
Trojan Malware Problem


  • This topic is locked
10 replies to this topic

#1 vinster

Posted 02 September 2007 - 03:14 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:26 AM, on 9/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\System32\qssjbvnd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS1\System32\wuauclt.exe
C:\My Downloads\gettygo.exe (aka hijackthis)
C:\WINDOWS1\System32\ebnprura.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com/
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A99C5134-D928-4E7F-A8B4-814828BCF038} - C:\WINDOWS1\System32\vtsrs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS1\system32\tuvstqo.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS1\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155340641965
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155341011226
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: tuvstqo - C:\WINDOWS1\SYSTEM32\tuvstqo.dll
O20 - Winlogon Notify: vtsrs - C:\WINDOWS1\System32\vtsrs.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS1\System32\qssjbvnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


This looks serious, please help.
Thanks, Vin.


#2 rookie147

Posted 02 September 2007 - 07:26 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 vinster

Posted 02 September 2007 - 03:42 PM

Charles, thanks for your help.

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 3:24:21 PM 9/2/2007

Listing files found while scanning....

C:\WINDOWS1\System32\bvmoulcu.dll
C:\WINDOWS1\System32\hbgvvisu.ini
C:\WINDOWS1\system32\tuvstqo.dll
C:\WINDOWS1\System32\usivvgbh.dll
C:\WINDOWS1\System32\vtsrs.dll

Beginning removal...

Attempting to delete C:\WINDOWS1\System32\bvmoulcu.dll
C:\WINDOWS1\System32\bvmoulcu.dll Has been deleted!

Attempting to delete C:\WINDOWS1\System32\hbgvvisu.ini
C:\WINDOWS1\System32\hbgvvisu.ini Has been deleted!

Attempting to delete C:\WINDOWS1\system32\tuvstqo.dll
C:\WINDOWS1\system32\tuvstqo.dll Has been deleted!

Attempting to delete C:\WINDOWS1\System32\usivvgbh.dll
C:\WINDOWS1\System32\usivvgbh.dll Has been deleted!

Attempting to delete C:\WINDOWS1\System32\vtsrs.dll
C:\WINDOWS1\System32\vtsrs.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:36 PM, on 9/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\System32\qssjbvnd.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\gettygo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com/
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D5C47184-46F4-4B23-9039-703AF30C2D1A} - C:\WINDOWS1\System32\vtsrs.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS1\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155340641965
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155341011226
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS1\System32\qssjbvnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

thanks for the assistance. What next?

Vin

Edited by vinster, 02 September 2007 - 04:22 PM.


#4 rookie147

Posted 02 September 2007 - 04:58 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 6u2), and these can be exploited by malware, so you need to update it as soon as possible. Please update and remove the older versions from your computer. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previous installed versions of Java (J2SE Runtime Environment ...)
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6u2

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {D5C47184-46F4-4B23-9039-703AF30C2D1A} - C:\WINDOWS1\System32\vtsrs.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS1\System32\qssjbvnd.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\Windows\System32\wsaupdater.exe
C:\WINDOWS1\System32\qssjbvnd.exe

Copy and paste the following text into Notepad:
sc stop DomainService
sc delete DomainService
Save this as "services.bat". Choose to save as "All Files" and place it on your Desktop.
Double-click services.bat.

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

I'd like to see the Combofix log, along with a new HijackThis log in your next reply.
Thanks,
Charles



#5 vinster

Posted 02 September 2007 - 06:19 PM

Charles thanks for the help.

Scan saved at 6:13:20 PM, on 9/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\My Downloads\gettygo.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS1\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155340641965
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155341011226
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

ComboFix 07-08-30.3 - "Vinny" 2007-09-02 17:59:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.42 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS1\cookies.ini
C:\WINDOWS1\system32\awftlvua.exe
C:\WINDOWS1\system32\bgirksig.ini
C:\WINDOWS1\system32\bofoydal.dll
C:\WINDOWS1\system32\dtiienqo.dll
C:\WINDOWS1\system32\emqscqhm.ini
C:\WINDOWS1\system32\f02WtR
C:\WINDOWS1\system32\fegenvtq.dll
C:\WINDOWS1\system32\giskrigb.dll
C:\WINDOWS1\system32\H7
C:\WINDOWS1\system32\iiffffe.dll
C:\WINDOWS1\system32\ijdhqxvu.dll
C:\WINDOWS1\system32\klodbmnd.exe
C:\WINDOWS1\system32\lhgksyhh.dll
C:\WINDOWS1\system32\lvquuflp.dll
C:\WINDOWS1\system32\mhqcsqme.dll
C:\WINDOWS1\system32\msnav32.ax
C:\WINDOWS1\system32\mywnfkem.exe
C:\WINDOWS1\system32\packet.dll
C:\WINDOWS1\system32\plfuuqvl.ini
C:\WINDOWS1\system32\pvvkpxyl.exe
C:\WINDOWS1\system32\qfxiayrg.exe
C:\WINDOWS1\system32\qoekmvak.exe
C:\WINDOWS1\system32\sgbaqydt.ini
C:\WINDOWS1\system32\srstv.bak1
C:\WINDOWS1\system32\srstv.bak2
C:\WINDOWS1\system32\srstv.ini
C:\WINDOWS1\system32\srstv.ini2
C:\WINDOWS1\system32\srstv.tmp
C:\WINDOWS1\system32\tdyqabgs.dll
C:\WINDOWS1\system32\tnqakpfw.dll
C:\WINDOWS1\system32\uvxqhdji.ini
C:\WINDOWS1\system32\wpcap.dll
C:\WINDOWS1\system32\xnquijbd.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-02 17:54 51,200 --a------ C:\WINDOWS1\nircmd.exe
2007-09-02 15:24 602,160 --a------ C:\WINDOWS1\system32\ssurdbse.exe
2007-09-02 15:24 <DIR> d-------- C:\VundoFix Backups
2007-09-02 03:02 602,160 --a------ C:\WINDOWS1\system32\ebnprura.exe
2007-09-02 02:55 602,160 --a------ C:\WINDOWS1\system32\ncilqexv.exe
2007-09-02 01:30 602,160 --a------ C:\WINDOWS1\system32\kpbtoeoc.exe
2007-09-01 23:08 602,160 --a------ C:\WINDOWS1\system32\qwubdvci.exe
2007-09-01 22:40 <DIR> d-------- C:\WINDOWS1\system32\ActiveScan
2007-09-01 22:17 602,160 --a------ C:\WINDOWS1\system32\mddtasvu.exe
2007-09-01 22:00 602,160 --a------ C:\WINDOWS1\system32\dvlbpcvc.exe
2007-09-01 21:31 602,160 --a------ C:\WINDOWS1\system32\oksuyely.exe
2007-08-31 16:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-31 16:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-08-31 16:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 14:44 <DIR> d--hs---- C:\WINDOWS1\dmluIGxvdnVsbG8
2007-08-31 14:44 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-31 14:43 <DIR> d-------- C:\WINDOWS1\system32\drvr2
2007-08-31 14:43 <DIR> d-------- C:\WINDOWS1\system32\cfig322
2007-08-31 14:43 <DIR> d-------- C:\WINDOWS1\system32\capcom
2007-08-25 17:33 <DIR> d-------- C:\Program Files\Google
2007-08-25 17:33 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\Google
2007-08-07 13:58 8,320 --a------ C:\WINDOWS1\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINDOWS1\system32\drivers\NSDriver.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2017-05-19 22:08 --------- d-------- C:\Program Files\Common Files\Nullsoft
2017-05-19 22:06 --------- d-------- C:\Program Files\Real
2017-05-19 22:06 --------- d-------- C:\Program Files\Common Files\Real
2017-05-19 22:02 --------- d-------- C:\Program Files\Common Files\AOL
2017-04-17 19:54 --------- d-------- C:\Program Files\Norton SystemWorks
2017-04-17 19:53 --------- d-------- C:\Program Files\Symantec
2017-04-17 19:53 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2017-04-17 19:49 --------- d-------- C:\Program Files\Microsoft Plus!
2017-04-17 19:48 --------- d-------- C:\Program Files\Common Files\InstallShield
2017-04-17 19:35 --------- d-------- C:\Program Files\Microsoft ActiveSync
2017-04-17 18:12 32768 ---hs---- C:\VIDEOROM.BIN
2017-04-17 18:09 266 ---hs---- C:\Program Files\desktop.ini
2017-04-17 18:09 11079 --a------ C:\Program Files\folder.htt
2007-07-11 14:37 6272 --a------ C:\WINDOWS1\system32\drivers\AWRTPD.sys
2004-08-01 21:04 75776 --a------ C:\DOCUME~1\VINNY\APPLIC~1\asao.exe
2004-07-21 23:33 75776 --a------ C:\DOCUME~1\GUEST\APPLIC~1\aiti.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS1\dmluIGxvdnVsbG8\xA5RK3USxBpPv3f.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-14 13:01]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS1\System32\Drivers\NPDRIVER.SYS


Contents of the 'Scheduled Tasks' folder
2007-09-02 23:06:18 C:\WINDOWS1\Tasks\Symantec NetDetect.job
2007-08-31 22:30:02 C:\WINDOWS1\Tasks\Norton SystemWorks One Button Checkup.job
2007-09-01 01:00:02 C:\WINDOWS1\Tasks\Norton AntiVirus - Scan my computer.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 18:06:38
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-02 18:08:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-02 18:08

#6 rookie147

Posted 03 September 2007 - 02:03 PM

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS1\system32\ssurdbse.exe
C:\WINDOWS1\system32\ebnprura.exe
C:\WINDOWS1\system32\ncilqexv.exe
C:\WINDOWS1\system32\kpbtoeoc.exe
C:\WINDOWS1\system32\qwubdvci.exe
C:\WINDOWS1\system32\mddtasvu.exe
C:\WINDOWS1\system32\dvlbpcvc.exe
C:\WINDOWS1\system32\oksuyely.exe
C:\DOCUME~1\VINNY\APPLIC~1\asao.exe
C:\DOCUME~1\GUEST\APPLIC~1\aiti.exe


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now. Boot into Safe Mode.

Then navigate to and delete these folders:

C:\WINDOWS1\dmluIGxvdnVsbG8
C:\WINDOWS1\system32\drvr2
C:\WINDOWS1\system32\cfig322
C:\WINDOWS1\system32\capcom

Then boot back into Normal Mode again.
Scan once more with Combofix and post the log in your reply, along with letting me know how things seem to be running now.
Thanks,
Charles



#7 vinster

Posted 04 September 2007 - 07:00 PM

Charles, thanks again. Things seem to be running fine.
There were no Pending File Rename Operations prompts.
I seem to have two Windows XP on the hard drive. Windows and Windows1.
Should I remove the first "Windows" from my computer or are there any programs that depend on this?

ComboFix 07-08-30.3 - "Vinny" 2007-09-04 18:47:21.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.50 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 18:31 <DIR> d-------- C:\!KillBox
2007-09-02 17:54 51,200 --a------ C:\WINDOWS1\nircmd.exe
2007-09-02 15:24 <DIR> d-------- C:\VundoFix Backups
2007-09-01 22:40 <DIR> d-------- C:\WINDOWS1\system32\ActiveScan
2007-08-31 16:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-31 16:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-08-31 16:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 14:44 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-25 17:33 <DIR> d-------- C:\Program Files\Google
2007-08-25 17:33 <DIR> d-------- C:\DOCUME~1\Vinny\APPLIC~1\Google
2007-08-07 13:58 8,320 --a------ C:\WINDOWS1\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINDOWS1\system32\drivers\NSDriver.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2017-05-19 22:08 --------- d-------- C:\Program Files\Common Files\Nullsoft
2017-05-19 22:06 --------- d-------- C:\Program Files\Real
2017-05-19 22:06 --------- d-------- C:\Program Files\Common Files\Real
2017-05-19 22:02 --------- d-------- C:\Program Files\Common Files\AOL
2017-04-17 19:54 --------- d-------- C:\Program Files\Norton SystemWorks
2017-04-17 19:53 --------- d-------- C:\Program Files\Symantec
2017-04-17 19:53 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2017-04-17 19:49 --------- d-------- C:\Program Files\Microsoft Plus!
2017-04-17 19:48 --------- d-------- C:\Program Files\Common Files\InstallShield
2017-04-17 19:35 --------- d-------- C:\Program Files\Microsoft ActiveSync
2017-04-17 18:12 32768 ---hs---- C:\VIDEOROM.BIN
2017-04-17 18:09 266 ---hs---- C:\Program Files\desktop.ini
2017-04-17 18:09 11079 --a------ C:\Program Files\folder.htt
2007-07-11 14:37 6272 --a------ C:\WINDOWS1\system32\drivers\AWRTPD.sys


((((((((((((((((((((((((((((( snapshot_2007-09-02_180720.52 )))))))))))))))))))))))))))))))))))))))))

----a-w 163,328 2007-03-13 15:57:12 C:\WINDOWS1\erdnt\subs\F3M\ERDNT.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-14 13:01]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS1\System32\Drivers\NPDRIVER.SYS


Contents of the 'Scheduled Tasks' folder
2007-09-04 23:46:02 C:\WINDOWS1\Tasks\Symantec NetDetect.job
2007-08-31 22:30:02 C:\WINDOWS1\Tasks\Norton SystemWorks One Button Checkup.job
2007-09-01 01:00:02 C:\WINDOWS1\Tasks\Norton AntiVirus - Scan my computer.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 18:49:16
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 18:50:31
C:\ComboFix2.txt ... 2007-09-02 18:09
C:\ComboFix-quarantined-files.txt ... 2007-09-04 18:50

thanks again,
Vinny

#8 rookie147

Posted 05 September 2007 - 11:48 AM

I seem to have two Windows XP on the hard drive. Windows and Windows1.
Should I remove the first "Windows" from my computer or are there any programs that depend on this?

That kind of thing isn't really my speciality, but I would think you should keep it; it's much better to be safe than sorry. Windows probably won't let you delete it anyway because it contains system files.

Aside from this, I think we're done! Great job! :thumbsup:
Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

Edited by rookie147, 05 September 2007 - 11:48 AM.



#9 vinster

Posted 05 September 2007 - 06:49 PM

YEAH! Thanks for all your help.

#10 rookie147

Posted 06 September 2007 - 04:34 AM

You're very welcome, vinster :thumbsup:



#11 rookie147

Posted 25 September 2007 - 04:37 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
