- C:\Program Files\SpeedFan
07-08-09 14:35 --------- d-------- C:\Program Files\morpheus
07-07-20 00:43 --------- d-------- C:\DOCUME~1\Britni\APPLIC~1\Yahoo! Messenger
07-06-17 20:27 --------- d-------- C:\DOCUME~1\Britni\APPLIC~1\Aim
04-04-16 23:14 271 ---h----- C:\Program Files\desktop.ini
04-04-16 23:14 21952 ---h----- C:\Program Files\folder.htt
03-07-03 11:36 32528 --a------ C:\WINNT\inf\wbfirdma.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-03 11:41 C:\WINNT\system32\mobsync.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [04-05-12 02:03 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-07 23:49:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\winnt\system32\khfdawv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvbb02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 Avg7RsNT;AVG7 Rezident Driver;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R1 SbcpHid;SbcpHid;\??\C:\WINNT\system32\Drivers\SbcpHid.sys
R1 speedfan;speedfan;\??\C:\WINNT\system32\speedfan.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINNT\system32\drivers\cwbmidi.sys
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S1 yvbb02;Miniport FT;\??\C:\WINNT\system32\yvbb02.sys
S2 yvbb01;Miniport FT32;\??\C:\WINNT\system32\yvbb01.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINNT\system32\DRIVERS\PRISMNDS.sys
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusb.sys


Contents of the 'Scheduled Tasks' folder
2007-08-09 18:19:07 C:\WINNT\Tasks\At1.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 13:01:47 C:\WINNT\Tasks\At10.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 14:01:01 C:\WINNT\Tasks\At11.job
2007-08-12 15:01:02 C:\WINNT\Tasks\At12.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 16:01:00 C:\WINNT\Tasks\At13.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 17:01:00 C:\WINNT\Tasks\At14.job
2007-08-13 18:01:55 C:\WINNT\Tasks\At15.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-13 19:01:01 C:\WINNT\Tasks\At16.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 20:01:00 C:\WINNT\Tasks\At17.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-12 21:01:00 C:\WINNT\Tasks\At18.job
2007-08-09 22:01:00 C:\WINNT\Tasks\At19.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:07 C:\WINNT\Tasks\At2.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 23:01:00 C:\WINNT\Tasks\At20.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-10 00:01:00 C:\WINNT\Tasks\At21.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-10 01:01:00 C:\WINNT\Tasks\At22.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-13 02:01:54 C:\WINNT\Tasks\At23.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-13 03:01:00 C:\WINNT\Tasks\At24.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:07 C:\WINNT\Tasks\At3.job
2007-08-09 18:19:07 C:\WINNT\Tasks\At4.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:07 C:\WINNT\Tasks\At5.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:07 C:\WINNT\Tasks\At6.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:08 C:\WINNT\Tasks\At7.job - C:\WINNT\system32\8RCd0aAF.exe
2007-08-09 18:19:08 C:\WINNT\Tasks\At8.job
2007-08-09 18:19:08 C:\WINNT\Tasks\At9.job - C:\WINNT\system32\8RCd0aAF.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 15:08:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-13 15:11:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-13 15:10
C:\ComboFix2.txt ... 07-01-26 18:46

--- E O F ---


The tray clock has been reset to the correct 12 hr format, as it was in 24 hr format before. This seems like a common thing when my system is infected.

#4 RichieUK (Malware Response Team)

Posted 14 August 2007 - 05:59 PM

Download SmitfraudFix (by S!Ri), to your desktop.
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.
---------------------------------------------------------------
Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINNT\system32\lldsrngk.exe
C:\WINNT\system32\8RCd0aAF.exe
C:\WINNT\system32\hujrkpbb.dll
C:\WINNT\system32\jjfojqae.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
----------------------------------------------------------------
Copy and paste the following blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

----------------------------------------------------------------
Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.
Post the Activescan report in your next reply.

Also post a fresh Hijackthis log.
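The entries Richie is acting on in the first log (orphaned "(file missing)" BHOs, a non-empty AppInit_DLLs value, a Winlogon Notify package Windows does not ship, and eight-letter gibberish filenames in system32 started from Run keys and Startup .lnk files) can be picked out mechanically. The script below is an added example, not something posted in this thread and not part of HijackThis; it runs those heuristics over lines copied from the first HijackThis log above. The known-good Winlogon Notify list, the vowel-ratio threshold and the 6-8 letter length window are assumptions chosen for this log, not published detection rules.

```python
from __future__ import annotations
import re

# HijackThis v1.99.1 entries copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7b68294c-133c-48c9-804c-a576f37825c0} - C:\WINNT\system32\danftp.dll
O2 - BHO: (no name) - {7F4437F9-03FC-47FC-8F32-13FC4BC79FED} - C:\WINNT\system32\cbxvu.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINNT\system32\yfdibpww.dll",forkonce
O4 - HKLM\..\Run: [{C5-59-9E-E9-ZN}] C:\winnt\system32\lldsrngk.exe CHD003
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\rwinmmdt.exe
O20 - AppInit_DLLs: c:\winnt\system32\khfdawv.dll
O20 - Winlogon Notify: danftp - C:\WINNT\SYSTEM32\danftp.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Winlogon Notify packages that ship with Windows 2000/XP (assumed known-good list; extend for your build).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# A 6-8 letter, letters-only module name living directly in system32.
SYS32_NAME = re.compile(r"\\system32\\([a-z]{6,8})\.(?:dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic: dropper-generated names in this log (lldsrngk, yfdibpww, khfdawv)
    have almost no vowels and long consonant runs; real system binaries rarely do.
    Thresholds are assumptions tuned to this log, so treat hits as leads, not verdicts."""
    name = name.lower()
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", name))
    return vowel_ratio < 0.2 and longest_consonant_run >= 4


def triage_line(line: str) -> list[str]:
    """Return the reasons one HijackThis line deserves attention (empty list = looks benign)."""
    reasons: list[str] = []
    if "(file missing)" in line:
        reasons.append("orphaned entry: registry still points at a deleted file")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll")
    if line.startswith("O20 - Winlogon Notify:"):
        package = line.split(":", 1)[1].split("-", 1)[0].strip().lower()
        if package not in KNOWN_NOTIFY:
            reasons.append(f"unknown Winlogon Notify package '{package}' runs inside winlogon.exe at logon")
    match = SYS32_NAME.search(line)
    if match and looks_random(match.group(1)):
        reasons.append(f"pseudo-random filename '{match.group(1)}' in system32")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over every non-empty line and keep only the lines with findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

On the sample the script flags the danftp BHO, the orphaned cbxvu BHO, the yfdibpww/lldsrngk/rwinmmdt autostarts and both O20 lines, and leaves SDHelper, mobsync, TeaTimer and the AVG service alone. The point of the O20 rules is that neither AppInit_DLLs nor Winlogon Notify needs a Run key: removing the O4 lines alone, as the earlier AVG/Spybot passes effectively did, leaves the DLL re-injected at the next logon, which is why the thread ends up with a separate .reg fix for that value.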

#5 turbo6 (Topic Starter)

Posted 14 August 2007 - 09:28 PM

as requested...


Incident Status Location

Adware:Adware/Zenosearch Not disinfected C:\WINNT\system32\rwinmmdt.exe
Adware:Adware/Zenosearch Not disinfected c:\winnt\system32\lldsrngk.exe
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Britni\Cookies\britni@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Britni\Cookies\britni@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Britni\Cookies\britni@ad.yieldmanager[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Britni\Cookies\britni@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Britni\Cookies\britni@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Britni\Cookies\britni@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Britni\Cookies\britni@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Britni\Cookies\britni@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Britni\Cookies\britni@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Britni\Cookies\britni@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Britni\Cookies\britni@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Britni\Cookies\britni@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Britni\Cookies\britni@azjmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Britni\Cookies\britni@bluestreak[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Britni\Cookies\britni@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Britni\Cookies\britni@burstnet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Britni\Cookies\britni@cgi-bin[4].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Britni\Cookies\britni@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Britni\Cookies\britni@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Britni\Cookies\britni@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Britni\Cookies\britni@doubleclick[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Britni\Cookies\britni@enhance[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Britni\Cookies\britni@fastclick[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Britni\Cookies\britni@goclick[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Britni\Cookies\britni@i.screensavers[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Britni\Cookies\britni@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Britni\Cookies\britni@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Britni\Cookies\britni@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Britni\Cookies\britni@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Britni\Cookies\britni@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Britni\Cookies\britni@serving-sys[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Britni\Cookies\britni@sextracker[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Britni\Cookies\britni@statcounter[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Britni\Cookies\britni@statse.webtrendslive[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Britni\Cookies\britni@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Britni\Cookies\britni@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Britni\Cookies\britni@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Britni\Cookies\britni@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Britni\Cookies\britni@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Britni\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Britni\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Britni\Desktop\SmitfraudFix\restart.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Britni\Local Settings\Temp\~nsu.tmp\Au_.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\nircmd.exe
Virus:Generic Malware Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Adware:Adware/Yazzle Not disinfected C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\HaxFix\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\HiJackThis\backups\backup-20070812-235930-433.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\HiJackThis\backups\backup-20070813-000040-912.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\HiJackThis\backups\backup-20070813-000118-494.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\HiJackThis\backups\backup-20070813-000136-320.dll
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp1.tmp.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp11.tmp.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp3.tmp.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp3F.tmp.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp6.tmp.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\Britni\APPLIC~1\tmp7.tmp.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\awwwwt.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\byyawu.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\bievoshw.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\cbstitsx.dll.vir
Virus:Trj/Downloader.MDW Disinfected C:\QooBox\Quarantine\C\WINNT\system32\drivers\runtime2.sys.vir
Adware:Adware/Zenosearch Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\dwdsrngt.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\eniaajdd.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\fxwsydyi.dll.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\hlnpxxyl.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\icdprvdh.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\jxmxrksu.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\kfgxiptv.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\lakrksvb.dll.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\ltrcdbcd.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\mwmlfcib.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\ncjyjhhy.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\nnnolij.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\ojydsvcg.dll.vir
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\pbiylcrj.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\pcebnypo.dll.vir
Adware:Adware/WebSearch Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\pkomeorb.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\pksykghe.dll.vir
Adware:Adware/Zenosearch Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\rwinmmdt.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\udwkaqce.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\uugxigox.dll.vir
Adware:Adware/Mirar Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\WinNB58.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-13_150853.45.zip[danftp.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\sUBs\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\sUBs\TSF\nircmd.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\byvww.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hvdymiob.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe
Virus:Trj/DNSChanger.XB Disinfected C:\WINNT\system32\cfycvjeb.pxk
Adware:Adware/Zenosearch Not disinfected C:\WINNT\system32\dwdsrngt.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\gpwgckhf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\iptbqkco.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\mtudoitq.dll
Virus:Trj/Downloader.PAU Disinfected C:\WINNT\system32\o02PrEz\o02PrEz1065.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\qdriscqb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\qyfliurw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\senyqowj.dll
Virus:Trj/Downloader.ORT Disinfected C:\WINNT\system32\svgmomts.qX
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\ugqawjjw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\vkqllklt.dll
Virus:W32/ZLFake.A.drp Disinfected C:\_OTMoveIt\MovedFiles\WINNT\system32\8RCd0aAF.exe
Spyware:Spyware/Virtumonde Not disinfected C:\_OTMoveIt\MovedFiles\WINNT\system32\jjfojqae.dll
Adware:Adware/Zenosearch Not disinfected C:\_OTMoveIt\MovedFiles\WINNT\system32\lldsrngk.exe


...and

C:\WINNT\system32\lldsrngk.exe moved successfully.
C:\WINNT\system32\8RCd0aAF.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINNT\system32\hujrkpbb.dll
C:\WINNT\system32\hujrkpbb.dll NOT unregistered.
C:\WINNT\system32\hujrkpbb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINNT\system32\jjfojqae.dll
C:\WINNT\system32\jjfojqae.dll NOT unregistered.
C:\WINNT\system32\jjfojqae.dll moved successfully.
File/Folder not found.

Created on 08/14/2007 21:06:28


...smitfraud report

SmitFraudFix v2.212

Scan done at 21:23:50.04, Tue 08/14/2007
Run from C:\Documents and Settings\Britni\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\winnt\system32\lldsrngk.exe
C:\WINNT\system32\rwinmmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe

hosts


C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\Britni


C:\Documents and Settings\Britni\Application Data


Start Menu


C:\DOCUME~1\Britni\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


Rustock



DNS

Description: Intel® PRO/100+ Management Adapter
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242

HKLM\SYSTEM\CCS\Services\Tcpip\..\{28D54A55-F4B7-424D-9A22-037759672933}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BFBC6C91-12EC-41A6-A55E-07E18A538794}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C24BA49B-DA90-4DF4-BA45-416A85F3F82C}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F308D9F0-39E3-4D23-8F0A-08629DCAFBE1}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS1\Services\Tcpip\..\{28D54A55-F4B7-424D-9A22-037759672933}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BFBC6C91-12EC-41A6-A55E-07E18A538794}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C24BA49B-DA90-4DF4-BA45-416A85F3F82C}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F308D9F0-39E3-4D23-8F0A-08629DCAFBE1}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS2\Services\Tcpip\..\{28D54A55-F4B7-424D-9A22-037759672933}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BFBC6C91-12EC-41A6-A55E-07E18A538794}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C24BA49B-DA90-4DF4-BA45-416A85F3F82C}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: NameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F308D9F0-39E3-4D23-8F0A-08629DCAFBE1}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242


Scanning for wininet.dll infection


End





finally...

Logfile of HijackThis v1.99.1
Scan saved at 10:33:16 PM, on 8/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\winnt\system32\lldsrngk.exe
C:\WINNT\system32\rwinmmdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\lldsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\rwinmmdt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
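The SmitFraudFix DNS section in the log above is the part worth reading closely: three control sets agree on the ISP resolvers for the wired adapter and on OpenDNS (208.67.220.220 / 208.67.222.222) for two others, while two further adapter interfaces point at 85.255.115.117 / 85.255.112.184, one of them as a static NameServer value rather than a DHCP-assigned one. Here is a small checker, added here as an example and not part of the thread or of SmitFraudFix, that parses lines in that exact format and reports every interface whose resolvers fall outside an allowlist. The allowlist (`EXPECTED_RESOLVERS`) and the function names are assumptions for the example; the sample lines are constructed from the values in the log.

```python
import re
from ipaddress import ip_address

# Constructed sample input: lines in the format SmitFraudFix prints under its
# "DNS" heading, with values taken from the log posted above.
SAMPLE_DNS_LOG = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{28D54A55-F4B7-424D-9A22-037759672933}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BFBC6C91-12EC-41A6-A55E-07E18A538794}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: DhcpNameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EB807230-760D-43D7-8966-B4B460BFB244}: NameServer=85.255.115.117,85.255.112.184
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
"""

# Resolvers the operator expects to see (an assumption made for this example):
# the two addresses handed out on the wired adapter, plus the OpenDNS pair.
EXPECTED_RESOLVERS = {
    "68.87.71.226", "68.87.73.242",
    "208.67.220.220", "208.67.222.222",
}

# One SmitFraudFix DNS line: registry key, colon, then NameServer= or DhcpNameServer=.
LINE_RE = re.compile(
    r"^(?P<key>HKLM\\SYSTEM\\(?:CCS|CS\d+)\\Services\\Tcpip\\[^:]+): "
    r"(?P<dhcp>Dhcp)?NameServer=(?P<servers>.+)$"
)


def parse_nameservers(text):
    """Return [(registry key, value name, [resolver, ...]), ...] for every
    NameServer / DhcpNameServer line in a SmitFraudFix DNS section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # SmitFraudFix separates several resolvers with either commas or spaces.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        value = ("Dhcp" if m.group("dhcp") else "") + "NameServer"
        entries.append((m.group("key"), value, servers))
    return entries


def find_unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return [(registry key, value name, [unexpected resolver, ...]), ...]
    for entries that point at any resolver outside the expected set.
    Malformed addresses are reported as well, since they cannot be trusted."""
    allowed = {ip_address(ip) for ip in expected}
    findings = []
    for key, value, servers in parse_nameservers(text):
        bad = []
        for s in servers:
            try:
                if ip_address(s) not in allowed:
                    bad.append(s)
            except ValueError:
                bad.append(s)
        if bad:
            findings.append((key, value, bad))
    return findings


if __name__ == "__main__":
    for key, value, bad in find_unexpected_resolvers(SAMPLE_DNS_LOG):
        # A static NameServer value is the stronger signal: DHCP did not put it there.
        kind = "static" if value == "NameServer" else "DHCP-assigned"
        print(f"{kind:13s} {key}\n    unexpected resolvers: {', '.join(bad)}")
```

Run against the constructed sample it reports the two lines for interface {EB807230-...}, one DHCP-assigned and one static, and nothing else. Because the checker reads all control sets, a resolver that has already been cleaned from CurrentControlSet but still sits in ControlSet002 shows up too, which matters on a machine that will be rebooted into a fix.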

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 August 2007 - 08:53 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINNT\system32\dwdsrngt.exe
C:\WINNT\system32\gpwgckhf.dll
C:\WINNT\system32\iptbqkco.dll
C:\WINNT\system32\mtudoitq.dll
C:\WINNT\system32\qdriscqb.dll
C:\WINNT\system32\qyfliurw.dll
C:\WINNT\system32\senyqowj.dll
C:\WINNT\system32\ugqawjjw.dll
C:\WINNT\system32\vkqllklt.dll
C:\WINNT\system32\rwinmmdt.exe
c:\winnt\system32\lldsrngk.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\Britni\Local Settings\Temp\~nsu.tmp

Folder::
C:\QooBox
C:\VundoFix Backups
C:\Program Files\AWS

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#7 turbo6
  • Topic Starter

  • Members
  • 18 posts

Posted 17 August 2007 - 09:14 PM

I think we're getting there...thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:18:00 PM, on 8/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe


...and the combo log

ComboFix 07-08-14 - "Britni" 08/17/2007 22:08:11.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.103 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Britni\Desktop\CFScript

FILE::
C:\WINNT\system32\dwdsrngt.exe
C:\WINNT\system32\gpwgckhf.dll
C:\WINNT\system32\iptbqkco.dll
C:\WINNT\system32\mtudoitq.dll
C:\WINNT\system32\qdriscqb.dll
C:\WINNT\system32\qyfliurw.dll
C:\WINNT\system32\senyqowj.dll
C:\WINNT\system32\ugqawjjw.dll
C:\WINNT\system32\vkqllklt.dll
C:\WINNT\system32\rwinmmdt.exe
c:\winnt\system32\lldsrngk.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\Britni\Local Settings\Temp\~nsu.tmp


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Britni\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\AWS
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\QooBox
C:\temp\iee
C:\VundoFix Backups
C:\VundoFix Backups\byvww.dll.bad
C:\VundoFix Backups\cbxvu.dll.bad
C:\VundoFix Backups\eedgh.bak1.bad
C:\VundoFix Backups\eedgh.bak2.bad
C:\VundoFix Backups\eedgh.ini.bad
C:\VundoFix Backups\hvdymiob.dll.bad
C:\VundoFix Backups\uvxbc.bak1.bad
C:\VundoFix Backups\uvxbc.bak2.bad
C:\VundoFix Backups\uvxbc.ini.bad
C:\VundoFix Backups\wwvyb.bak1.bad
C:\VundoFix Backups\wwvyb.ini.bad
C:\WINNT\system32\dwdsrngt.exe
C:\WINNT\system32\gpwgckhf.dll
C:\WINNT\system32\iptbqkco.dll
c:\winnt\system32\lldsrngk.exe
C:\WINNT\system32\msnav32.ax
C:\WINNT\system32\mtudoitq.dll
C:\WINNT\system32\o02PrEz
C:\WINNT\system32\qdriscqb.dll
C:\WINNT\system32\qyfliurw.dll
C:\WINNT\system32\rwinmmdt.exe
C:\WINNT\system32\senyqowj.dll
C:\WINNT\system32\ugqawjjw.dll
C:\WINNT\system32\vkqllklt.dll
C:\WINNT\system32\winpfz32.sys
C:\WINNT\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-15 21:49 26,176 --a------ C:\WINNT\system32\WK8BxoBY.exe
2007-08-15 21:49 26,176 --a------ C:\Temp\svcipa.exe
2007-08-15 21:38 18,432 --a------ C:\WINNT\taskmgr.exe
2007-08-15 21:28 16,450 --a------ C:\WINNT\rxtd.exe
2007-08-14 21:26 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-08-14 21:14 310 --a------ C:\WINNT\system32\tmp.reg
2007-08-14 19:20 <DIR> d-------- C:\Temp
2007-08-13 14:59 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-13 14:59 416 --a------ C:\CFCleanUp.bat
2007-08-12 22:55 994 --a------ C:\Purity.bat
2007-08-12 22:50 1,027 --a------ C:\ComboFix.bat
2007-07-27 23:11 94,580 --a------ C:\LIST-C.bat
2007-07-27 23:11 8,192 --a------ C:\RestartIt.exe
2007-07-27 23:11 79,360 --a------ C:\swxcacls.exe
2007-07-27 23:11 6,653 --a------ C:\Qoo.bat
2007-07-27 23:11 49,152 --a------ C:\vfind.exe
2007-07-27 23:11 42,884 --a------ C:\ntp.exe
2007-07-27 23:11 39,184 --a------ C:\Ntrights.exe
2007-07-27 23:11 38,400 --a------ C:\moveex.exe
2007-07-27 23:11 26,112 --a------ C:\nircmd.exe
2007-07-27 23:11 201,526 --a------ C:\Creg.reg
2007-07-27 23:11 2,453 --a------ C:\Look2Me.bat
2007-07-27 23:11 181,776 --a------ C:\handle.exe
2007-07-27 23:11 139,776 --a------ C:\swreg.exe
2007-07-27 23:11 123,904 --a------ C:\swsc.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-13 00:05 --------- d-------- C:\Program Files\SpeedFan
07-08-09 14:35 --------- d-------- C:\Program Files\morpheus
07-07-20 00:43 --------- d-------- C:\DOCUME~1\Britni\APPLIC~1\Yahoo! Messenger
07-06-17 20:27 --------- d-------- C:\DOCUME~1\Britni\APPLIC~1\Aim
04-04-16 23:14 271 ---h----- C:\Program Files\desktop.ini
04-04-16 23:14 21952 ---h----- C:\Program Files\folder.htt
03-07-03 11:36 32528 --a------ C:\WINNT\inf\wbfirdma.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-03 11:41 C:\WINNT\system32\mobsync.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [04-05-12 02:03 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-06-07 23:49:20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvbb02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R1 Avg7RsNT;AVG7 Rezident Driver;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R1 SbcpHid;SbcpHid;\??\C:\WINNT\system32\Drivers\SbcpHid.sys
R1 speedfan;speedfan;\??\C:\WINNT\system32\speedfan.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINNT\system32\drivers\cwbmidi.sys
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\system32\drivers\cwbwdm.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S1 yvbb02;Miniport FT;\??\C:\WINNT\system32\yvbb02.sys
S2 yvbb01;Miniport FT32;\??\C:\WINNT\system32\yvbb01.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINNT\system32\DRIVERS\PRISMNDS.sys
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;C:\WINNT\system32\DRIVERS\netusb.sys


Contents of the 'Scheduled Tasks' folder
2007-08-16 04:01:03 C:\WINNT\Tasks\At1.job
2007-08-17 13:01:44 C:\WINNT\Tasks\At10.job
2007-08-17 14:01:00 C:\WINNT\Tasks\At11.job
2007-08-17 15:01:00 C:\WINNT\Tasks\At12.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 16:01:00 C:\WINNT\Tasks\At13.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 17:01:00 C:\WINNT\Tasks\At14.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 18:01:00 C:\WINNT\Tasks\At15.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 19:01:00 C:\WINNT\Tasks\At16.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 20:01:00 C:\WINNT\Tasks\At17.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 21:01:00 C:\WINNT\Tasks\At18.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 22:01:00 C:\WINNT\Tasks\At19.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At2.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 23:00:00 C:\WINNT\Tasks\At20.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-18 00:00:00 C:\WINNT\Tasks\At21.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-18 01:01:41 C:\WINNT\Tasks\At22.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-18 02:01:00 C:\WINNT\Tasks\At23.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 03:01:44 C:\WINNT\Tasks\At24.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At3.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At4.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At5.job
2007-08-16 01:49:46 C:\WINNT\Tasks\At6.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At7.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At8.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At9.job - C:\WINNT\system32\WK8BxoBY.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 22:14:06
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-17 22:16:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-13 15:10
C:\ComboFix2.txt ... 07-08-13 15:11
C:\ComboFix3.txt ... 07-01-26 18:46

--- E O F ---
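The 'Scheduled Tasks' section of the ComboFix log above is the other notable item: twenty-odd At*.job tasks, one per hour, nearly all of which run the same freshly created C:\WINNT\system32\WK8BxoBY.exe. A single binary re-launched every hour by numbered At jobs is a persistence pattern worth surfacing automatically. The script below is an added example, not part of this thread or of ComboFix: it parses lines in the format ComboFix prints for that section, groups At jobs by the program they run, and reports any program that is backed by several of them, plus jobs whose target ComboFix did not record. Function names and the threshold are assumptions; the sample lines are constructed from the log, with one extra, clearly made-up "Backup.job" line to show a named task that is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample input: lines in the format ComboFix prints under
# "Contents of the 'Scheduled Tasks' folder". The At*.job lines are copied
# from the log above; Backup.job is invented to show a non-At task.
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
2007-08-16 04:01:03 C:\WINNT\Tasks\At1.job
2007-08-17 15:01:00 C:\WINNT\Tasks\At12.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 16:01:00 C:\WINNT\Tasks\At13.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-17 17:01:00 C:\WINNT\Tasks\At14.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-16 01:49:46 C:\WINNT\Tasks\At5.job
2007-08-16 01:49:46 C:\WINNT\Tasks\At6.job - C:\WINNT\system32\WK8BxoBY.exe
2007-08-10 09:00:00 C:\WINNT\Tasks\Backup.job - C:\Program Files\Backup\backup.exe
"""

# "<last run timestamp> <path to .job>[ - <program the job runs>]"
TASK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<job>.+?\.job)(?: - (?P<target>.+))?$"
)
# Jobs created with the at command are named At<N>.job.
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def parse_tasks(text):
    """Return one dict per task line: last_run, job (file name only), target."""
    tasks = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            tasks.append({
                "last_run": m.group("ts"),
                "job": m.group("job").rsplit("\\", 1)[-1],
                "target": m.group("target"),
            })
    return tasks


def at_job_clusters(tasks, min_jobs=3):
    """Group At*.job tasks by the program they run and return
    {target: [job, ...]} for every program backed by at least min_jobs
    of them, jobs sorted by their At number."""
    by_target = defaultdict(list)
    for t in tasks:
        if t["target"] and AT_JOB_RE.match(t["job"]):
            by_target[t["target"]].append(t["job"])
    return {
        target: sorted(jobs, key=lambda j: int(re.search(r"\d+", j).group()))
        for target, jobs in by_target.items()
        if len(jobs) >= min_jobs
    }


def jobs_without_target(tasks):
    """At jobs ComboFix listed without a program: inspect these by hand."""
    return [t["job"] for t in tasks if not t["target"]]


if __name__ == "__main__":
    tasks = parse_tasks(SAMPLE_TASKS)
    for target, jobs in at_job_clusters(tasks).items():
        print(f"{len(jobs)} At jobs run {target}: {', '.join(jobs)}")
    print("no target recorded:", ", ".join(jobs_without_target(tasks)))
```

On the constructed sample this flags WK8BxoBY.exe with four jobs and lists At1.job and At5.job as having no recorded target; Backup.job is not an At job and is ignored. The threshold of three is deliberately low: a legitimate administrator rarely creates more than one or two At jobs for the same program, so even a small cluster deserves a look, and on the full log above the count would be far higher.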


#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 18 August 2007 - 09:33 AM

Download haxfix.exe and save it to your desktop.

* Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
* Checkmark "Create a desktop icon"
* Click "Next"
* When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
* Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

* Select option 1. Make logfile by typing 1 and then pressing Enter
* Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
* Copy the contents of that logfile and paste it into your next reply.

#9 turbo6
  • Topic Starter

  • Members
  • 18 posts

Posted 18 August 2007 - 05:28 PM

PC is running much smoother now.

HAXFIX logfile - by Marckie

version 4.361
Sat 08/18/2007 18:31:28.54

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
yvbb01
yvbb02

checking for matching safeboot services
matching safeboot services found
yvbb02.sys

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!


#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 18 August 2007 - 05:35 PM

Option 2 autofix.

* Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
* Close all other open windows since this step requires a reboot
* Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.

* Close all open windows except the red dos window from haxfix and then press Enter
* The computer will reboot
* After reboot a logfile will open > (c:\haxfix.txt)
* Post the contents of that logfile along with a new HijackThis log.

#11 turbo6
  • Topic Starter

  • Members
  • 18 posts

Posted 18 August 2007 - 08:21 PM

I don't think haxfix picked up anything, but I ran the fix though...

HAXFIX logfile - by Marckie

version 4.361
Sat 08/18/2007 21:24:21.32

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
yvbb01
yvbb02

checking for matching safeboot services
matching safeboot services found
yvbb02.sys

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!


and the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:21 PM, on 8/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 18 August 2007 - 08:33 PM

When you last ran Haxfix, you did run Option 2 autofix, didn't you?

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Please post your replies in regular text, not bold, thanks.

Edited by RichieUK, 18 August 2007 - 08:58 PM.




