Infected By Virtumonde And Fotomoto

7 replies to this topic

#1 Tuffy

Posted 17 August 2007 - 07:09 PM

A few days ago my computer was attacked. I installed Windows Defender, which told me that I had two infections: "Trojan:Win32/Virtumonde.O" and "BrowserModifier:Win32/Fotomoto". My computer got very slow, to the point that the Task Manager counted CPU Usage at 100% a couple of times. I have also had some annoying "Windows Security Alert" popups -- and these pop-ups had misspellings, so I'm guessing they were part of the infection. I have completed the recommended steps in the "Preparation Guide For Use Before Posting a HiJackthis Log", and I now present my log to you. Thanks in advance for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:02 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN\horykywy4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [horykywy] C:\Program Files\MSN\horykywy4.exe
O4 - HKLM\..\Run: [zqbmglrA] C:\WINDOWS\zqbmglrA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinrmdt.exe CHD003
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
O4 - HKLM\..\Run: [{AD-D6-6C-CF-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [oxqvoncd] rundll32.exe "C:\Program Files\lqpwlapg\xqlupmxq.dll",Init
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\elyveeef.dll",forkonce
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: autorun.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130207500554
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130207483269
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum351.txt
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe (file missing)
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\System32\dlbtcoms.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9554 bytes
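As an added example (written for this thread, not from the original post and not part of HijackThis), here is a small Python triage pass over a few lines copied from the log above. It encodes what a helper looks at first in such a log: the F2 Shell= modification, Run entries that load DLLs through rundll32 or point at a file with no extension, bare executables dropped in Startup folders, the O7 DisableRegedit policy, and an AppInit_DLLs value that is not even a .dll. The rule names and the wording of each reason are my own.

```python
"""Triage heuristics for Trend Micro HijackThis (v2) log lines.

Added example for this thread; not from the original post and not part
of HijackThis.  The rules encode what a helper checks first in such a
log; the rules and the reason strings are the example author's own.
"""
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [oxqvoncd] rundll32.exe "C:\Program Files\lqpwlapg\xqlupmxq.dll",Init
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\elyveeef.dll",forkonce
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum351.txt
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# "O4 - HKLM\..\Run: [name] command"
_O4_RUN = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: entry" and "O4 - Global Startup: entry"
_O4_STARTUP = re.compile(r"^O4 - (Global )?Startup: (?P<entry>.*)$")
# shortest prefix ending in a short extension (".exe" etc.) followed by space or end
_EXT = re.compile(r"^(?P<path>.+?\.[A-Za-z0-9]{1,4})(\s|$)")


def _first_path(cmd: str) -> str:
    """Best-effort extraction of the program path from a Run value."""
    if cmd.startswith('"'):                     # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXT.match(cmd)                         # unquoted path, stop at the extension
    return m.group("path") if m else cmd        # no extension at all: return as-is


def triage_line(line: str) -> List[str]:
    """Return zero or more reasons why this log line deserves a closer look."""
    reasons: List[str] = []
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: Shell="):
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":      # anything besides the stock shell
            reasons.append("system.ini Shell= launches an extra program: " + shell)
    elif line.startswith("R1 - ") and ",ProxyServer = " in line:
        reasons.append("proxy configured in IE settings, confirm it is expected: "
                       + line.split("= ", 1)[1])
    elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
        reasons.append("Registry Editor disabled by policy")
    elif line.startswith("O20 - AppInit_DLLs: "):
        dll = line.split(": ", 1)[1]
        reasons.append("AppInit_DLLs set (loaded into every user-mode process): " + dll)
        if not dll.lower().endswith(".dll"):
            reasons.append("AppInit_DLLs target does not use a .dll extension")
    else:
        m = _O4_RUN.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if cmd.lower().startswith("rundll32"):
                reasons.append("Run entry loads a DLL through rundll32: " + cmd)
            else:
                exe = _first_path(cmd)
                if "." not in exe.rsplit("\\", 1)[-1]:
                    reasons.append("Run entry target has no file extension: " + exe)
        m = _O4_STARTUP.match(line)
        if m:
            entry = m.group("entry").strip()
            # shortcuts show up as "name.lnk = target"; a bare .exe is a dropped file
            if not entry.lower().endswith(".lnk") and "=" not in entry:
                reasons.append("bare executable placed in Startup folder: " + entry)
    return reasons


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (line, reason) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        for reason in triage_line(raw):
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```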


#2 jwbirdsong

Posted 18 August 2007 - 11:25 PM

Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.

Edited by jwbirdsong, 18 August 2007 - 11:30 PM.


#3 Tuffy (Topic Starter)

Posted 19 August 2007 - 07:06 PM

Thanks for the response, jwbirdsong -- I appreciate the help!

Here's the ComboFix log:

ComboFix 07-08-17.2 - "User" 2007-08-19 18:11:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.46 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\User\APPLIC~1\..\err.log
C:\DOCUME~1\User\APPLIC~1\.rdr.ini
C:\DOCUME~1\User\APPLIC~1\install.dat
C:\DOCUME~1\User\STARTM~1\Programs\Startup.\system.exe
C:\DOCUME~1\User\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\LOCALS~1\APPLIC~1\install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\crosof~1
C:\Program Files\MSN\horykywy22011.exe
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\deskcfg.dat
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\rllro0578.exe
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\chkq22011.exe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddcccax.dll
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\gaiqyxkd.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\hrum351.txt
C:\WINDOWS\system32\iifecab.dll
C:\WINDOWS\system32\ilsqhgxi.dll
C:\WINDOWS\system32\khfcbay.dll
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lfd32.ini
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\ppegtypq.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\urqnkli.dll
C:\WINDOWS\SYSTEM32\vyadd.bak1
C:\WINDOWS\SYSTEM32\vyadd.bak2
C:\WINDOWS\SYSTEM32\vyadd.ini
C:\WINDOWS\SYSTEM32\vyadd.ini2
C:\WINDOWS\system32\win
C:\WINDOWS\system32\win\w71.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\wvusqrr.dll
C:\WINDOWS\system32\xrlbundx.dll
C:\WINDOWS\system32\xxyyyvs.dll
C:\WINDOWS\system32\Y1
C:\WINDOWS\system32\Y2
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tk58.exe
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\zqbmglr.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 14:42 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-08-17 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-08-16 09:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-16 09:11 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-08-16 09:11 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-08-16 09:10 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-08-16 09:10 <DIR> d-------- C:\Program Files\Sygate
2007-08-16 09:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 22:30 243,296 --a------ C:\WINDOWS\SYSTEM32\ljjig.dll
2007-08-14 10:44 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-14 10:36 <DIR> d-------- C:\DOCUME~1\User\.housecall6.6
2007-08-13 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-13 22:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-13 22:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-13 19:30 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-13 19:09 6,421 --ahs---- C:\WINDOWS\SYSTEM32\vxadd.bak1
2007-08-13 14:31 1,677,824 --a------ C:\WINDOWS\SYSTEM32\chsbrkr.dll
2007-08-13 14:30 98,304 --a------ C:\WINDOWS\SYSTEM32\msir3jp.dll
2007-08-13 14:30 838,144 --a------ C:\WINDOWS\SYSTEM32\chtbrkr.dll
2007-08-13 14:30 70,656 --a------ C:\WINDOWS\SYSTEM32\korwbrkr.dll
2007-08-13 14:30 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101a.dll
2007-08-13 14:30 218,112 --a------ C:\WINDOWS\SYSTEM32\c_g18030.dll
2007-08-13 14:29 9,216 --a------ C:\WINDOWS\SYSTEM32\kbdnecAT.dll
2007-08-13 14:29 7,680 --a------ C:\WINDOWS\SYSTEM32\kbdnecNT.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdnec95.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdibm02.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\f3ahvoas.dll
2007-08-13 14:29 6,656 --a------ C:\WINDOWS\SYSTEM32\kbdlk41a.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdlk41j.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdax2.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106n.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101.dll
2007-08-13 14:28 6,656 --a------ C:\WINDOWS\SYSTEM32\c_is2022.dll
2007-08-13 14:27 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2007-08-13 14:27 8,192 --a------ C:\WINDOWS\SYSTEM32\kbdkor.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101c.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101b.dll
2007-08-13 14:27 5,632 --a------ C:\WINDOWS\SYSTEM32\kbd103.dll
2007-08-12 18:39 60,928 --a------ C:\DOCUME~1\User\wn351.exe
2007-08-12 15:24 6,421 --ahs---- C:\WINDOWS\SYSTEM32\nnoqr.bak1
2007-08-12 10:23 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr351.dll
2007-08-12 09:50 6,421 --ahs---- C:\WINDOWS\SYSTEM32\ortwa.bak1
2007-08-11 22:17 6,421 --ahs---- C:\WINDOWS\SYSTEM32\egjlm.bak1
2007-08-11 10:14 6,421 --ahs---- C:\WINDOWS\SYSTEM32\mpqru.bak1
2007-08-11 06:57 6,421 --ahs---- C:\WINDOWS\SYSTEM32\lmllm.bak1
2007-08-10 18:21 6,421 --ahs---- C:\WINDOWS\SYSTEM32\ihkmp.bak1
2007-08-10 14:52 6,421 --ahs---- C:\WINDOWS\SYSTEM32\bbbay.bak1
2007-08-10 13:27 6,421 --ahs---- C:\WINDOWS\SYSTEM32\uvxbc.bak1
2007-08-10 12:14 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-09 15:43 <DIR> d-------- C:\Program Files\lqpwlapg
2007-08-09 10:32 1,780,824 --ahs---- C:\WINDOWS\SYSTEM32\wxycf.bak2
2007-08-08 21:43 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-08-08 21:43 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-08-08 21:32 6,421 --ahs---- C:\WINDOWS\SYSTEM32\wxycf.bak1
2007-08-08 21:24 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 22:21 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-13 22:21 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-11 10:46 --------- d-------- C:\DOCUME~1\User\APPLIC~1\AdobeUM
2007-08-09 10:29 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-26 14:12 --------- d-------- C:\Program Files\Dl_cats
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-06 14:51 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype
2007-06-27 09:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 18:49 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Apple Computer
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29E734B0-E62B-4519-BAE4-167CC73BD08F}]
2007-08-15 22:30 243296 --a------ C:\WINDOWS\system32\ljjig.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 17:47]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 15:18]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 11:18]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 13:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 14:53]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 19:25]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 11:05]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-03-21 13:52]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-25 23:44]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 12:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 12:18]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"horykywy"="C:\Program Files\MSN\horykywy4.exe" [2007-08-07 15:30]
"zqbmglrA"="C:\WINDOWS\zqbmglrA.exe" []
"{AD-D6-6C-CF-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"oxqvoncd"="C:\Program Files\lqpwlapg\xqlupmxq.dll" [2007-08-09 15:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 18:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ACS.lnk - C:\WINDOWS\SYSTEM32\ACS.BAT [2005-10-31 17:01:30]
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe [2005-10-31 17:01:36]
D-Link REG Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe [2005-10-31 17:01:36]
DESKTOP.INI [2002-09-03 10:00:00]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-01-02 16:48:42]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbaxw]
C:\WINDOWS\system32\cbaxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyxw]
C:\WINDOWS\system32\fcyxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjig]
C:\WINDOWS\system32\ljjig.dll 2007-08-15 22:30 243296 C:\WINDOWS\SYSTEM32\ljjig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]
C:\WINDOWS\system32\mllml.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqonn]
C:\WINDOWS\system32\rqonn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlzh32]
winlzh32.dll

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys


Contents of the 'Scheduled Tasks' folder
2007-07-11 20:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-19 23:51:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DBJ9Y141-Danneker).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-19 23:48:02 C:\WINDOWS\Tasks\McAfee.com Update Check (DBJ9Y141-Owner).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-19 23:45:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 18:43:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-19 18:52:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 18:52

--- E O F ---

#4 jwbirdsong

Posted 20 August 2007 - 08:01 PM

Open Control Panel > Add/Remove and uninstall any/all of the following that are present.

Internet Explorer Default Page
OIN
WinAntiSpyware
CiD Help / CiD Manager


(No need to reboot just yet if you are asked to.)


Open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\ljjig.dll
C:\WINDOWS\SYSTEM32\vxadd.bak1
C:\DOCUME~1\User\wn351.exe
C:\WINDOWS\SYSTEM32\nnoqr.bak1
C:\WINDOWS\SYSTEM32\vtr351.dll
C:\WINDOWS\SYSTEM32\ortwa.bak1
C:\WINDOWS\SYSTEM32\egjlm.bak1
C:\WINDOWS\SYSTEM32\mpqru.bak1
C:\WINDOWS\SYSTEM32\lmllm.bak1
C:\WINDOWS\SYSTEM32\ihkmp.bak1
C:\WINDOWS\SYSTEM32\bbbay.bak1
C:\WINDOWS\SYSTEM32\uvxbc.bak1
C:\WINDOWS\SYSTEM32\wxycf.bak2
C:\WINDOWS\SYSTEM32\wxycf.bak1

Folder::
C:\Program Files\lqpwlapg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29E734B0-E62B-4519-BAE4-167CC73BD08F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"horykywy"=-
"zqbmglrA"=-
"{AD-D6-6C-CF-ZN}"=-
"oxqvoncd"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbaxw]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyxw]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjig]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllml]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqonn]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlzh32]

Save this as CFScript.txt

Then drag/drop the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by jwbirdsong, 20 August 2007 - 08:03 PM.
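An added example (my own code, not ComboFix's and not jwbirdsong's procedure) showing how the files listed in the CFScript above can be picked out of the ComboFix "Files Created" section mechanically: parse each entry, cluster hidden+system files that share an exact byte size, pivot on a name token already tied to a bad entry (351, from hrum351.txt in the AppInit_DLLs line of the HijackThis log), and pull in siblings that share a stem with a cluster member. The sample lines are copied from the log in post #3; the heuristics and thresholds are mine.

```python
"""Triage helpers for the "Files Created" section of a ComboFix log.

Added example written for this thread; not part of ComboFix and not the
helper's own method.  The heuristics mirror what the CFScript targets:
same-size hidden+system files with random names, files sharing a token
with a known-bad entry, and siblings that share a name stem.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the "Files Created" section in post #3.
SAMPLE_CREATED = r"""
2007-08-19 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 09:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-16 09:10 <DIR> d-------- C:\Program Files\Sygate
2007-08-15 22:30 243,296 --a------ C:\WINDOWS\SYSTEM32\ljjig.dll
2007-08-13 19:09 6,421 --ahs---- C:\WINDOWS\SYSTEM32\vxadd.bak1
2007-08-12 18:39 60,928 --a------ C:\DOCUME~1\User\wn351.exe
2007-08-12 15:24 6,421 --ahs---- C:\WINDOWS\SYSTEM32\nnoqr.bak1
2007-08-12 10:23 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr351.dll
2007-08-12 09:50 6,421 --ahs---- C:\WINDOWS\SYSTEM32\ortwa.bak1
2007-08-09 10:32 1,780,824 --ahs---- C:\WINDOWS\SYSTEM32\wxycf.bak2
2007-08-08 21:32 6,421 --ahs---- C:\WINDOWS\SYSTEM32\wxycf.bak1
"""

# "YYYY-MM-DD HH:MM <size or <DIR>> <9-char attribute string> <path>"
_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "--ahs----": a=archive, h=hidden, s=system
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        # "wxycf.bak1" -> "wxycf"; used to tie .bak1/.bak2 siblings together
        return self.name.split(".", 1)[0].lower()

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_created(text: str) -> List[Entry]:
    """Parse 'Files Created' lines in log order; lines that do not match are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        size_tok = m.group("size")
        size = None if size_tok == "<DIR>" else int(size_tok.replace(",", ""))
        entries.append(Entry(m.group("date"), m.group("time"), size,
                             m.group("attrs"), m.group("path")))
    return entries


def same_size_hidden_clusters(entries: List[Entry],
                              min_members: int = 2) -> Dict[int, List[str]]:
    """Group hidden+system files by exact byte size.  Several identical-size
    files with unrelated random names are a classic sign of one dropper."""
    by_size: "OrderedDict[int, List[str]]" = OrderedDict()
    for e in entries:
        if e.size is not None and e.hidden_system:
            by_size.setdefault(e.size, []).append(e.path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_members}


def pivot_on_token(entries: List[Entry], token: str) -> List[str]:
    """Files whose name carries a token already linked to a bad entry elsewhere."""
    return [e.path for e in entries if e.size is not None and token in e.name]


def expand_by_stem(entries: List[Entry], seed_paths: List[str]) -> List[str]:
    """Return every file sharing a name stem with any seed (wxycf.bak1 -> wxycf.bak2)."""
    stems = {e.stem for e in entries if e.path in seed_paths}
    return [e.path for e in entries if e.size is not None and e.stem in stems]


if __name__ == "__main__":
    found = parse_created(SAMPLE_CREATED)
    for size, paths in same_size_hidden_clusters(found).items():
        print(f"{len(paths)} hidden+system files of {size} bytes:", *paths, sep="\n    ")
    print("token 351:", *pivot_on_token(found, "351"), sep="\n    ")
```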


#5 Tuffy (Topic Starter)

Posted 21 August 2007 - 01:32 AM

Thanks for the continued responses and help!

Open Control Panel > Add/Remove and uninstall any/all of the following that are present.

Internet Explorer Default Page
OIN
WinAntiSpyware
CiD Help / CiD Manager


None of those four names were present in the "Add/Remove" options.


Here is the copy of the new ComboFix log:

ComboFix 07-08-17.2 - "User" 2007-08-21 0:59:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -5:00]
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

FILE::
C:\WINDOWS\SYSTEM32\ljjig.dll
C:\WINDOWS\SYSTEM32\vxadd.bak1
C:\DOCUME~1\User\wn351.exe
C:\WINDOWS\SYSTEM32\nnoqr.bak1
C:\WINDOWS\SYSTEM32\vtr351.dll
C:\WINDOWS\SYSTEM32\ortwa.bak1
C:\WINDOWS\SYSTEM32\egjlm.bak1
C:\WINDOWS\SYSTEM32\mpqru.bak1
C:\WINDOWS\SYSTEM32\lmllm.bak1
C:\WINDOWS\SYSTEM32\ihkmp.bak1
C:\WINDOWS\SYSTEM32\bbbay.bak1
C:\WINDOWS\SYSTEM32\uvxbc.bak1
C:\WINDOWS\SYSTEM32\wxycf.bak2
C:\WINDOWS\SYSTEM32\wxycf.bak1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\User\wn351.exe
C:\Program Files\lqpwlapg
C:\Program Files\lqpwlapg\xqlupmxq.dll
C:\WINDOWS\SYSTEM32\bbbay.bak1
C:\WINDOWS\SYSTEM32\egjlm.bak1
C:\WINDOWS\SYSTEM32\ihkmp.bak1
C:\WINDOWS\SYSTEM32\ljjig.dll
C:\WINDOWS\SYSTEM32\lmllm.bak1
C:\WINDOWS\SYSTEM32\mpqru.bak1
C:\WINDOWS\SYSTEM32\nnoqr.bak1
C:\WINDOWS\SYSTEM32\ortwa.bak1
C:\WINDOWS\SYSTEM32\uvxbc.bak1
C:\WINDOWS\SYSTEM32\vtr351.dll
C:\WINDOWS\SYSTEM32\vxadd.bak1
C:\WINDOWS\SYSTEM32\wxycf.bak1
C:\WINDOWS\SYSTEM32\wxycf.bak2


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-19 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 14:42 81,984 --a------ C:\WINDOWS\SYSTEM32\bdod.bin
2007-08-17 14:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-08-16 09:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-16 09:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-08-16 09:11 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-08-16 09:11 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-08-16 09:11 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-08-16 09:10 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-08-16 09:10 <DIR> d-------- C:\Program Files\Sygate
2007-08-16 09:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 10:44 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-14 10:36 <DIR> d-------- C:\DOCUME~1\User\.housecall6.6
2007-08-13 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-13 22:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-13 22:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-13 19:30 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-13 14:31 1,677,824 --a------ C:\WINDOWS\SYSTEM32\chsbrkr.dll
2007-08-13 14:30 98,304 --a------ C:\WINDOWS\SYSTEM32\msir3jp.dll
2007-08-13 14:30 838,144 --a------ C:\WINDOWS\SYSTEM32\chtbrkr.dll
2007-08-13 14:30 70,656 --a------ C:\WINDOWS\SYSTEM32\korwbrkr.dll
2007-08-13 14:30 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101a.dll
2007-08-13 14:30 218,112 --a------ C:\WINDOWS\SYSTEM32\c_g18030.dll
2007-08-13 14:29 9,216 --a------ C:\WINDOWS\SYSTEM32\kbdnecAT.dll
2007-08-13 14:29 7,680 --a------ C:\WINDOWS\SYSTEM32\kbdnecNT.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdnec95.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\kbdibm02.dll
2007-08-13 14:29 7,168 --a------ C:\WINDOWS\SYSTEM32\f3ahvoas.dll
2007-08-13 14:29 6,656 --a------ C:\WINDOWS\SYSTEM32\kbdlk41a.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdlk41j.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbdax2.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106n.dll
2007-08-13 14:29 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101.dll
2007-08-13 14:28 6,656 --a------ C:\WINDOWS\SYSTEM32\c_is2022.dll
2007-08-13 14:27 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2007-08-13 14:27 8,192 --a------ C:\WINDOWS\SYSTEM32\kbdkor.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101c.dll
2007-08-13 14:27 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101b.dll
2007-08-13 14:27 5,632 --a------ C:\WINDOWS\SYSTEM32\kbd103.dll
2007-08-10 12:14 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-08 21:43 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-08-08 21:43 8,704 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-08-08 21:24 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 22:21 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-13 22:21 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-11 10:46 --------- d-------- C:\DOCUME~1\User\APPLIC~1\AdobeUM
2007-08-09 10:29 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-26 14:12 --------- d-------- C:\Program Files\Dl_cats
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-06 14:51 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Skype
2007-06-27 09:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 18:49 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Apple Computer
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 17:47]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 15:18]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 11:18]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 02:01]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-03-21 13:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-03-18 14:53]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-04 19:25]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 11:05]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-03-21 13:52]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-25 23:44]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 12:05]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 12:18]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 18:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 10:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ACS.lnk - C:\WINDOWS\SYSTEM32\ACS.BAT [2005-10-31 17:01:30]
D-Link AirPlus Xtreme G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe [2005-10-31 17:01:36]
D-Link REG Utility.lnk - C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe [2005-10-31 17:01:36]
DESKTOP.INI [2002-09-03 10:00:00]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-01-02 16:48:42]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00]

R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys


Contents of the 'Scheduled Tasks' folder
2007-07-11 20:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-21 06:19:04 C:\WINDOWS\Tasks\McAfee.com Update Check (DBJ9Y141-Danneker).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-21 06:18:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DBJ9Y141-Owner).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-21 06:19:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 01:16:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 1:22:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 01:22
C:\ComboFix2.txt ... 2007-08-19 18:52

--- E O F ---

Edited by Tuffy, 21 August 2007 - 01:57 AM.


#6 jwbirdsong

Posted 21 August 2007 - 06:03 PM

Looks like we got it taken out pretty well... Let's see if anything else is hiding there.

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log


#7 Tuffy

Tuffy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 24 August 2007 - 09:15 AM

Sorry it took a couple of days -- out of town. Thanks again for all of the help!

ActiveScan Report:
Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Adware:Adware/WinAntiVirus2007 Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.zedo.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.com.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1dce3e01-3deeb045.zip[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1dce3e01-3deeb045.zip[OwnClassLoader.class]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{30B83379-8A0D-4485-A96E-27C42A28EC0E}
Virus:Trj/Downloader.LAF Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\user9[1].exe
Virus:W32/Sdbot.JBE.worm Disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C4QYAOEI\install_conga1[1].exe
Virus:Trj/Downloader.MDW Disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GFYGRUSQ\m[1].exe
Adware:Adware/TTC Not disinfected C:\Program Files\MSN\horykywy4.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\User\STARTM~1\Programs\Startup\system.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\User\wn351.exe.vir
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\Program Files\MSN\horykywy22011.exe.vir
Virus:Trj/Clicker.WM Disinfected C:\QooBox\Quarantine\C\Program Files\ucleaner_setup.exe.vir
Adware:Adware/Winpopup Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir
Virus:Trj/Downloader.LAF Disinfected C:\QooBox\Quarantine\C\WINDOWS\rllro0578.exe.vir
Adware:Adware/SpyAway Not disinfected C:\QooBox\Quarantine\C\WINDOWS\sysrlb32.exe.vir
Virus:Trj/Downloader.PUT Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\B1\chkq22011.exe.vir
Virus:Trj/Passtealer.ED Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ddcccax.dll.vir
Virus:Trj/Downloader.PUT Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gaiqyxkd.dll.vir
Virus:Trj/Downloader.MDW Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hrum351.txt.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iifecab.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ilsqhgxi.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\khfcbay.dll.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ppegtypq.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\printer.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtr351.dll.vir
Virus:Trj/Downloader.PNC Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\win\w71.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\winavxx.exe.vir
Adware:Adware/SpyAway Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wmvds32.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wvusqrr.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xrlbundx.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xxyyyvs.dll.vir
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINDOWS\uninst1014.exe.vir
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINDOWS\uni_eh44.exe.vir
Adware:Adware/Popper Not disinfected C:\QooBox\Quarantine\C\WINDOWS\zqbmglr.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-19_184259.40.zip[urqnkli.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Spyware:Cookie/nCase Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@banners.searchingbooth[1].txt


HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:55 AM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130207500554
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130207483269
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe (file missing)
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\System32\dlbtcoms.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8117 bytes
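Most of the ActiveScan report above is noise for the purpose of the next step: items already in ComboFix's quarantine (the QooBox paths), tracking cookies inside the Firefox cookie store, the NirCmd component that Panda flags inside ComboFix.exe, and things the scanner already disinfected. What is left is a short list of files still on disk plus one registry key. The script below is an added example, not the helper's tool and not from the thread; it sorts report lines into those buckets and emits the on-disk paths one per line. It assumes the report's line shape (`<detection> <status> <location>`, with a trailing `[...]` naming a member inside an archive or cookie store), that `C:\QooBox\Quarantine\` is ComboFix's quarantine, and that `ComboFix.exe` and `nircmd.exe` are tool components rather than infections. On the sample (a subset of the real report lines) it produces the three paths the helper chooses in the next post, plus the Java deployment-cache jar carrying the ByteVerify classes, which a human still has to decide about.

```python
"""Sort a Panda ActiveScan report into buckets a cleaner can act on.

Added example, not the forum helper's tool. Each report line is
"<detection> <status> <location>"; status is "Disinfected" or
"Not disinfected", and a trailing "[...]" on the location names a member
inside an archive or cookie store rather than a file of its own.
"""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<detection>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)  # ComboFix's quarantine folder (assumed from the log)
TOOL_FILES = {"combofix.exe", "nircmd.exe"}           # cleaner components Panda reports as PUAs (assumed)


def split_member(location: str) -> Tuple[str, Optional[str]]:
    m = MEMBER_RE.match(location)
    return (m.group("container"), m.group("member")) if m else (location, None)


def triage(report_text: str) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {
        "disinfected": [],      # the scanner already handled it
        "quarantined": [],      # already in ComboFix's quarantine; nothing left on the live system
        "tool": [],             # part of the cleaning tools, not an infection
        "browser_cookies": [],  # entries inside a browser cookie store; clear via the browser
        "registry": [],         # needs a registry edit, not a file delete
        "files": [],            # still on disk: candidates for a delete-on-reboot list
    }
    seen = set()
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line, blank line, free text
        det, status, loc = m.group("detection", "status", "location")
        container, member = split_member(loc)
        basename = container.rsplit("\\", 1)[-1].lower()
        if status == "Disinfected":
            buckets["disinfected"].append(loc)
        elif container.lower().startswith(QUARANTINE_PREFIXES):
            buckets["quarantined"].append(loc)
        elif basename in TOOL_FILES or (member or "").lower() in TOOL_FILES:
            buckets["tool"].append(loc)
        elif det.startswith("Spyware:Cookie/") and member is not None:
            buckets["browser_cookies"].append(loc)
        elif container.upper().startswith("HKEY_"):
            buckets["registry"].append(loc)
        elif container not in seen:  # several members of one archive collapse to its path
            seen.add(container)
            buckets["files"].append(container)
    return buckets


def killbox_list(report_text: str) -> str:
    """One path per line, the shape the post's Killbox step pastes from the clipboard."""
    return "\n".join(triage(report_text)["files"])


# Constructed sample: a subset of the report lines posted above, unchanged.
SAMPLE_REPORT = r"""
Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Adware:Adware/WinAntiVirus2007 Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2nrho2s5.default\cookies.txt[.2o7.net/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1dce3e01-3deeb045.zip[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-1dce3e01-3deeb045.zip[OwnClassLoader.class]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/Downloader.LAF Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\user9[1].exe
Adware:Adware/TTC Not disinfected C:\Program Files\MSN\horykywy4.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\QooBox\Quarantine\C\DOCUME~1\User\wn351.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Spyware:Cookie/nCase Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@banners.searchingbooth[1].txt
"""

if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"{name}: {len(items)}")
    print(killbox_list(SAMPLE_REPORT))
```

Note the cookie rule: a cookie entry inside `cookies.txt[...]` is a row in Firefox's cookie store and is cleared through the browser, but a cookie that is its own file (here one under the SYSTEM profile, written by something running as LocalSystem) is a real file on disk and lands in the delete list, which is also where the helper puts it.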

#8 jwbirdsong

Posted 26 August 2007 - 12:02 PM

Next please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Click on Tools in the menu bar
    • Click Delete Temp files
    • It will pop up a dialog showing your profile, all applicable boxes will be checked
    • Click Delete selected files
    • Use the drop down box and do this for every profile listed
    • Click the exit(save changes).. This just closes the delete files dialog
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
    C:\Program Files\MSN\horykywy4.exe
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\system@banners.searchingbooth[1].txt


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (just please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

Spend a day or so browsing then come back and post a final(?) HijackThis log and any comments on how the computer is running.

P.S. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
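The "Delete on Reboot" step and the PendingFileRenameOperations prompt the helper asks about refer to the same Windows mechanism: a REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that the session manager processes at the next boot, before the files are locked again. Its strings come in (source, target) pairs; an empty target means delete the source, a target with a leading `!` means overwrite an existing file, and paths carry the `\??\` object-manager prefix. That Killbox queues its deletions through this value is an inference from the prompt it shows, not something the post states. The decoder below is an added example, not Killbox's code; it reads a constructed copy of the value (the two paths are taken from the helper's list above, the rename pair is invented) so you can see what was already queued before you add your own entries, which is why an unexpected prompt here is worth reporting. `read_live()` reads the real value on Windows and returns an empty list elsewhere.

```python
"""Decode a PendingFileRenameOperations value into the operations it queues.

Added example, not Killbox's code. The value is a REG_MULTI_SZ consumed in
(source, target) pairs: target "" deletes source at boot; a target with a
leading '!' replaces an existing file; paths carry the \\??\\ NT prefix.
"""
from dataclasses import dataclass
from typing import List, Optional

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


@dataclass
class PendingOp:
    source: str
    target: Optional[str]   # None: delete source at next boot
    replace_existing: bool  # target carried a leading '!'


def nt_to_win32(path: str) -> str:
    """Strip the \\??\\ object-manager prefix the value stores paths with."""
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending(entries: List[str]) -> List[PendingOp]:
    """entries: the REG_MULTI_SZ as a list of strings, in (source, target) order."""
    if len(entries) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp(nt_to_win32(src), None, False))
        else:
            ops.append(PendingOp(nt_to_win32(src), nt_to_win32(dst.lstrip("!")), dst.startswith("!")))
    return ops


def pending_deletes(entries: List[str]) -> List[str]:
    return [op.source for op in decode_pending(entries) if op.target is None]


def read_live() -> List[str]:
    """Read the real value on Windows; [] elsewhere or when nothing is queued."""
    try:
        import winreg
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            data, kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return list(data) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample, not read from the machine in the thread: two deletes
# (paths from the helper's list) and one invented replace-on-boot rename.
SAMPLE_ENTRIES = [
    r"\??\C:\Program Files\MSN\horykywy4.exe", "",
    r"\??\C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe", "",
    r"\??\C:\WINDOWS\TEMP\update.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
]

if __name__ == "__main__":
    live = read_live()
    for op in decode_pending(live if live else SAMPLE_ENTRIES):
        action = "DELETE" if op.target is None else ("REPLACE" if op.replace_existing else "RENAME")
        print(f"{action:7} {op.source}" + (f" -> {op.target}" if op.target else ""))
```

On a machine you are cleaning, run it before the Killbox step: a queued rename that drops a DLL into system32 from a temp file, for instance, is something you want to know about before you reboot into it.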



