
Winantivirus 2007


  • This topic is locked
17 replies to this topic

#1 wildechylld

wildechylld

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 17 August 2007 - 08:22 PM

Hi, I have been trying to get rid of this gray box that keeps popping up and telling me to check my computer. It looks like it is from Microsoft, but there are misspellings in the message. It tried to connect to the internet, and that's how I know it is WinAntivirus 2007. It wants me to download. Steps I have taken so far: I ran VundoFix and VundoBeGone; they found no files. I ran Spybot and deleted Vundo along with some redirected website registry entries; now it is saying clean. I ran my Yahoo antivirus, got a message about Java ByteVerify, and cleared that up. Then I ran Yahoo Anti-Spy and deleted all cookies found there. Before I did all this I turned off System Restore and my firewall. I ran all these programs in safe boot, restarted in normal mode, and it is still popping up and even has an icon in my system tray. I ran HijackThis again and this is what is left:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:45 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum236.txt
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

What do I do now to get rid of this?


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:35 AM

Posted 18 August 2007 - 11:56 AM

Hi

Start by renaming the HijackThis.exe file to something.exe, and post a fresh HJT log after that.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 18 August 2007 - 04:42 PM

OK, I renamed the HijackThis file and ran it, and got this log. Also, reading some of the other posts, I downloaded that Kaspersky thing too and have a log of that if you need to see it. Lastly, this thing is locking me out of my Control Panel, Internet Explorer and regedit, and changing my administrative options so I can't get in.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:08 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\kille.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum236.txt
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:35 AM

Posted 18 August 2007 - 05:02 PM

Hi

First of all, re-enable System Restore and the firewall. An infected restore point is better than no point at all.

Then download this file: combofix.exe, but don't run it yet.

I recommend saving/printing the following instructions, since you won't be able to access them while in safe mode.


Reboot into safe mode.

Start HJT, click "Do a system scan only", and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum236.txt

Close browsers and other windows. Click fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete the following files if found:
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\hrum236.txt

Search for these files and delete if found:
system.exe
autorun.exe

Then it's time for the ComboFix.

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Reboot back into normal mode and post the ComboFix log (c:\combofix.txt) in your next reply with a fresh HJT log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

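The entries Blade81 asks to have fixed above are the classic persistence points of this infection: the Winlogon Shell value, HKLM/HKCU Run keys, loose executables in the Startup folders, a policy that disables regedit, and an AppInit_DLLs value pointing at a non-DLL. As an added example (not code from the thread, from HijackThis or from any of the tools named here), the following Python triages HijackThis v1.99.1 log lines for exactly those patterns. The sample log is a subset of the lines posted in this thread; the `KNOWN_SYSTEM32_AUTOSTART` allow-list and the heuristics are assumptions for illustration.

```python
"""Triage of HijackThis (v1.99.1) log lines for the persistence points seen in
this thread. Added example, not HijackThis code. The allow-list and the rules
below are assumptions chosen for illustration, not a vendor's detection logic."""
import re
from typing import List, Tuple

# Assumption: Run-key autostarts that legitimately live directly in system32
# on a stock XP box. Anything else launched from system32 via a Run key is flagged.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe"}

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum236.txt
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
"""

RUN_KEY = re.compile(r"(HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (.+)$")
STARTUP = re.compile(r"(Global )?Startup: (.+)$")


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, evidence) pairs for one HijackThis log line."""
    findings: List[Tuple[str, str]] = []
    line = line.strip()
    if not line:
        return findings
    tag, _, rest = line.partition(" - ")

    if tag == "F2" and rest.startswith("REG:system.ini: Shell="):
        # Winlogon Shell should be exactly Explorer.exe; anything appended is a hijack.
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(("winlogon-shell-hijack", shell))

    elif tag == "O4":
        m = RUN_KEY.match(rest)
        if m:
            target = m.group(2).strip().strip('"')
            exe = target.split("\\")[-1].lower()
            if "\\system32\\" in target.lower() and exe not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append(("run-key-in-system32", target))
        else:
            m = STARTUP.match(rest)
            # Legitimate Startup-folder items are shortcuts; a bare .exe dropped
            # there (system.exe, autorun.exe) is worth a look.
            if m and m.group(2).lower().endswith(".exe"):
                findings.append(("exe-in-startup-folder", m.group(2)))

    elif tag == "O7":
        # Policies that lock the user out of admin tools are a common self-defence.
        if re.search(r"Disable(Regedit|TaskMgr)=1", rest):
            findings.append(("admin-tool-disabled", rest))

    elif tag == "O20" and rest.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is empty on a clean box; a non-.dll value is doubly odd.
        value = rest.split(":", 1)[1].strip()
        if value:
            kind = "appinit-dll" if value.lower().endswith(".dll") else "appinit-nondll"
            findings.append((kind, value))

    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line of a log and collect the findings."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for kind, evidence in triage_log(SAMPLE_LOG):
        print(f"{kind:24s} {evidence}")
```

Run against the sample, the script reports the seven entries Blade81 checked and nothing else; the O2 Spybot helper, the Kaspersky O16 scanner control and the O23 antivirus service pass through untouched, which is the point of keying on the specific loading point rather than on the file name.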


#5 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 18 August 2007 - 07:17 PM

I could not delete printer.exe; it says to check the disk or make sure it is not write-protected or running. I couldn't delete hrum236.txt either. In HijackThis I get this message:

modbackup_makebackup (sitem=020-appinit_dlls:c:/windows/system32/hrum236.txt)
error #5- invalid procedure call or argument

It says to send the info to merijn@spywareinfo.com with these details:
windows version nt 5.01.2600
msie version- 6.0.2900.2180
hijack version- 1.991

here is combofix log

ComboFix 07-08-14.4 - "esylvan" 2007-08-18 18:42:22.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\system32\printer.exe


((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


2007-08-18 18:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 22:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-17 22:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-17 14:47 <DIR> d-------- C:\VundoFix Backups
2007-08-17 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 22:42 6,150 --a------ C:\WINDOWS\system32\spoolvs.exe
2007-08-16 22:42 6,150 --a------ C:\DOCUME~1\esylvan\APPLIC~1\findfast.exe
2007-08-13 09:10 <DIR> d-------- C:\Program Files\Veoh Networks
2007-08-10 16:47 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\Pegasys Inc
2007-08-10 16:39 <DIR> d-------- C:\Program Files\DivX
2007-08-09 19:45 <DIR> d-------- C:\Program Files\TryMedia
2007-08-09 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-29 12:22 <DIR> d-------- C:\Program Files\Netflix
2007-07-24 11:37 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\DivX
2007-07-24 03:25 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-22 21:39 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\ArcSoft
2007-07-22 21:38 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-07-22 21:38 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-07-22 21:36 <DIR> d-------- C:\Program Files\ArcSoft
2007-07-22 20:42 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-07-22 20:42 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-22 20:42 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-07-22 20:42 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-22 20:42 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-07-22 20:42 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-22 20:42 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-07-22 20:42 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-22 20:42 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2007-07-22 20:42 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-22 20:42 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2007-07-22 20:42 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-22 20:42 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-07-22 20:42 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-22 20:41 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-07-22 20:41 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-22 20:37 73,728 --a------ C:\WINDOWS\system32\mr310ipc.dll
2007-07-22 20:37 36,864 -ra------ C:\WINDOWS\system32\mr310exv.dll
2007-07-22 20:37 352,256 --a------ C:\WINDOWS\system32\ijl15.dll
2007-07-22 20:37 28,672 -ra------ C:\WINDOWS\system32\mr310exd.dll
2007-07-22 20:37 129,875 -ra------ C:\WINDOWS\system32\drivers\mr97310c.sys
2007-07-22 20:37 102,400 --a------ C:\WINDOWS\system32\mr310ifc.dll
2007-07-22 20:37 <DIR> d-------- C:\Program Files\MARS
2007-07-21 19:10 75,384 --------- C:\WINDOWS\TrueInstall.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 09:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-24 17:19 --------- d-------- C:\Program Files\GameHouse
2007-07-23 06:43 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-23 06:43 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-07-22 20:36 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-21 19:10 --------- d-------- C:\Program Files\TrueSwitchAT&TYahoo
2007-07-16 23:00 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Yahoo!
2007-07-16 11:51 --------- d-------- C:\Program Files\Pure Networks
2007-07-16 11:51 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-16 11:48 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\AOL
2007-07-14 16:10 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\TrueSwitch
2007-07-12 14:59 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-07-12 14:58 74864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-07-12 14:58 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-07-12 14:58 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-07-12 14:58 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-07-12 14:58 115824 --a------ C:\WINDOWS\UnVet32.exe
2007-07-12 14:58 111728 --a------ C:\WINDOWS\AVShlExt.dll
2007-07-12 14:58 --------- d-------- C:\Program Files\Yahoo!
2007-07-12 14:47 --------- d-------- C:\Program Files\EarthLink TotalAccess
2007-07-11 15:21 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-07-11 15:21 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Motive
2007-07-11 14:18 --------- d-------- C:\Program Files\Common Files\Motive
2007-07-11 14:05 --------- d-------- C:\Program Files\illiminable
2007-07-11 14:05 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-07-11 12:51 --------- d-------- C:\Program Files\BroadJump
2007-07-09 14:07 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 14:07 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-09 14:07 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 14:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 14:07 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 14:07 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-09 14:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 14:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 14:05 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 14:05 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 14:05 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-09 14:05 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-09 14:05 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-09 14:05 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-09 14:05 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-09 14:05 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-05 16:23 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-05 11:37 --------- d-------- C:\Program Files\Diablo II
2007-07-05 11:13 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-05 11:13 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-05 11:13 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-28 11:42 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-06-08 08:05 503808 --a------ C:\WINDOWS\system32\SpongeBob Squarepants.scr
2007-06-08 08:05 12288 --a------ C:\WINDOWS\system32\impborl.dll
2007-05-31 15:39 286720 --a------ C:\WINDOWS\iun506.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-11 15:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum236.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^Connect to Catapult Online.lnk]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\Connect to Catapult Online.lnk
backup=C:\WINDOWS\pss\Connect to Catapult Online.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^startsite.bat]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\startsite.bat
backup=C:\WINDOWS\pss\startsite.batStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeyz.exe Startup]
C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"EarthLinkMonitor"=2 (0x2)

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys


Contents of the 'Scheduled Tasks' folder
2007-08-17 05:00:02 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-15 14:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 15:00:00 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 16:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 17:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 18:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 19:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-16 20:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 21:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 22:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 23:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 01:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 02:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 03:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-18 04:00:01 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 05:00:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 07:00:01 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 07:00:01 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 15:00:00 C:\WINDOWS\Tasks\At35.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 16:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 17:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 18:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 19:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 08:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At40.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 21:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 22:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 23:00:00 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 00:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 01:00:00 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 02:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 03:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-18 04:00:02 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-14 16:50:13 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-14 16:50:13 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-14 16:50:13 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-14 16:50:14 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-15 13:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\78K5YIM5.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 18:45:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-18 18:47:05
C:\ComboFix-quarantined-files.txt ... 2007-08-18 18:46

--- E O F ---

And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:01:07 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\kille.exe.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum236.txt
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

System Restore and the firewall are back on.

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:35 AM

Posted 19 August 2007 - 01:10 PM

Hi

Combofix got rid of printer.exe. Let's continue and try to remove that hrum236.txt next.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\hrum236.txt

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer (in cases where the script contains "Drivers to Unload", The Avenger will actually restart your system twice).
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\78K5YIM5.exe
C:\WINDOWS\system32\Df2t3A5C.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folder::
C:\VundoFix Backups
C:\Program Files\TryMedia

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=-


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh HJT log.

Summary of logs to be posted:
-contents of C:\avenger.txt
-resultant log of Combofix
-a fresh hjt log

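The long File:: list in the CFScript above comes straight from the "Scheduled Tasks" section of the earlier ComboFix log, where 48 At*.job tasks all launch one of two oddly named executables in system32. As an added example (not ComboFix's or The Avenger's code, nor anything from the thread), the following Python groups that listing by target binary so the pattern is visible at a glance instead of having to be read off 48 lines by eye. The sample is a constructed subset of the thread's listing plus one made-up benign task (`Backup.job` running ntbackup.exe) for contrast; the "random-looking name" rule is a heuristic assumed for illustration.

```python
"""Group the 'Scheduled Tasks' section of a ComboFix log by target executable.
Added example, not ComboFix code. The random-name heuristic is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: five lines copied from the thread's ComboFix listing plus
# one invented benign task (Backup.job -> ntbackup.exe) that should NOT be flagged.
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
2007-08-17 05:00:02 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-15 14:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\78K5YIM5.exe
2007-08-17 05:00:02 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 06:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-17 03:23:31 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\Df2t3A5C.exe
2007-08-01 09:00:00 C:\WINDOWS\Tasks\Backup.job - C:\WINDOWS\system32\ntbackup.exe
"""

# One listing line: "<timestamp> <path\to\Name.job> - <target command>"
TASK_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>\S+\.job) - (?P<target>.+)$"
)
AT_JOB = re.compile(r"\\At\d+\.job$")


def parse_tasks(text: str) -> Dict[str, List[str]]:
    """Map each target command to the list of .job files that launch it."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = TASK_LINE.match(line.strip())
        if m:
            by_target[m.group("target").strip()].append(m.group("job"))
    return dict(by_target)


def looks_generated(path: str) -> bool:
    """Heuristic (assumption): a file stem of 6+ characters mixing at least three
    digits with letters, like 78K5YIM5 or Df2t3A5C, is unlike stock Windows names."""
    stem = path.split("\\")[-1].rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 6 and digits >= 3 and letters >= 2


def suspicious_targets(by_target: Dict[str, List[str]],
                       min_jobs: int = 2) -> List[Tuple[str, List[str]]]:
    """Targets with a generated-looking name that several At<n>.job tasks point at.
    The result is sorted so it can be compared and reported deterministically."""
    out: List[Tuple[str, List[str]]] = []
    for target, jobs in by_target.items():
        at_jobs = sorted(j for j in jobs if AT_JOB.search(j))
        if looks_generated(target) and len(at_jobs) >= min_jobs:
            out.append((target, at_jobs))
    return sorted(out)


if __name__ == "__main__":
    grouped = parse_tasks(SAMPLE_TASKS)
    for target, jobs in suspicious_targets(grouped):
        print(f"{target}  <-  {len(jobs)} At-jobs: {', '.join(jobs)}")
```

The At<n>.job naming is what the `at` scheduler produces, so a burst of them created within seconds of each other (the 03:23:31 timestamps in the full listing) and all pointing at the same freshly dropped binary is the tell; the benign ntbackup task drops out because its name is ordinary and it has a single job.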


#7 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 19 August 2007 - 03:09 PM

Here are the logs as requested.

avenger.txt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\njjkbtxj

*******************

Script file located at: \??\C:\wcpauxvm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\hrum236.txt deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

combofix log

ComboFix 07-08-14.4 - "esylvan" 2007-08-19 14:46:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.79 [GMT -5:00]
Command switches used :: C:\Documents and Settings\esylvan\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\78K5YIM5.exe
C:\WINDOWS\system32\Df2t3A5C.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\TryMedia
C:\Program Files\TryMedia\ActiveMark\data\{03F0C289-7F83-2A11-2B61-3FA6BACA502B}
C:\Program Files\TryMedia\ActiveMark\data\{75EC702D-4E74-EE3D-5171-A1EBBD890CFF}
C:\Program Files\TryMedia\ActiveMark\data\{A5DE1A93-BEF8-C258-1AF5-C97576CD0636}
C:\Program Files\TryMedia\ActiveMark\data\{B8762FF6-EF94-8C18-4398-734AA5EECDED}
C:\VundoFix Backups
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-18 18:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 22:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-17 22:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-17 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 22:42 6,150 --a------ C:\WINDOWS\system32\spoolvs.exe
2007-08-16 22:42 6,150 --a------ C:\DOCUME~1\esylvan\APPLIC~1\findfast.exe
2007-08-13 09:10 <DIR> d-------- C:\Program Files\Veoh Networks
2007-08-10 16:47 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\Pegasys Inc
2007-08-10 16:39 <DIR> d-------- C:\Program Files\DivX
2007-08-09 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-29 12:22 <DIR> d-------- C:\Program Files\Netflix
2007-07-24 11:37 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\DivX
2007-07-24 03:25 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-22 21:39 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\ArcSoft
2007-07-22 21:38 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-07-22 21:38 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-07-22 21:36 <DIR> d-------- C:\Program Files\ArcSoft
2007-07-22 20:42 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-07-22 20:42 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-22 20:42 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-07-22 20:42 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-22 20:42 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-07-22 20:42 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-22 20:42 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-07-22 20:42 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-22 20:42 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2007-07-22 20:42 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-22 20:42 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2007-07-22 20:42 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-22 20:42 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-07-22 20:42 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-22 20:41 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-07-22 20:41 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-22 20:37 73,728 --a------ C:\WINDOWS\system32\mr310ipc.dll
2007-07-22 20:37 36,864 -ra------ C:\WINDOWS\system32\mr310exv.dll
2007-07-22 20:37 352,256 --a------ C:\WINDOWS\system32\ijl15.dll
2007-07-22 20:37 28,672 -ra------ C:\WINDOWS\system32\mr310exd.dll
2007-07-22 20:37 129,875 -ra------ C:\WINDOWS\system32\drivers\mr97310c.sys
2007-07-22 20:37 102,400 --a------ C:\WINDOWS\system32\mr310ifc.dll
2007-07-22 20:37 <DIR> d-------- C:\Program Files\MARS
2007-07-21 19:10 75,384 --------- C:\WINDOWS\TrueInstall.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 09:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-24 17:19 --------- d-------- C:\Program Files\GameHouse
2007-07-23 06:43 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-23 06:43 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-07-22 20:36 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-21 19:10 --------- d-------- C:\Program Files\TrueSwitchAT&TYahoo
2007-07-16 23:00 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Yahoo!
2007-07-16 11:51 --------- d-------- C:\Program Files\Pure Networks
2007-07-16 11:51 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-16 11:48 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\AOL
2007-07-14 16:10 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\TrueSwitch
2007-07-12 14:59 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-07-12 14:58 74864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-07-12 14:58 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-07-12 14:58 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-07-12 14:58 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-07-12 14:58 115824 --a------ C:\WINDOWS\UnVet32.exe
2007-07-12 14:58 111728 --a------ C:\WINDOWS\AVShlExt.dll
2007-07-12 14:58 --------- d-------- C:\Program Files\Yahoo!
2007-07-12 14:47 --------- d-------- C:\Program Files\EarthLink TotalAccess
2007-07-11 15:21 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-07-11 15:21 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Motive
2007-07-11 14:18 --------- d-------- C:\Program Files\Common Files\Motive
2007-07-11 14:05 --------- d-------- C:\Program Files\illiminable
2007-07-11 14:05 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-07-11 12:51 --------- d-------- C:\Program Files\BroadJump
2007-07-09 14:07 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 14:07 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-09 14:07 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 14:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 14:07 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 14:07 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-09 14:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 14:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 14:05 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 14:05 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 14:05 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-09 14:05 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-09 14:05 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-09 14:05 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-09 14:05 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-09 14:05 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-05 16:23 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-05 11:37 --------- d-------- C:\Program Files\Diablo II
2007-07-05 11:13 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-05 11:13 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-05 11:13 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-28 11:42 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-06-08 08:05 503808 --a------ C:\WINDOWS\system32\SpongeBob Squarepants.scr
2007-06-08 08:05 12288 --a------ C:\WINDOWS\system32\impborl.dll
2007-05-31 15:39 286720 --a------ C:\WINDOWS\iun506.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-11 15:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^Connect to Catapult Online.lnk]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\Connect to Catapult Online.lnk
backup=C:\WINDOWS\pss\Connect to Catapult Online.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^startsite.bat]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\startsite.bat
backup=C:\WINDOWS\pss\startsite.batStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeyz.exe Startup]
C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"EarthLinkMonitor"=2 (0x2)

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 14:52:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 14:55:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 14:55
C:\ComboFix2.txt ... 2007-08-18 18:47

--- E O F ---


hjt log

Logfile of HijackThis v1.99.1
Scan saved at 3:00:05 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\kille.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

looks clean..... am I?

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:35 AM

Posted 20 August 2007 - 01:16 AM

Yeah, looks quite promising indeed. :thumbsup: Anyway, let's check with Kaspersky scanner if it finds something.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please do an online scan with Kaspersky WebScanner


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a fresh hjt log.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 20 August 2007 - 06:04 PM

here is the kaspersky txt

KASPERSKY ONLINE SCANNER REPORT
Monday, August 20, 2007 5:59:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/08/2007
Kaspersky Anti-Virus database records: 386220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 27137
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 00:21:27

Infected Object Name / Virus Name / Last Action
C:\6A.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\6A.tmp NSIS: infected - 1 skipped
C:\6B.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\6B.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\6B.tmp NSIS: infected - 2 skipped
C:\avenger\backup.zip/avenger/hrum236.txt Infected: Trojan.Win32.Agent.ali skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\esylvan\Application Data\findfast.exe Infected: Trojan.Win32.Agent.avq skipped
C:\Documents and Settings\esylvan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\MSHist012007082020070821\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\ntuser.dat Object is locked skipped
C:\Documents and Settings\esylvan\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\esylvan\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe Infected: Trojan.Win32.Agent.avq skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\Yahoo!\browser\ybrwicon.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP1\A0000037.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JEEBUZZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\Software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\System.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hanonvt.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\WINDOWS\system32\spoolvs.exe Infected: Trojan.Win32.Agent.avq skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT07198.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT0719b.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


hjt found nothing suspicious on new scan

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:35 AM

Posted 21 August 2007 - 08:48 AM

Hi

Delete following files if found:
C:\6A.tmp
C:\6B.tmp
C:\avenger\backup.zip
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup
C:\WINDOWS\system32\hanonvt.ini
C:\WINDOWS\system32\spoolvs.exe

and folder if found:
c:\QooBox


After deleting run Kaspersky scanner again and post its log and a fresh hjt log.



#11 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 23 August 2007 - 12:54 PM

no suspicious files under hjt---kaspersky different story

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 23, 2007 12:51:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 23/08/2007
Kaspersky Anti-Virus database records: 388308
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 30791
Number of viruses found: 6
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 00:20:24

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/hrum236.txt Infected: Trojan.Win32.Agent.ali skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\esylvan\Application Data\findfast.exe Infected: Trojan.Win32.Agent.avq skipped
C:\Documents and Settings\esylvan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\MSHist012007082320070824\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\ntuser.dat Object is locked skipped
C:\Documents and Settings\esylvan\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe Infected: Trojan.Win32.Agent.avq skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\Yahoo!\browser\ybrwicon.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP1\A0000037.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JEEBUZZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\Software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\System.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hanonvt.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\WINDOWS\system32\spoolvs.exe Infected: Trojan.Win32.Agent.avq skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT03c36.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT03c3a.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 August 2007 - 03:03 PM

Hi

Looks like some of those files I asked you to delete are still in the log. Let's try another way to get rid of them.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\avenger\backup.zip
C:\Documents and Settings\esylvan\Application Data\findfast.exe
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup
C:\WINDOWS\system32\hanonvt.ini
C:\WINDOWS\system32\spoolvs.exe


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then run the Kaspersky scanner again and post its log and the resulting ComboFix log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts

Posted 23 August 2007 - 04:49 PM

Here is the ComboFix log:

ComboFix 07-08-14.4 - "esylvan" 2007-08-23 15:47:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -5:00]
Command switches used :: C:\Documents and Settings\esylvan\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\avenger\backup.zip
C:\Documents and Settings\esylvan\Application Data\findfast.exe
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup
C:\WINDOWS\system32\hanonvt.ini
C:\WINDOWS\system32\spoolvs.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\avenger\backup.zip
C:\Documents and Settings\esylvan\Application Data\findfast.exe
C:\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup
C:\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup
C:\WINDOWS\system32\hanonvt.ini
C:\WINDOWS\system32\spoolvs.exe


((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23 )))))))))))))))))))))))))))))))


2007-08-18 18:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 22:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-17 22:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-17 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-13 09:10 <DIR> d-------- C:\Program Files\Veoh Networks
2007-08-10 16:47 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\Pegasys Inc
2007-08-09 19:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-07-29 12:22 <DIR> d-------- C:\Program Files\Netflix
2007-07-24 11:37 <DIR> d-------- C:\DOCUME~1\esylvan\APPLIC~1\DivX
2007-07-24 03:25 129,784 --------- C:\WINDOWS\system32\pxafs.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 11:15 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-22 11:15 --------- d-------- C:\Program Files\Ultimate Game Pak
2007-08-22 11:15 --------- d-------- C:\Program Files\Messenger
2007-08-13 09:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-24 17:19 --------- d-------- C:\Program Files\GameHouse
2007-07-23 06:43 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-23 06:43 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-07-22 21:39 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\ArcSoft
2007-07-22 21:36 --------- d-------- C:\Program Files\ArcSoft
2007-07-22 20:37 --------- d-------- C:\Program Files\MARS
2007-07-22 20:36 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-21 19:10 --------- d-------- C:\Program Files\TrueSwitchAT&TYahoo
2007-07-16 23:00 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Yahoo!
2007-07-16 11:51 --------- d-------- C:\Program Files\Pure Networks
2007-07-16 11:51 --------- d-------- C:\Program Files\Common Files\AOL
2007-07-16 11:48 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\AOL
2007-07-14 16:10 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\TrueSwitch
2007-07-14 16:09 75384 --------- C:\WINDOWS\TrueInstall.exe
2007-07-12 14:59 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-07-12 14:58 74864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-07-12 14:58 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-07-12 14:58 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-07-12 14:58 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-07-12 14:58 115824 --a------ C:\WINDOWS\UnVet32.exe
2007-07-12 14:58 111728 --a------ C:\WINDOWS\AVShlExt.dll
2007-07-12 14:58 --------- d-------- C:\Program Files\Yahoo!
2007-07-12 14:47 --------- d-------- C:\Program Files\EarthLink TotalAccess
2007-07-11 15:21 --------- d-------- C:\Program Files\SBC Self Support Tool
2007-07-11 15:21 --------- d-------- C:\DOCUME~1\esylvan\APPLIC~1\Motive
2007-07-11 14:18 --------- d-------- C:\Program Files\Common Files\Motive
2007-07-11 14:05 --------- d-------- C:\Program Files\illiminable
2007-07-11 14:05 --------- d-------- C:\Program Files\Common Files\SureThing Shared
2007-07-11 12:51 --------- d-------- C:\Program Files\BroadJump
2007-07-09 14:07 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 14:07 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-09 14:07 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 14:07 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 14:07 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 14:07 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-09 14:07 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 14:05 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 14:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 14:05 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 14:05 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 14:05 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-09 14:05 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-09 14:05 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-09 14:05 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-09 14:05 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-09 14:05 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-09 14:05 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-05 16:23 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-05 11:37 --------- d-------- C:\Program Files\Diablo II
2007-07-05 11:13 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-05 11:13 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-05 11:13 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-28 11:42 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-06-08 08:05 503808 --a------ C:\WINDOWS\system32\SpongeBob Squarepants.scr
2007-06-08 08:05 12288 --a------ C:\WINDOWS\system32\impborl.dll
2007-05-31 15:39 286720 --a------ C:\WINDOWS\iun506.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-11 15:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^Connect to Catapult Online.lnk]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\Connect to Catapult Online.lnk
backup=C:\WINDOWS\pss\Connect to Catapult Online.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^esylvan^Start Menu^Programs^Startup^startsite.bat]
path=C:\Documents and Settings\esylvan\Start Menu\Programs\Startup\startsite.bat
backup=C:\WINDOWS\pss\startsite.batStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeyz.exe Startup]
C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"EarthLinkMonitor"=2 (0x2)

S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 15:51:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23 15:54:36
C:\ComboFix-quarantined-files.txt ... 2007-08-23 15:54
C:\ComboFix2.txt ... 2007-08-19 14:55
C:\ComboFix3.txt ... 2007-08-18 18:47

--- E O F ---
And it looks like there is still something there in Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 23, 2007 4:45:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 23/08/2007
Kaspersky Anti-Virus database records: 388371
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 28342
Number of viruses found: 6
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:22:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\esylvan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\MSHist012007082320070824\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\ntuser.dat Object is locked skipped
C:\Documents and Settings\esylvan\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\esylvan\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\SBC Self Support Tool\AsstCommon\log\MotiveDirectory.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\log\diag_svc.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\log\mad.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\log\mpbtn.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Yahoo!\browser\ybrwicon.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir/avenger/hrum236.txt Infected: Trojan.Win32.Agent.ali skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\Documents and Settings\esylvan\Application Data\findfast.exe.vir Infected: Trojan.Win32.Agent.avq skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\HijackThis\backups\backup-20070817-000521-433-svchost.exe.vir Infected: Trojan.Win32.Agent.avq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20070817-143550.backup.vir Infected: Trojan.Win32.Qhost.mg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.20070817-143551.backup.vir Infected: Trojan.Win32.Qhost.mg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hanonvt.ini.vir Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP1\A0000037.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002897.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002898.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002899.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002900.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JEEBUZZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\Software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\System.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT005ca.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT02eab.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


What's next? Geesh, I hate the person who invented malware, trojans and whatnot, but I must admit I am learning a lot from working with you. Thanks.

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 August 2007 - 07:07 PM

Hi

The good news is that the infected files are in the ComboFix backup (C:\QooBox) folder. We can delete it now. Post the HJT log once again. :thumbsup:

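To make the reasoning in the reply above concrete (a detection whose path is inside the ComboFix quarantine folder C:\QooBox is already contained, and a copy inside a System Restore point is inert unless that restore point is used), here is a small parser for the Kaspersky Online Scanner report format posted in this thread. It is an added example, not a tool from the page, from Kaspersky or from ComboFix; the location buckets and their names are my own assumption, and the sample lines are copied from the reports posted above.

```python
import re
from collections import Counter

# Line shapes observed in the Kaspersky Online Scanner reports posted in this thread.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def classify_location(path: str) -> str:
    """Bucket a detection by where on disk it sits; the bucket decides the response.

    Bucket names are my own assumption, not Kaspersky's:
      combofix_quarantine - ComboFix already moved it under C:\\QooBox; delete that folder
      system_restore      - an old System Restore point; purge restore points
      tool_backup         - a copy kept by an earlier removal tool; still on disk, remove it
      live                - an active file on the system; must be cleaned or replaced
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if "\\hijackthis\\backups\\" in p or "\\avenger\\" in p:
        return "tool_backup"
    return "live"


def parse_report(lines):
    """Return (detections, locked_count).

    Each detection is a dict with path, name and location.  'Object is locked'
    lines are counted but are not detections: they are registry hives, logs and
    index files the scanner could not open, not infections.
    """
    detections, locked = [], 0
    for raw in lines:
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            detections.append({"path": m["path"], "name": m["name"],
                               "location": classify_location(m["path"])})
            continue
        m = ARCHIVE_RE.match(line)
        if m:  # archive summary line; its infected members were listed just above it
            detections.append({"path": m["path"],
                               "name": "archive with %s infected member(s)" % m["count"],
                               "location": classify_location(m["path"])})
            continue
        if LOCKED_RE.match(line):
            locked += 1
    return detections, locked


def summarize(detections):
    """Count detections per location bucket."""
    return dict(Counter(d["location"] for d in detections))


def live_detections(detections):
    """Detections that still need action: active files outside quarantine and restore points."""
    return [d for d in detections if d["location"] == "live"]


# Constructed sample: a subset of lines copied from the 23 and 25 August reports above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\esylvan\ntuser.dat Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\Yahoo!\browser\ybrwicon.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir/avenger/hrum236.txt Infected: Trojan.Win32.Agent.ali skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002897.exe Infected: Trojan.Win32.Agent.avq skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

if __name__ == "__main__":
    dets, locked = parse_report(SAMPLE_REPORT.splitlines())
    print("locked objects (ignored):", locked)
    for loc, n in sorted(summarize(dets).items()):
        print("%-20s %d" % (loc, n))
    for d in live_detections(dets):
        print("ACTION NEEDED:", d["name"], d["path"])
```

Run against the full report, the "live" bucket is what the responder still has to deal with; here it is the two Trojan.Win32.Patched.af files, while everything else is quarantine or restore-point residue.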


#15 wildechylld

wildechylld
  • Topic Starter

  • Members
  • 11 posts

Posted 25 August 2007 - 12:59 PM

OK, I ran HJT; it said no suspicious files found. Out of curiosity I ran Kaspersky again. I keep getting this Trojan.Win32. Is this something I can get rid of? You didn't ask for this scan, but will you take a look at it?

KASPERSKY ONLINE SCANNER REPORT
Saturday, August 25, 2007 12:47:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 389807
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 30714
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:23:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\esylvan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\esylvan\ntuser.dat Object is locked skipped
C:\Documents and Settings\esylvan\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\esylvan\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe Infected: Trojan.Win32.Patched.af skipped
C:\Program Files\Yahoo!\browser\ybrwicon.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP1\A0000037.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002897.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002898.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002899.ini Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP5\A0002900.exe Infected: Trojan.Win32.Agent.avq skipped
C:\System Volume Information\_restore{416B05A4-9A53-4B07-9F66-F12E2695AB6C}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JEEBUZZ.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\Software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\System.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT02365.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT02369.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
