
Pc Infection - Virtumundo (vundo), Zeno, Psyme


8 replies to this topic

#1 otley

Posted 19 August 2007 - 10:47 PM

Hello,

I have a PC that is running Windows XP and is infected. I continue to get popups from localsrv.net and other sites. The programs that I have run so far have identified me as being infected with:
Virtumundo (VUNDO)
Zeno Search Assistant
Think-Adz Search Assistant - When I remove this in "Add/Delete Programs" it always comes back.
PSYME
There could very well be more things that are wrong, too, but this is what I have seen identified.

I ran "SpyBot Search and Destroy", but it was not able to remove the Virtumundo or Zeno -- the machine went to a blue screen when the process got to the point where it was trying to remove them. I ran this several times and always got the same result.

Please Help -- I would greatly appreciate it.

Thank you.

-------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:08 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\owinpmdt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\putty.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\vovsjutl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\fccbyvs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {EE5F879C-1E29-4477-8294-825595C34C6D} - C:\WINDOWS\system32\pmnnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [{A8-8A-A1-17-ZN}] C:\WINDOWS\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinpmdt.exe CHD003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: fccbyvs - fccbyvs.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8222 bytes



#2 Rawe

Posted 20 August 2007 - 05:53 AM

Hello and welcome aboard :thumbsup:

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 otley (Topic Starter)

Posted 20 August 2007 - 10:42 AM

Hello,
Thank you very much for your help.

Here is the ComboFix log....

-----------------

ComboFix 07-08-17.2 - "Josh" 2007-08-20 8:26:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.448 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Josh\Desktop.\internet explorer.lnk
C:\DOCUME~1\Josh\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\Common Files\tsks~1
C:\Program Files\mantec~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\aqkgcwkm.dll
C:\WINDOWS\system32\drapjgnb.dll
C:\WINDOWS\system32\dumjpmnk.dll
C:\WINDOWS\system32\eebhegdt.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\ffuyekps.dll
C:\WINDOWS\system32\hfgbyecu.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\nogfpuhk.dll
C:\WINDOWS\system32\nplvihnf.dll
C:\WINDOWS\system32\oexkamjd.dll
C:\WINDOWS\system32\ofytfoeq.dll
C:\WINDOWS\system32\owinpmdt.exe
C:\WINDOWS\system32\qauoesav.dll
C:\WINDOWS\system32\qlibkwku.dll
C:\WINDOWS\system32\srpgwdxd.dll
C:\WINDOWS\system32\thysvrtf.dll
C:\WINDOWS\system32\vovsjutl.dll
C:\WINDOWS\system32\wcdvsmlw.dll
C:\WINDOWS\system32\winpfz32.sys


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 08:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 16:02 <DIR> d-------- C:\Program Files\BruteForce
2007-08-19 16:02 <DIR> d-------- C:\New Folder
2007-08-19 15:50 <DIR> d-------- C:\VundoFix Backups
2007-08-19 09:08 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-08-18 18:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-18 17:01 <DIR> d-------- C:\DOCUME~1\Josh\.housecall6.6
2007-08-18 15:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-17 19:11 <DIR> d-------- C:\WINDOWS\pss
2007-08-17 07:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-16 21:26 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-16 21:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-16 21:26 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-16 21:26 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-16 21:26 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-16 21:26 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-16 21:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-16 21:26 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\PC Tools
2007-08-16 21:24 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-08-16 21:22 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Google
2007-08-16 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-16 21:20 <DIR> d-------- C:\Program Files\Google
2007-08-16 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-16 07:56 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-08-16 07:56 13,824 --a------ C:\WINDOWS\plite731.exe
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\tmps2
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\syschks22
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\SS1
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\ICM2
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\dll2
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\chkfig5
2007-08-16 07:56 <DIR> d-------- C:\Temp
2007-08-13 21:34 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-08-13 21:34 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-08-13 21:34 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-08-13 21:34 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-08-13 21:34 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-08-13 21:34 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-08-13 21:34 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-08-13 21:34 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-08-13 21:34 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-08-13 21:34 217,073 --a------ C:\WINDOWS\meta4.exe
2007-08-13 21:34 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-08-13 21:32 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-08-13 21:32 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-08-13 21:32 <DIR> d-------- C:\Program Files\eRightSoft
2007-08-13 21:31 28,088,805 --a------ C:\Program Files\SUPERsetup200723.exe
2007-08-13 20:17 15,796,076 --a------ C:\Program Files\apex-video-converter-super.exe
2007-08-13 20:17 <DIR> d-------- C:\Apex
2007-08-05 20:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-05 20:58 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-08-05 20:55 <DIR> d-------- C:\Program Files\Kodak
2007-08-05 20:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-05 20:45 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-05 20:45 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-31 17:26 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-07-26 21:41 <DIR> d-------- C:\Program Files\DellSupport
2007-07-26 21:16 <DIR> d-------- C:\DOCUME~1\Sarah\.onion
2007-07-21 17:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-21 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-21 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 20:37 --------- d-------- C:\Program Files\Trend Micro
2007-08-19 16:01 466 --a------ C:\Program Files\bfu.htm
2007-08-16 20:36 --------- d-------- C:\Program Files\Viewpoint
2007-08-16 18:08 --------- d--h----- C:\DOCUME~1\Josh\APPLIC~1\Move Networks
2007-07-27 08:00 --------- d-------- C:\Program Files\Dell
2007-07-26 21:41 --------- d--h----- C:\DOCUME~1\Josh\APPLIC~1\Gtek
2007-06-26 08:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 07:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 01:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 01:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 01:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 01:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 01:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 01:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 01:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 01:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 01:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 01:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 01:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 01:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 01:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 01:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 01:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 01:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 01:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 03:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-07-14 19:31 3709631 --a------ C:\Program Files\phex_2.8.8.97.exe
2006-02-27 01:04 421888 --a------ C:\Program Files\putty.exe
2005-12-07 07:21:14 56 --sh--r C:\WINDOWS\system32\497C6A95AC.sys
2005-12-07 07:21:14 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
C:\WINDOWS\system32\fccbyvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5F879C-1E29-4477-8294-825595C34C6D}]
C:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"P17Helper"="P17.dll" [2004-06-10 15:51 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 15:30]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" [2006-06-16 21:46]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 07:56]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]
"{A8-8A-A1-17-ZN}"="C:\WINDOWS\system32\dwdsrngt.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-05 13:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe [2006-02-27 00:56:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\fccbyvs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyvs]
fccbyvs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^swarmcast.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\swarmcast.lnk
backup=C:\WINDOWS\pss\swarmcast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horyjy]
C:\Program Files\Windows Media Player\horyjy22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1143912361\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"ERSvc"=2 (0x2)

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-08-17 04:24:52 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 08:31:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 8:33:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 08:33

--- E O F ---

#4 Rawe

Posted 20 August 2007 - 11:43 AM

Open Notepad and copy/paste the text in the quotebox into it.

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5F879C-1E29-4477-8294-825595C34C6D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
"{A8-8A-A1-17-ZN}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyvs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horyjy]

File::
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\pmnnl.dll
C:\Program Files\Windows Media Player\horyjy22011.exe
C:\WINDOWS\system32\fccbyvs.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\plite731.exe

Folder::
C:\WINDOWS\system32\tmps2
C:\WINDOWS\system32\syschks22

Dirlook::
C:\New Folder
C:\DOCUME~1\Sarah\.onion


Save it as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
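The entries Rawe's CFScript targets can be picked out of the HijackThis log in the first post mechanically. The script below is an added example, not part of this thread or of HijackThis/ComboFix; it assumes the HijackThis 2.0.2 line layout shown above, and its heuristics (orphaned load points, unnamed BHOs in system32, executables dropped straight into C:\WINDOWS, brace-named Run keys, a proxy auto-config URL) are this editor's reading of what the helper flagged, not a rule set from either tool. The sample lines are copied from the posted log, with two benign entries kept for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log in post #1,
# plus the Acrobat BHO and ehTray entries as benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINDOWS\system32\vovsjutl.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\fccbyvs.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{A8-8A-A1-17-ZN}] C:\WINDOWS\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: fccbyvs - fccbyvs.dll (file missing)
"""

WIN_DIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
MISSING = "(file missing)"


@dataclass
class Finding:
    line_type: str                 # HijackThis section code (R1, O2, O4, O20)
    path: str                      # file or URL the entry points at
    reasons: list = field(default_factory=list)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _parent(path: str) -> str:
    p = _norm(path)
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _executable(cmd: str) -> str:
    """First token of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reasons, path = [], ""
        if body.endswith(MISSING):
            # The load point survived but its DLL/EXE did not: an orphan left
            # behind by a partial clean-up, and the pattern seen with Vundo here.
            body = body[: -len(MISSING)].strip()
            reasons.append("load point references a file that no longer exists")
        if kind == "R1" and "AutoConfigURL" in body:
            path = body.split("=", 1)[1].strip()
            reasons.append("proxy auto-config URL set; browser traffic can be redirected")
        elif kind == "O2":
            # O2 - BHO: <name> - {CLSID} - <path>
            parts = body.split(" - ")
            name, path = parts[0].replace("BHO:", "").strip(), parts[-1]
            if name == "(no name)" and _parent(path) == SYSTEM32:
                reasons.append("unnamed BHO loaded from system32")
        elif kind == "O4":
            # O4 - HKLM\..\Run: [<key>] <command and args>
            m4 = re.search(r"\[(.*?)\]\s*(.*)$", body)
            if m4:
                key, path = m4.group(1), _executable(m4.group(2))
                if _parent(path) == WIN_DIR:
                    reasons.append("autorun executable sits directly in the Windows directory")
                if key.startswith("{"):
                    reasons.append("autorun key is a brace-wrapped token rather than a product name")
        elif kind == "O20":
            path = body.split(" - ")[-1].strip()
        if reasons:
            findings.append(Finding(kind, path, reasons))
    return findings


def cross_referenced(findings: list) -> set:
    """Basenames flagged under more than one section type, e.g. a DLL that is
    both a BHO and a Winlogon Notify handler (fccbyvs.dll in this log)."""
    seen = {}
    for f in findings:
        if f.path and not f.path.startswith("http"):
            seen.setdefault(_basename(f.path), set()).add(f.line_type)
    return {name for name, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.line_type:<4} {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
    print("seen in more than one load point:", sorted(cross_referenced(found)))
```

A hit is a reason to look closer, not proof of infection: legitimate software (Creative's UpdReg.EXE in this very log) also lives directly under C:\WINDOWS, and enterprise networks set AutoConfigURL on purpose.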

#5 otley (Topic Starter)

Posted 20 August 2007 - 06:33 PM

> When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :thumbsup:


Hello. Here are the results....
-------------------------------------------

ComboFix 07-08-17.2 - "Josh" 2007-08-20 16:23:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Josh\Desktop\CFScript.txt

FILE::
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\pmnnl.dll
C:\Program Files\Windows Media Player\horyjy22011.exe
C:\WINDOWS\system32\fccbyvs.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\plite731.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\syschks22
C:\WINDOWS\system32\syschks22\hhadz002.exe
C:\WINDOWS\system32\tmps2


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 08:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 16:02 <DIR> d-------- C:\Program Files\BruteForce
2007-08-19 16:02 <DIR> d-------- C:\New Folder
2007-08-19 15:50 <DIR> d-------- C:\VundoFix Backups
2007-08-19 09:08 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-08-18 18:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-18 17:01 <DIR> d-------- C:\DOCUME~1\Josh\.housecall6.6
2007-08-18 15:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-17 19:11 <DIR> d-------- C:\WINDOWS\pss
2007-08-17 07:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-16 21:26 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-16 21:26 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-16 21:26 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-16 21:26 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-16 21:26 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-08-16 21:26 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-16 21:26 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-16 21:26 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\PC Tools
2007-08-16 21:24 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-08-16 21:22 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Google
2007-08-16 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-16 21:20 <DIR> d-------- C:\Program Files\Google
2007-08-16 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\SS1
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\ICM2
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\dll2
2007-08-16 07:56 <DIR> d-------- C:\WINDOWS\system32\chkfig5
2007-08-16 07:56 <DIR> d-------- C:\Temp
2007-08-13 21:34 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-08-13 21:34 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-08-13 21:34 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-08-13 21:34 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-08-13 21:34 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-08-13 21:34 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-08-13 21:34 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-08-13 21:34 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-08-13 21:34 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-08-13 21:34 217,073 --a------ C:\WINDOWS\meta4.exe
2007-08-13 21:34 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-08-13 21:32 31,232 -rahs---- C:\WINDOWS\system32\msfDX.dll
2007-08-13 21:32 163,328 -rahs---- C:\WINDOWS\system32\flvDX.dll
2007-08-13 21:32 <DIR> d-------- C:\Program Files\eRightSoft
2007-08-13 21:31 28,088,805 --a------ C:\Program Files\SUPERsetup200723.exe
2007-08-13 20:17 15,796,076 --a------ C:\Program Files\apex-video-converter-super.exe
2007-08-13 20:17 <DIR> d-------- C:\Apex
2007-08-05 20:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-05 20:58 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-08-05 20:55 <DIR> d-------- C:\Program Files\Kodak
2007-08-05 20:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-05 20:45 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-05 20:45 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-07-31 17:26 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-07-26 21:41 <DIR> d-------- C:\Program Files\DellSupport
2007-07-26 21:16 <DIR> d-------- C:\DOCUME~1\Sarah\.onion
2007-07-21 17:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-21 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-21 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 20:37 --------- d-------- C:\Program Files\Trend Micro
2007-08-19 16:01 466 --a------ C:\Program Files\bfu.htm
2007-08-16 20:36 --------- d-------- C:\Program Files\Viewpoint
2007-08-16 18:08 --------- d--h----- C:\DOCUME~1\Josh\APPLIC~1\Move Networks
2007-07-27 08:00 --------- d-------- C:\Program Files\Dell
2007-07-26 21:41 --------- d--h----- C:\DOCUME~1\Josh\APPLIC~1\Gtek
2007-06-26 08:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 07:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 01:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 01:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 01:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 01:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 01:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 01:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 01:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 01:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 01:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 01:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 01:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 01:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 01:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 01:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 01:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 01:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 01:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 03:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-07-14 19:31 3709631 --a------ C:\Program Files\phex_2.8.8.97.exe
2006-02-27 01:04 421888 --a------ C:\Program Files\putty.exe
2005-12-07 07:21:14 56 --sh--r C:\WINDOWS\system32\497C6A95AC.sys
2005-12-07 07:21:14 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\New Folder ----


---- Directory of C:\DOCUME~1\Sarah\.onion ----

2007-07-26 21:16 94 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\20070727\namepick.props.weak
2007-07-26 21:16 94 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\20070727\namepick.props.weak
2007-07-26 21:16 8192 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\metadata-meta.pag
2007-07-26 21:16 8192 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\metadata-index.pag
2007-07-26 21:16 8192 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\cache-meta.pag
2007-07-26 21:16 8192 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\cache-index.pag
2007-07-26 21:16 751 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\20070727\00\ws.swarmcast.netgatewayServicesgatewayPolicy.xml-0-0.dat
2007-07-26 21:16 4300 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\20070727\01\ws.swarmcast.netmirrorServicesdomainPolicy.xml-0-0.dat
2007-07-26 21:16 356 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\20070727\01\ws.swarmcast.netgatewayServicesgatewayPolicy.xml-0-0.head
2007-07-26 21:16 356 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\20070727\00\ws.swarmcast.netmirrorServicesdomainPolicy.xml-0-0.head
2007-07-26 21:16 27509 --a------ C:\DOCUME~1\Sarah\.onion\swarmcast-log.txt
2007-07-26 21:16 0 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\metadata-meta.dir
2007-07-26 21:16 0 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\metadata\metadata-index.dir
2007-07-26 21:16 0 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\cache-meta.dir
2007-07-26 21:16 0 --a------ C:\DOCUME~1\Sarah\.onion\Swarmcast\cache\cache-index.dir


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
C:\WINDOWS\system32\fccbyvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5F879C-1E29-4477-8294-825595C34C6D}]
C:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"P17Helper"="P17.dll" [2004-06-10 15:51 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 15:30]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" [2006-06-16 21:46]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"plite731"="C:\WINDOWS\plite731.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-12 13:19]
"{A8-8A-A1-17-ZN}"="C:\WINDOWS\system32\dwdsrngt.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-05 13:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe [2006-02-27 00:56:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\fccbyvs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbyvs]
fccbyvs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^swarmcast.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\swarmcast.lnk
backup=C:\WINDOWS\pss\swarmcast.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horyjy]
C:\Program Files\Windows Media Player\horyjy22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1143912361\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"ERSvc"=2 (0x2)

R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-17 04:24:52 C:\WINDOWS\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 16:24:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 16:25:06
C:\ComboFix-quarantined-files.txt ... 2007-08-20 16:25
C:\ComboFix2.txt ... 2007-08-20 08:33

--- E O F ---

#6 Rawe

Posted 21 August 2007 - 08:16 AM

Is Swarmcast something you use? :thumbsup:

Please post a fresh HijackThis log and also describe all your current issues with the computer.
Hi there, stranger!

#7 otley (Topic Starter)

Posted 21 August 2007 - 09:58 AM

Hello,

I believe that I downloaded Swarmcast as part of the software I needed to watch baseball games online with the "MLB.tv Mosaic" program. However, I almost never use that, and can delete it if needed. Is that program a security risk? Or does it just slow down the machine?

As far as I can tell, things seem to be running better. The pop-ups are gone!!! Hurrah!!! Thank you!!

There are still a bunch of open processes running in the background even when I am not doing anything. Should I change the MSConfig settings to not run some of those, or are they mostly harmless?

Below is my new HiJack This Log.

Thanks for all your help!!

-----------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:38 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\fccbyvs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7015 bytes

#8 Rawe

Posted 21 August 2007 - 10:16 AM

Nope, I don't think Swarmcast is anything to worry about, just asked since I haven't heard of it before. :thumbsup:

Check and fix the following entries with HijackThis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\fccbyvs.dll (file missing)


====

Updating Java and Clearing Cache
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for ALL previously installed versions of Java (J2SE Runtime Environment...).
    They should have the Java icon next to them.
    Select them and click Remove one at a time.
  • Now please install the Java Runtime Environment (JRE) 6u2 manually from http://java.sun.com/javase/downloads/index.jsp
  • Remember to reboot the computer after updating.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

=====

If you want to remove some of the startup entries from starting up on boot, let's do it with HijackThis rather than MSConfig :flowers:

These are safe to fix. They are legit though. You can run the programs if you need to, no need for them in the startup.

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


====

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
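The HijackThis entries Rawe singles out above are the ones that turn up in almost every Vundo cleanup: a BHO whose DLL is already gone ("file missing"), a blanked or replaced start page, and a proxy auto-config URL that would let something sit between the browser and the network. The script below is an added example, not part of this thread and not code from HijackThis or BleepingComputer; it applies those triage rules to lines in HijackThis log format. The sample lines are constructed for the example, assembled from the kinds of entries shown in this thread, and the "random-looking DLL name" check is a heuristic added here as an assumption, not a rule from the thread.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Constructed sample in HijackThis v2 log format, assembled from the kinds of
# entries shown in this thread; it is not a complete log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\fccbyvs.dll (file missing)
O2 - BHO: (no name) - {EE5F879C-1E29-4477-8294-825595C34C6D} - C:\WINDOWS\system32\pmnnl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O20 - Winlogon Notify: fccbyvs - C:\WINDOWS\system32\fccbyvs.dll
"""

# A DLL loaded straight out of system32 (no subdirectory), e.g. C:\WINDOWS\system32\fccbyvs.dll
SYSTEM32_DLL = re.compile(r"c:\\windows\\system32\\([a-z0-9]+)\.dll", re.I)
VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic (an assumption of this example, not a rule from the thread):
    a 5-10 letter name with almost no vowels, the shape Vundo's generated DLL
    names (fccbyvs, pmnnl) tend to have. Legitimate DLLs can match too."""
    stem = stem.lower()
    if not (5 <= len(stem) <= 10) or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(log_text):
    """Return a Finding for every HijackThis line that matches a triage rule.
    One line can produce more than one finding."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]  # R0, R1, O2, O4, O20, ...
        if kind in ("R0", "R1"):
            if "AutoConfigURL" in line:
                # A PAC URL routes browser traffic wherever the script says;
                # benign here (Swarmcast), but it is exactly what a
                # traffic-hijacking component would set, so always look at it.
                findings.append(Finding("proxy-autoconfig", line))
            elif line.endswith("= about:blank"):
                findings.append(Finding("blank-start-page", line))
        elif kind in ("O2", "O20", "O21"):
            if line.endswith("(file missing)"):
                # The load point outlived its DLL: harmless now, but an
                # orphaned CLSID is a cleanup leftover worth removing.
                findings.append(Finding("orphaned-load-point", line))
            m = SYSTEM32_DLL.search(line)
            if m and looks_random(m.group(1)):
                findings.append(Finding("random-name-system32-dll", line))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The proxy-autoconfig rule fires on the Swarmcast entry, which Rawe judged benign; the script surfaces entries that deserve a look, it does not decide. The vowel heuristic also flags some legitimate system DLLs (shdocvw.dll, for instance), so treat a hit as a prompt to check the file's publisher and digital signature rather than as a verdict, and note that the same DLL showing up under both an O2 BHO and an O20 Winlogon Notify entry, as fccbyvs.dll did in the ComboFix output earlier in this thread, is the layered persistence Vundo is known for.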

#9 Rawe

Posted 27 August 2007 - 06:24 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member. :thumbsup:
