
I Think I Got All The "goodies"


9 replies to this topic

#1 steve180


Posted 11 September 2007 - 11:30 AM

I got a major spyware/malware problem on my work computer and need help please!

I'm running Windows XP Media Edition and I'm getting pop-ups like crazy from DriveCleaner, WinAntiVirus, "powered by Zedo", and when I checked with Ad-Aware I had a big threat called Virtumonde.

I also used SmitfraudFix, VundoFix and RogueRemover to scan. They always say they remove it, but the same programs always come back on the next scan with any of these tools, and with Spybot as well.

It seems to clean these viruses out, but then on the restart they always seem to return. Here's my HijackThis log; I hope somebody can help me before I get canned. Thanks a lot!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:34 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\btcgfmty.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\cfaixfgA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 72.25.82.57 web
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [cfaixfgA] C:\WINDOWS\cfaixfgA.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{0B-BB-B1-15-ZN}] C:\DOCUME~1\admin\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\yuilyubj.dll",forkonce
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] \servce.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\admin\Local Settings\Temp\thinksnet.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149644006627
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_2/controls/YBUICtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://andale.webex.com/client/T23L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFAB265-AA09-4557-8803-A908D633ED8B}: NameServer = 66.51.205.100,206.13.29.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\btcgfmty.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7927 bytes


#2 sjpritch25


Posted 24 September 2007 - 09:17 PM

steve180, sorry for the delay

If you still require assistance, please post a fresh Hijackthis log. Thanks :thumbsup:
Microsoft MVP Consumer Security--2007-2010

#3 steve180


Posted 25 September 2007 - 11:04 AM

steve180, sorry for the delay

If you still require assistance, please post a fresh Hijackthis log. Thanks :thumbsup:



No problem, thank you for helping me. I appreciate what you guys do for us who aren't as smart.

here's the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:00 AM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\cfaixfgA.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Andale Lister Pro\AndaleListerPro.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 72.25.82.57 web
O1 - Hosts: 72.25.82.210 sql1
O1 - Hosts: 72.25.82.60 server8
O2 - BHO: (no name) - {042F29F1-6AF9-4496-B3C7-B20743075383} - C:\Program Files\MSN\tecohotef83122.dll (file missing)
O2 - BHO: (no name) - {043FB855-F882-43B4-8991-4DB5B5B7331F} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C1C4271-64CA-4CEA-87F0-A5E285B477DE} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {267C3EB4-7FB9-470C-86B6-DE934CA52288} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {29C1B65E-8189-4647-8D0F-5A1656E18FE5} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: 0 - {405E01FC-ABDA-4636-A8BF-ECE881971C2F} - C:\Program Files\Common Files\xunab.dll (file missing)
O2 - BHO: (no name) - {4109DA40-2459-446A-A47E-4AF85DCB9329} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {4D6F7B21-FBD2-4353-8050-25184CAED428} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {4FD5968C-1BFE-486A-99D7-E25DB90C20C7} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {69F1A104-A250-48AA-9CE6-8CBDA49B28F4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {7D653237-BD56-416C-A6DD-7D1A43CB1AA0} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B1359CA-4D7C-42BE-8723-72BFC8D12A91} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {B8F42435-022F-4A4F-A86E-EECD7FEE9CA3} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {BDC482DE-40A8-49C6-A67C-F3F13461AFFB} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {C18B13BF-752F-4144-B8BE-D7693CDE6EB4} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {C68C1C9E-A412-4CB0-85B6-3C4198F988C4} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: (no name) - {F65071CA-B9DD-49B1-BEB8-3B1F6C1AF427} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [cfaixfgA] C:\WINDOWS\cfaixfgA.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] \servce.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149644006627
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_2/controls/YBUICtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://andale.webex.com/client/T23L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFAB265-AA09-4557-8803-A908D633ED8B}: NameServer = 66.51.205.100,206.13.29.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8465 bytes
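The two logs above carry the whole story if you know which lines to weight: BHOs pointing at random five-letter DLLs that are already "(file missing)" (the CLSID registrations survived a partial clean), a RunServices value with a drive-less path (`\servce.exe`), a Run entry launching an executable out of the admin account's Temp folder, a Winlogon Notify package (`vtsqr`) that is not part of a stock XP install, and a service with no vendor string. The script below is an added example for this thread, not HijackThis, ComboFix or BleepingComputer code: it parses the O1/O2/O4/O20/O23 line formats and adds up independent signals per entry so the worst lines surface first. The sample log, the two allow-lists and the point values are assumptions for illustration; an analyst would build the allow-lists from a clean reference machine.

```python
"""Score each HijackThis v2 entry on independent suspicious signals so the worst
lines are read first. Added example for this thread; not part of HijackThis."""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format, modelled on the entries posted in this
# thread, plus two benign lines (the Adobe BHO, ctfmon) to show what does not fire.
SAMPLE_LOG = r"""
O1 - Hosts: 72.25.82.57 web
O2 - BHO: (no name) - {043FB855-F882-43B4-8991-4DB5B5B7331F} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cfaixfgA] C:\WINDOWS\cfaixfgA.exe
O4 - HKLM\..\Run: [{0B-BB-B1-15-ZN}] C:\DOCUME~1\admin\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\yuilyubj.dll",forkonce
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] \servce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\btcgfmty.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# A service with no vendor prints as "name - - path", so the company part is optional.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -(?: (?P<company>.*?))? - (?P<path>.*)$")
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_GOOD = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe", "explorer.exe"}  # assumed allow-lists

@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points, why):
        self.score += points
        self.reasons.append(why)

def split_cmd(cmd):
    """Split a Run-value command line into (program, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    prog, _, rest = cmd.partition(" ")
    return prog, rest

def looks_random(name):
    """Weak signal: letters-only stem with four consonants in a row (ddcya, vtsqr fire; yuilyubj does not)."""
    stem = name.rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 5 and bool(re.search(r"[bcdfghjklmnpqrstvwxyz]{4}", stem, re.I))

def check_path(f, path):
    if "(file missing)" in path:
        f.hit(2, "registered file is gone from disk: orphan left by a partial removal")
        path = path.replace("(file missing)", "").strip()
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_GOOD:
        return
    if looks_random(name):
        f.hit(1, "random-looking file name")
    if path.lower().rsplit("\\", 1)[0] == "c:\\windows":
        f.hit(1, "executable dropped directly in the Windows root")

def triage(log_text):
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        f = Finding(line)
        if line.startswith("O1 - Hosts:"):
            f.hit(1, "hosts-file override; confirm it is yours (LAN names are normal on a work PC)")
        elif (m := O2_RE.match(line)):
            check_path(f, m["path"])
            if m["name"] == "(no name)":
                f.hit(1, "BHO registered without a name")
        elif (m := O4_RE.match(line)):
            prog, rest = split_cmd(m["cmd"])
            if m["key"].lower().endswith("runservices"):
                f.hit(2, "RunServices is a Win9x key; legitimate XP software does not use it")
            if prog.startswith("\\"):
                f.hit(2, "path has no drive letter (resolved relative to the current drive)")
            if prog.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
                prog, _ = split_cmd(rest)  # the real payload is the DLL argument
                f.hit(1, "launched through rundll32 indirection")
            if "\\temp\\" in prog.lower():
                f.hit(3, "executes from a Temp directory")
            check_path(f, prog)
        elif (m := O20_RE.match(line)):
            if m["name"].lower() not in KNOWN_NOTIFY:
                f.hit(2, "Winlogon Notify package not in a stock XP install (loads into winlogon.exe)")
            check_path(f, m["path"])
        elif (m := O23_RE.match(line)):
            if not (m["company"] or "").strip():
                f.hit(2, "service with an empty vendor string")
            check_path(f, m["path"])
        findings.append(f)
    return sorted((f for f in findings if f.score), key=lambda x: -x.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.score, f.line, "|", "; ".join(f.reasons))
```

Run as a script it prints the scored list; anything at 2 or more is worth a second look, 1 is "review". Note what the single-log heuristics miss: `cfaixfgA.exe` scores only 1 here because its name does not trip the consonant-run test, and the rundll32 entry scores 1 because `yuilyubj` happens to be vowel-rich. Those two are caught later by the ComboFix file listing (a 1989 timestamp with hidden+system attributes, and a burst of same-sized DLLs), which is why a helper asks for both logs rather than trusting either alone.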

#4 sjpritch25


Posted 25 September 2007 - 06:51 PM

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Microsoft MVP Consumer Security--2007-2010

#5 steve180


Posted 26 September 2007 - 11:12 AM

OK, done.

ComboFix log:

ComboFix 07-09-21.2 - "admin" 2007-09-26 9:01:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.259 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-17 16:23 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\ICQ
2007-09-17 16:22 <DIR> d-------- C:\Program Files\ICQ6
2007-09-17 16:21 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\InstallShield
2007-09-14 10:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-14 09:21 82,496 --a------ C:\WINDOWS\system32\amlxlgcu.dll
2007-09-13 14:25 82,496 --a------ C:\WINDOWS\system32\hrdfigni.dll
2007-09-13 08:56 82,496 --a------ C:\WINDOWS\system32\shpshplc.dll
2007-09-12 09:07 82,496 --a------ C:\WINDOWS\system32\nlddfunc.dll
2007-09-11 14:34 82,496 --a------ C:\WINDOWS\system32\chynenjx.dll
2007-09-11 12:44 82,496 --a------ C:\WINDOWS\system32\xkjfqqts.dll
2007-09-11 12:31 82,496 --a------ C:\WINDOWS\system32\gdfhjwul.dll
2007-09-11 09:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-11 09:22 82,496 --a------ C:\WINDOWS\system32\orjqfgsx.dll
2007-09-11 09:10 82,496 --a------ C:\WINDOWS\system32\enifqvkf.dll
2007-09-10 17:11 82,496 --a------ C:\WINDOWS\system32\ekcjtdsg.dll
2007-09-10 17:06 82,496 --a------ C:\WINDOWS\system32\hopogbum.dll
2007-09-10 16:56 82,496 --a------ C:\WINDOWS\system32\hlybqvfe.dll
2007-09-10 16:44 82,496 --a------ C:\WINDOWS\system32\nslndarv.dll
2007-09-10 16:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-10 15:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-10 15:22 82,496 --a------ C:\WINDOWS\system32\fxoecrmk.dll
2007-09-10 14:53 82,496 --a------ C:\WINDOWS\system32\mwsvlfsg.dll
2007-09-10 13:23 82,496 --a------ C:\WINDOWS\system32\tfhbypqh.dll
2007-09-10 08:55 82,496 --a------ C:\WINDOWS\system32\irknwmic.dll
2007-09-07 14:41 82,496 --a------ C:\WINDOWS\system32\pmvxpunm.dll
2007-09-07 09:15 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-09-07 09:07 82,496 --a------ C:\WINDOWS\system32\qtppwgun.dll
2007-09-07 08:55 82,496 --a------ C:\WINDOWS\system32\vmhxjpap.dll
2007-09-06 08:46 82,496 --a------ C:\WINDOWS\system32\hhtkdssi.dll
2007-09-05 10:00 202 --ah----- C:\aaw7boot.cmd
2007-09-04 21:28 82,496 --a------ C:\WINDOWS\system32\lyguxanb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 09:05 43083296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-26 09:01 888096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-26 08:56 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Skype
2007-09-25 16:32 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-09-24 09:18 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\OpenOffice.org2
2007-09-24 09:17 84848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-24 09:17 567044 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-17 16:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-21 09:25 1617209 ---hs---- C:\WINDOWS\system32\bccdd.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 09:40 1767565 ---hs---- C:\WINDOWS\system32\rqstv.ini2
2007-07-30 09:34 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Sunbelt Software
2007-07-30 09:08 1764107 ---hs---- C:\WINDOWS\system32\rqstv.bak1
2007-07-30 09:07 1763017 ---hs---- C:\WINDOWS\system32\rqstv.bak2
2007-07-27 11:24 106 --a------ C:\delete.bat
2007-07-27 09:19 126016 --a------ C:\WINDOWS\system32\aouhpyxt.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 12:12 246 --a------ C:\Program Files\Common Files\xunab
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2006-07-11 10:09 28672 --a------ C:\DOCUME~1\admin\atwbxdet.dll
1989-12-12 17:10:10 776,352 --sh--r C:\WINDOWS\cfaixfgA.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{042F29F1-6AF9-4496-B3C7-B20743075383}]
C:\Program Files\MSN\tecohotef83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{043FB855-F882-43B4-8991-4DB5B5B7331F}]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1C4271-64CA-4CEA-87F0-A5E285B477DE}]
C:\WINDOWS\system32\ssqpn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{267C3EB4-7FB9-470C-86B6-DE934CA52288}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29C1B65E-8189-4647-8D0F-5A1656E18FE5}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405E01FC-ABDA-4636-A8BF-ECE881971C2F}]
C:\Program Files\Common Files\xunab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4109DA40-2459-446A-A47E-4AF85DCB9329}]
C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D6F7B21-FBD2-4353-8050-25184CAED428}]
C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD5968C-1BFE-486A-99D7-E25DB90C20C7}]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69F1A104-A250-48AA-9CE6-8CBDA49B28F4}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D653237-BD56-416C-A6DD-7D1A43CB1AA0}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B1359CA-4D7C-42BE-8723-72BFC8D12A91}]
C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8F42435-022F-4A4F-A86E-EECD7FEE9CA3}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDC482DE-40A8-49C6-A67C-F3F13461AFFB}]
C:\WINDOWS\system32\mllmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18B13BF-752F-4144-B8BE-D7693CDE6EB4}]
C:\WINDOWS\system32\pmkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C68C1C9E-A412-4CB0-85B6-3C4198F988C4}]
C:\WINDOWS\system32\ddcyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F65071CA-B9DD-49B1-BEB8-3B1F6C1AF427}]
C:\WINDOWS\system32\vtstr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 17:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 17:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 07:44]
"cfaixfgA"="C:\WINDOWS\cfaixfgA.exe" [1989-12-12 10:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"WINDOWS SYSTEM"=\servce.exe

C:\DOCUME~1\admin\STARTM~1\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 17:01:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]
C:\WINDOWS\system32\vtsqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 MELCS;MailEnable List Connector;C:\Program Files\Mail Enable\Bin\MELSC.EXE
S3 MEMTAS;MailEnable Mail Transfer Agent;C:\Program Files\Mail Enable\Bin\MEMTA.EXE
S3 MEPOCS;MailEnable Postoffice Connector;C:\Program Files\Mail Enable\Bin\MEPOC.EXE
S3 MEPOPS;MailEnable POP Service;C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
S3 MESMTPCS;MailEnable SMTP Connector;C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS);C:\WINDOWS\system32\DRIVERS\se27nd5.sys
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE27obex.sys
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM);C:\WINDOWS\system32\DRIVERS\se27unic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 17:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 09:05:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 9:06:13
C:\ComboFix-quarantined-files.txt ... 2007-09-26 09:06
C:\ComboFix2.txt ... 2007-09-14 11:03
.
--- E O F ---




Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:09 AM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\cfaixfgA.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 72.25.82.57 web
O1 - Hosts: 72.25.82.210 sql1
O1 - Hosts: 72.25.82.60 server8
O2 - BHO: (no name) - {042F29F1-6AF9-4496-B3C7-B20743075383} - C:\Program Files\MSN\tecohotef83122.dll (file missing)
O2 - BHO: (no name) - {043FB855-F882-43B4-8991-4DB5B5B7331F} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C1C4271-64CA-4CEA-87F0-A5E285B477DE} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {267C3EB4-7FB9-470C-86B6-DE934CA52288} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {29C1B65E-8189-4647-8D0F-5A1656E18FE5} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: 0 - {405E01FC-ABDA-4636-A8BF-ECE881971C2F} - C:\Program Files\Common Files\xunab.dll (file missing)
O2 - BHO: (no name) - {4109DA40-2459-446A-A47E-4AF85DCB9329} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {4D6F7B21-FBD2-4353-8050-25184CAED428} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {4FD5968C-1BFE-486A-99D7-E25DB90C20C7} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {69F1A104-A250-48AA-9CE6-8CBDA49B28F4} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {7D653237-BD56-416C-A6DD-7D1A43CB1AA0} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B1359CA-4D7C-42BE-8723-72BFC8D12A91} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {B8F42435-022F-4A4F-A86E-EECD7FEE9CA3} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {BDC482DE-40A8-49C6-A67C-F3F13461AFFB} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {C18B13BF-752F-4144-B8BE-D7693CDE6EB4} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {C68C1C9E-A412-4CB0-85B6-3C4198F988C4} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: (no name) - {F65071CA-B9DD-49B1-BEB8-3B1F6C1AF427} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [cfaixfgA] C:\WINDOWS\cfaixfgA.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] \servce.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149644006627
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_2/controls/YBUICtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://andale.webex.com/client/T23L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFAB265-AA09-4557-8803-A908D633ED8B}: NameServer = 66.51.205.100,206.13.29.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8327 bytes

#6 sjpritch25

  • Security Colleague
  • 893 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:42 AM

Posted 26 September 2007 - 10:15 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\amlxlgcu.dll
C:\WINDOWS\system32\hrdfigni.dll
C:\WINDOWS\system32\shpshplc.dll
C:\WINDOWS\system32\nlddfunc.dll
C:\WINDOWS\system32\chynenjx.dll
C:\WINDOWS\system32\xkjfqqts.dll
C:\WINDOWS\system32\gdfhjwul.dll
C:\WINDOWS\system32\orjqfgsx.dll
C:\WINDOWS\system32\enifqvkf.dll
C:\WINDOWS\system32\ekcjtdsg.dll
C:\WINDOWS\system32\hopogbum.dll
C:\WINDOWS\system32\hlybqvfe.dll
C:\WINDOWS\system32\nslndarv.dll
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\fxoecrmk.dll
C:\WINDOWS\system32\mwsvlfsg.dll
C:\WINDOWS\system32\irknwmic.dll
C:\WINDOWS\system32\pmvxpunm.dll
C:\WINDOWS\system32\qtppwgun.dll
C:\WINDOWS\system32\vmhxjpap.dll
C:\WINDOWS\system32\hhtkdssi.dll
C:\aaw7boot.cmd
C:\WINDOWS\system32\lyguxanb.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\tfhbypqh.dll
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.bak2
C:\delete.bat
C:\WINDOWS\system32\aouhpyxt.dll
C:\WINDOWS\cfaixfgA.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{042F29F1-6AF9-4496-B3C7-B20743075383}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{043FB855-F882-43B4-8991-4DB5B5B7331F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1C4271-64CA-4CEA-87F0-A5E285B477DE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{267C3EB4-7FB9-470C-86B6-DE934CA52288}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29C1B65E-8189-4647-8D0F-5A1656E18FE5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{405E01FC-ABDA-4636-A8BF-ECE881971C2F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4109DA40-2459-446A-A47E-4AF85DCB9329}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D6F7B21-FBD2-4353-8050-25184CAED428}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FD5968C-1BFE-486A-99D7-E25DB90C20C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69F1A104-A250-48AA-9CE6-8CBDA49B28F4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D653237-BD56-416C-A6DD-7D1A43CB1AA0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B1359CA-4D7C-42BE-8723-72BFC8D12A91}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8F42435-022F-4A4F-A86E-EECD7FEE9CA3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDC482DE-40A8-49C6-A67C-F3F13461AFFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C18B13BF-752F-4144-B8BE-D7693CDE6EB4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C68C1C9E-A412-4CB0-85B6-3C4198F988C4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F65071CA-B9DD-49B1-BEB8-3B1F6C1AF427}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cfaixfgA"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"WINDOWS SYSTEM"=-

Save this as CFScript.txt
(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

In your next reply, please include a fresh Hijackthis log and Combofix log.


==============================

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
In your next reply, please include the Panda Activescan log too. Thanks
Microsoft MVP Consumer Security--2007-2010
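The procedure in the post above has two halves: reading the HijackThis log for loader entries that point at files which no longer exist (the O2 BHO and O20 Winlogon Notify lines marked "(file missing)", the O4 Run entry for C:\WINDOWS\cfaixfgA.exe, and the RunServices entry whose command is the bare `\servce.exe`), then writing those findings into a CFScript with a `File::` section for files to delete and a `Registry::` section where `[-key]` deletes a key and `"name"=-` deletes a single value. The script below is an added example for this thread, not code from BleepingComputer, the helper, Trend Micro or the ComboFix author: it parses a few lines copied from the 9/26/2007 log posted above, applies three heuristics that are this example's own (a BHO or Notify DLL marked "(file missing)", an autorun command with no drive letter, an executable sitting directly in the Windows directory root), and renders the result in the same layout as the helper's CFScript. The `~` shorthand in the BHO key path is copied from that script, and the `C:\WINDOWS` root is assumed from the paths in the log.

```python
"""Triage a HijackThis v2 log and draft a ComboFix CFScript.

Added example for this thread, not code from BleepingComputer, the helper,
Trend Micro or the ComboFix author.  Sample lines are copied from the
HijackThis log posted above; the heuristics and the Windows-root path are
this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Registry locations written the way the helper's CFScript writes them.
# The "~" shorthand in the BHO key is copied from that script.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
RUN_KEYS = {
    "Run": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "RunServices": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices",
}
WINDIR = r"C:\WINDOWS"  # assumption: matches the paths in the posted log

# Constructed input: lines copied from the log above, including benign entries
# that must be left alone (Adobe BHO, igfxtray, QuickTime, the "(no file)" BHO).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {043FB855-F882-43B4-8991-4DB5B5B7331F} - C:\WINDOWS\system32\ddcya.dll (file missing)",
    r"O2 - BHO: 0 - {405E01FC-ABDA-4636-A8BF-ECE881971C2F} - C:\Program Files\Common Files\xunab.dll (file missing)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [cfaixfgA] C:\WINDOWS\cfaixfgA.exe",
    r"O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] \servce.exe",
    r"O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll (file missing)",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HKLM\\\.\.\\(?P<key>Run|RunServices): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.*)$")


def _exe_from_command(cmd):
    """Return the program path from a Run value's command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


@dataclass
class Triage:
    files: list = field(default_factory=list)            # File:: section
    keys_to_delete: list = field(default_factory=list)   # [-key] lines
    values_to_delete: list = field(default_factory=list) # (key, value name)
    reasons: list = field(default_factory=list)          # why each line was flagged


def triage(lines):
    t = Triage()
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # Heuristic 1: a BHO registered for a DLL that is gone is an orphaned
            # loader entry; only the registry key can be removed.  "(no file)"
            # entries are left alone, as the helper's script left them.
            if m["path"].endswith("(file missing)"):
                t.keys_to_delete.append(BHO_KEY + "\\" + m["clsid"])
                t.reasons.append(f"{m['clsid']}: BHO DLL missing")
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_command(m["cmd"])
            key = RUN_KEYS[m["key"]]
            if not re.match(r"^[A-Za-z]:\\", exe):
                # Heuristic 2: no drive letter, so no installed program put it there
                t.values_to_delete.append((key, m["value"]))
                t.reasons.append(f"{m['value']}: autorun command without a drive letter")
            elif exe.rsplit("\\", 1)[0].upper() == WINDIR.upper():
                # Heuristic 3: an executable dropped straight into the Windows
                # directory root, where installed software rarely lives
                t.files.append(exe)
                t.values_to_delete.append((key, m["value"]))
                t.reasons.append(f"{m['value']}: executable in the Windows root")
            continue
        m = O20_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            t.keys_to_delete.append(NOTIFY_KEY + "\\" + m["sub"])
            t.reasons.append(f"{m['sub']}: Winlogon Notify DLL missing")
    return t


def render_cfscript(t):
    """Write the triage as a CFScript in the layout the helper used above."""
    out = []
    if t.files:
        out.append("File::")
        out.extend(t.files)
    if t.keys_to_delete or t.values_to_delete:
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in t.keys_to_delete)   # [-key] deletes the key
        grouped = {}
        for key, value in t.values_to_delete:               # one [key] header per key
            grouped.setdefault(key, []).append(value)
        for key, values in grouped.items():
            out.append(f"[{key}]")
            out.extend(f'"{v}"=-' for v in values)          # "name"=- deletes one value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for reason in result.reasons:
        print("flag:", reason)
    print(render_cfscript(result), end="")
```

ComboFix acts on whatever the script lists, so the drafted CFScript is something to read back against the log, entry by entry, before it is saved as CFScript.txt and dragged onto ComboFix.exe; the heuristics here are deliberately narrow (a missing file, a path with no drive letter, a binary in the Windows root) and still need a human to confirm that nothing legitimate matched.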

#7 steve180

  • Topic Starter
  • Members
  • 11 posts
  • Local time:12:42 PM

Posted 27 September 2007 - 12:33 PM

Thanks, remarkable progress has already been made! The computer is running decently now; hopefully everything else gets fixed.

combofix log:

ComboFix 07-09-21.2 - "admin" 2007-09-27 9:04:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.184 [GMT -7:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\amlxlgcu.dll
C:\WINDOWS\system32\hrdfigni.dll
C:\WINDOWS\system32\shpshplc.dll
C:\WINDOWS\system32\nlddfunc.dll
C:\WINDOWS\system32\chynenjx.dll
C:\WINDOWS\system32\xkjfqqts.dll
C:\WINDOWS\system32\gdfhjwul.dll
C:\WINDOWS\system32\orjqfgsx.dll
C:\WINDOWS\system32\enifqvkf.dll
C:\WINDOWS\system32\ekcjtdsg.dll
C:\WINDOWS\system32\hopogbum.dll
C:\WINDOWS\system32\hlybqvfe.dll
C:\WINDOWS\system32\nslndarv.dll
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\fxoecrmk.dll
C:\WINDOWS\system32\mwsvlfsg.dll
C:\WINDOWS\system32\irknwmic.dll
C:\WINDOWS\system32\pmvxpunm.dll
C:\WINDOWS\system32\qtppwgun.dll
C:\WINDOWS\system32\vmhxjpap.dll
C:\WINDOWS\system32\hhtkdssi.dll
C:\aaw7boot.cmd
C:\WINDOWS\system32\lyguxanb.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\tfhbypqh.dll
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.bak2
C:\delete.bat
C:\WINDOWS\system32\aouhpyxt.dll
C:\WINDOWS\cfaixfgA.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aaw7boot.cmd
C:\delete.bat
C:\WINDOWS\cfaixfgA.exe
C:\WINDOWS\system32\amlxlgcu.dll
C:\WINDOWS\system32\aouhpyxt.dll
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\chynenjx.dll
C:\WINDOWS\system32\ekcjtdsg.dll
C:\WINDOWS\system32\enifqvkf.dll
C:\WINDOWS\system32\fxoecrmk.dll
C:\WINDOWS\system32\gdfhjwul.dll
C:\WINDOWS\system32\hhtkdssi.dll
C:\WINDOWS\system32\hlybqvfe.dll
C:\WINDOWS\system32\hopogbum.dll
C:\WINDOWS\system32\hrdfigni.dll
C:\WINDOWS\system32\irknwmic.dll
C:\WINDOWS\system32\lyguxanb.dll
C:\WINDOWS\system32\mwsvlfsg.dll
C:\WINDOWS\system32\nlddfunc.dll
C:\WINDOWS\system32\nslndarv.dll
C:\WINDOWS\system32\orjqfgsx.dll
C:\WINDOWS\system32\pmvxpunm.dll
C:\WINDOWS\system32\qtppwgun.dll
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\shpshplc.dll
C:\WINDOWS\system32\tfhbypqh.dll
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vmhxjpap.dll
C:\WINDOWS\system32\xkjfqqts.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-17 16:23 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\ICQ
2007-09-17 16:22 <DIR> d-------- C:\Program Files\ICQ6
2007-09-17 16:21 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\InstallShield
2007-09-14 10:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 09:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 15:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 09:15 <DIR> d-------- C:\Program Files\RogueRemover FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 09:11 902944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-27 09:11 43861024 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-27 09:11 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Skype
2007-09-27 09:11 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\OpenOffice.org2
2007-09-27 09:10 88760 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-27 09:10 592508 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-26 16:40 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-09-17 16:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 09:34 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Sunbelt Software
2007-07-18 12:12 246 --a------ C:\Program Files\Common Files\xunab
2006-07-11 10:09 28672 --a------ C:\DOCUME~1\admin\atwbxdet.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-26_ 90551.89 )))))))))))))))))))))))))))))))))))))))))
.
----atw 16,384 2007-09-27 16:10:56 C:\WINDOWS\TEMP\Perflib_Perfdata_3f0.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 17:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 17:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 07:44]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00]

C:\DOCUME~1\admin\STARTM~1\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 17:01:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 MELCS;MailEnable List Connector;C:\Program Files\Mail Enable\Bin\MELSC.EXE
S3 MEMTAS;MailEnable Mail Transfer Agent;C:\Program Files\Mail Enable\Bin\MEMTA.EXE
S3 MEPOCS;MailEnable Postoffice Connector;C:\Program Files\Mail Enable\Bin\MEPOC.EXE
S3 MEPOPS;MailEnable POP Service;C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
S3 MESMTPCS;MailEnable SMTP Connector;C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
S3 SE27mgmt;Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
S3 se27nd5;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS);C:\WINDOWS\system32\DRIVERS\se27nd5.sys
S3 SE27obex;Sony Ericsson Device 039 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE27obex.sys
S3 se27unic;Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM);C:\WINDOWS\system32\DRIVERS\se27unic.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 17:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 09:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 9:13:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 09:13
C:\ComboFix2.txt ... 2007-09-26 09:06
C:\ComboFix3.txt ... 2007-09-14 11:03
.
--- E O F ---



Hijack Log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:14 AM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149644006627
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_2/controls/YBUICtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://andale.webex.com/client/T23L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFAB265-AA09-4557-8803-A908D633ED8B}: NameServer = 66.51.205.100,206.13.29.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6260 bytes



Panda Log:



Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.go.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.target.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[hc2.humanclick.com/hc/77576984]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[winantivirus.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\dugjnlvx.default\cookies.txt[www.burstbeacon.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6de99109-63f5dbdf.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6de99109-63f5dbdf.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6de99109-63f5dbdf.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6de99109-63f5dbdf.zip[Beyond.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-459622bd-1adeeeb4.zip[SuperMSClassLoader.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\admin\Cookies\admin@2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\admin\Cookies\admin@2o7[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\admin\Cookies\admin@ads.pointroll[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\admin\Cookies\admin@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\admin\Cookies\admin@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\admin\Cookies\admin@atdmt[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\admin\Cookies\admin@atwola[4].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\admin\Cookies\admin@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\admin\Cookies\admin@bs.serving-sys[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\admin\Cookies\admin@bs.serving-sys[3].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\admin\Cookies\admin@citi.bridgetrack[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@com[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\admin\Cookies\admin@com[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\admin\Cookies\admin@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\admin\Cookies\admin@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\admin\Cookies\admin@drivecleaner[4].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\admin\Cookies\admin@drivecleaner[5].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\admin\Cookies\admin@entrepreneur[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\admin\Cookies\admin@entrepreneur[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\admin\Cookies\admin@errorsafe[2].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\admin\Cookies\admin@findwhat[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[4].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\admin\Cookies\admin@go[5].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\admin\Cookies\admin@hc2.humanclick[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\admin\Cookies\admin@hc2.humanclick[3].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\admin\Cookies\admin@landing.domainsponsor[1].txt
Spyware:Cookie/Omniture Not disinfected C:\Documents and Settings\admin\Cookies\admin@omniture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\admin\Cookies\admin@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\admin\Cookies\admin@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\admin\Cookies\admin@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\admin\Cookies\admin@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\admin\Cookies\admin@realmedia[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\admin\Cookies\admin@realmedia[3].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\admin\Cookies\admin@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\admin\Cookies\admin@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\admin\Cookies\admin@serving-sys[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\admin\Cookies\admin@serving-sys[3].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\admin\Cookies\admin@trafficmp[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\admin\Cookies\admin@trafficmp[3].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\admin\Cookies\admin@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\admin\Cookies\admin@tribalfusion[3].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\admin\Cookies\admin@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\admin\Cookies\admin@winantivirus[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\admin\Cookies\admin@winantivirus[3].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\admin\Cookies\admin@winantivirus[4].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\admin\Cookies\admin@www.burstbeacon[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\admin\Cookies\admin@www.burstbeacon[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\admin\Cookies\admin@www.systemdoctor[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\admin\Cookies\admin@www5.addfreestats[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\stevewong0228@hotmail.com\Sharing Folders\darrickim@hotmail.com\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/Psexec.B Not disinfected C:\kill\psexec.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\kill\pskill.exe
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\almispak.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\aouhpyxt.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\aqaphtoe.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bdgbolaa.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\behurxje.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\binkhdbh.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bischmfk.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\blnglrpq.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bndwuhhf.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cdwhiebs.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\crheeqfh.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dhbsdvcv.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\emxromax.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\eoiodvlq.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\eygdgaet.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ffutgukg.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fliqkshn.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\flteepui.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ggtoheaj.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\hgycykln.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\idjjlkyf.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\iteermoc.exe.vir
Adware:Adware/WebSearch Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\iuuvoqws.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ivtwsgsr.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ixeqfyok.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\jbkqqxtn.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\knjkqdch.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\koaxqelt.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\krdypujm.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lciqjlom.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lpamnakk.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\mbfowmhg.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\nariddrp.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\oroeoblc.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\qceidvhi.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\qnlxatof.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\rgktdskd.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\rkniiubm.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\roidmdos.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\scldncpi.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\swkvrxwf.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\sxrtxccw.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\tlvfckgj.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\uawtobje.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\uyuehjlu.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\vtecfemi.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\wwcpdyjo.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\xucyiwiv.exe.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\yiuhvhqw.exe.vir
Virus:Trj/Downloader.PNC Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\Z3\w0716.exe.vir
Potentially unwanted tool:Application/Psexec.B Not disinfected C:\temp\kill\psexec.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\temp\kill\pskill.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\pmnljgg.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\shjaixfh.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.msn
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:Trj/Downloader.OZB Disinfected D:\???

#8 sjpritch25

sjpritch25

  • Security Colleague
  • 893 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:42 AM

Posted 27 September 2007 - 02:52 PM

How is everything running???
Microsoft MVP Consumer Security--2007-2010

#9 steve180

steve180
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 27 September 2007 - 06:36 PM

So far, excellently. Thanks so much! :thumbsup:

#10 sjpritch25

sjpritch25

  • Security Colleague
  • 893 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:11:42 AM

Posted 27 September 2007 - 10:29 PM

You're welcome!!!! :thumbsup:

Let's remove the tools I had you download. Please delete the following files/folders:

C:\QooBox
C:\Combofix
C:\combofix.txt
C:\combofix-quarantine-files.txt


On your Desktop
ComboFix.exe


Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • If you don't have a Firewall installed, please choose from the following:
  • If you don't have an Anti-Virus installed, please download the following free program:
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
  • Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown
    Here are the links to install SiteAdvisor in Internet Explorer and Firefox.
  • Anti-Spyware Programs I Recommend:
  • For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place

Microsoft MVP Consumer Security--2007-2010
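A scripted equivalent of the cleanup and restore-point steps in the post above, added here as an example; it is not part of sjpritch25's reply. It assumes Windows PowerShell run from an elevated prompt on Windows Vista or later, where System Restore stores its points as VSS shadow copies (the post targets XP, whose System Restore does not use shadow copies, so the vssadmin loop does not apply there). The paths are the ones listed in the post; the restore-point description is an arbitrary label chosen for this example.

```powershell
# Added example, not from the forum post. Run from an elevated prompt.
# Step 1: remove the leftover removal-tool files and folders named in the post.
$leftovers = @(
    'C:\QooBox',
    'C:\Combofix',
    'C:\combofix.txt',
    'C:\combofix-quarantine-files.txt',
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'ComboFix.exe')
)
foreach ($path in $leftovers) {
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Recurse -Force
        Write-Host "Removed $path"
    }
}

# Step 2: create a fresh restore point that post-dates the cleanup.
# Windows 8 and later refuse a second point within 24 hours by default,
# so check the result before touching the old points.
$label = 'Post-cleanup baseline'   # arbitrary description chosen for this example
Checkpoint-Computer -Description $label -RestorePointType 'MODIFY_SETTINGS'

# Step 3: keep only the new point. This is the scripted counterpart of
# Cleanmgr > More Options > System Restore > Clean Up. CreationTime is a
# WMI timestamp string (yyyyMMddHHmmss...), so a plain sort is chronological.
$points = Get-ComputerRestorePoint | Sort-Object CreationTime
$newest = $points | Select-Object -Last 1
if ($newest -and $newest.Description -eq $label) {
    $older = ($points | Measure-Object).Count - 1
    # Each restore point is a shadow copy; delete the oldest one at a time,
    # stopping before the newly created point. Note that shadow copies made
    # by other software (e.g. backups) on C: are also counted by vssadmin
    # and would be removed by the same command.
    for ($i = 0; $i -lt $older; $i++) {
        vssadmin delete shadows /for=C: /oldest /quiet
    }
    Write-Host "Kept restore point '$label'; removed $older older point(s)."
} else {
    Write-Warning 'New restore point not found; old points left untouched.'
}
```

The order matters: delete the tool leftovers first so they cannot be captured in the new restore point, create the new point, and only then discard the older ones, so there is never a moment with no valid point to roll back to.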



