I Have The Lzx32.sys Virus


26 replies to this topic

#1 fried okra

  • Members
  • 28 posts

Posted 17 September 2007 - 02:48 PM

My Embarq Virus Protection and Blacklight both detect it running. Embarq fails to do anything to it. Blacklight supposedly renamed it, but it re-appeared after re-boot.

FYI - The only other programs I use for detection are the Microsoft Malicious Software Removal Tool, which currently finds nothing, and XoftSpySE v4.33, which continually finds three Virus.Win32.Delf.ak.
It quarantines them, but they continue to return.
I read the intro to posting a HijackThis log, but didn't download or run any of the programs recommended there because I didn't know if they would conflict with my current protection programs.

Here's my Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:29 PM, on 9/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsrw.exe
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
C:\PROGRA~1\EMBARQ~1\ANTI-S~1\fsaw.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.dogpile.com
O2 - BHO: (no name) - {98F75795-23F3-4A1C-AB07-B11CC171CF57} - c:\windows\system32\gbtturem.dll
O2 - BHO: (no name) - {ABF9012A-A781-414C-8A31-EC60DE747717} - c:\windows\system32\zpnebtjv.dll
O2 - BHO: (no name) - {DE0F3C39-7F4D-4CE8-BF34-DED070B09A58} - c:\windows\system32\ijdaijd.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Protection Tools\smmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Protection Tools\bpmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configure 32] msgconfigre.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C8E869C0-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{C8E869C0-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000341 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Configure 32] msgconfigre.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C8E869C0-07C9-1033-1217-020409200001}] "C:\Program Files\Common Files\{C8E869C0-07C9-1033-1217-020409200001}\Update.exe" te-110-12-0000341 (User 'Default user')
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\ijdaijd.dll
O22 - SharedTaskScheduler: (no name) - {951a98d0-dad6-4a77-8280-a494279a884b} - (no file)
O22 - SharedTaskScheduler: antiforeigner - {ede8bed5-92cf-4482-8f51-a01cd9b3ea37} - C:\WINDOWS\System32\egzcqg.dll (file missing)
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\Jenny\ie_updater.exe (file missing)
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 7077 bytes
Arguing on the internet is like trying to blow out a light bulb!!!
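The log above is the kind of thing the helpers in this forum read by eye: unnamed BHOs pointing at randomly named DLLs in system32, Run entries that execute under the SYSTEM account with no path, Winlogon Notify packages with nonsense names, and services or scheduler entries whose target file is missing. As an added example (not part of this thread, and not how the BleepingComputer team or HijackThis itself works), the Python below applies those same heuristics to a constructed handful of HijackThis v2 lines modelled on the quoted format. The function names `triage_line` and `triage` and the "random-looking DLL name" rule are assumptions made for this illustration; they flag candidates for a human to review, not verdicts.

```python
import re

# Constructed sample: a few HijackThis v2 lines in the format quoted in this
# thread (a hand-picked subset plus one made-up benign BHO with a placeholder
# GUID; this is not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {98F75795-23F3-4A1C-AB07-B11CC171CF57} - c:\windows\system32\gbtturem.dll
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Protection Tools\bpmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configure 32] msgconfigre.exe (User 'SYSTEM')
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\ijdaijd.dll
O22 - SharedTaskScheduler: antiforeigner - {ede8bed5-92cf-4482-8f51-a01cd9b3ea37} - C:\WINDOWS\System32\egzcqg.dll (file missing)
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\Jenny\ie_updater.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Heuristic (an assumption for this example): 6-10 lowercase letters and nothing
# else, e.g. gbtturem.dll or ijdaijd.dll, is the naming style seen in this log.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,10}\.dll$")
# Pull the file name out of a path under the Windows system32 directory.
SYSTEM32_RE = re.compile(r"\\(?:windows|winnt)\\system32\\([^\\\s]+)", re.IGNORECASE)


def _system32_file(body):
    m = SYSTEM32_RE.search(body)
    return m.group(1).lower() if m else None


def triage_line(line):
    """Return (section, reasons) if the line matches a suspicious pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    # Autostart entries whose target no longer exists are leftovers worth noting.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("dangling autostart entry (target file missing)")
    # Browser Helper Object with no name, loading a random-looking DLL from system32.
    if sec == "O2" and body.startswith("BHO: (no name)"):
        dll = _system32_file(body)
        if dll and RANDOM_DLL_RE.match(dll):
            reasons.append(f"unnamed BHO loading random-looking DLL {dll} from system32")
    if sec == "O4":
        # The Explorer policy Run key is rarely used by legitimate installers.
        if "Policies\\Explorer\\Run" in body:
            reasons.append("autorun via Explorer policy key")
        # A bare executable name (no path) running in the SYSTEM or default profile.
        target = body.split("] ", 1)[-1]
        if ("(User 'SYSTEM')" in body or "(User 'Default user')" in body) and "\\" not in target:
            reasons.append("SYSTEM/default-profile autorun with bare filename (no path)")
    # Winlogon Notify packages load into winlogon.exe; random names are a red flag.
    if sec == "O20":
        dll = _system32_file(body)
        if dll and RANDOM_DLL_RE.match(dll):
            reasons.append(f"Winlogon Notify package {dll} with random-looking name")
    # Services should normally carry a vendor string.
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor/owner information")
    return (sec, "; ".join(reasons)) if reasons else None


def triage(text):
    """Run triage_line over a whole log and return the flagged (section, reasons) pairs."""
    results = []
    for line in text.strip().splitlines():
        hit = triage_line(line)
        if hit:
            results.append(hit)
    return results


if __name__ == "__main__":
    for sec, why in triage(SAMPLE_LOG):
        print(f"{sec}: {why}")
```

Run on the sample, six of the nine lines are flagged (the two benign entries and the plain HKLM Run entry pass). The rules are deliberately narrow so that they stay readable; a real triage would also carry an allowlist of known-good file names and vendors.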


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 04:51 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, fried okra :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

*NOTE*
If you have previously downloaded ComboFix, please delete that version and download it again from below.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 fried okra

  • Topic Starter

  • Members
  • 28 posts

Posted 18 September 2007 - 11:17 AM

Thanks for your response, RichieUK.
Should I delete the ComboFix program when we're done, and if so, how?
Here's the ComboFix log:



ComboFix 07-09-18.4 - "brent" 2007-09-18 11:50:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.102 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{38E86~1
C:\Program Files\Common Files\{38E86~2
C:\Program Files\Common Files\{C8E86~1
C:\Program Files\Common Files\{C8E86~2
C:\Program Files\Microsoft Security Adviser
C:\Program Files\newdotnet
C:\Program Files\newdotnet\newdotnet6_38.dll
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall6_38.exe
C:\Program Files\protection tools
C:\Program Files\safety bar
C:\Program Files\safety bar\Uninstall.bat
c:\RECYCLER\Q678341.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\components
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\zkcdjxxw.sys
C:\WINDOWS\system32\ijdaijd.dll
C:\WINDOWS\system32\ijdaijd.dll.bak

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_FYGAOKQX
-------\LEGACY_GYLXQLXD
-------\LEGACY_MICROSOFT_IE_UPDATER_2
-------\LEGACY_NTMLSVC
-------\LEGACY_POOF
-------\Client IP-IPX
-------\fygaokqx
-------\gylxqlxd
-------\Microsoft IE Updater_2
-------\nm


((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-18 11:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-04 18:12 68,608 --a------ C:\WINDOWS\system32\zpnebtjv.dll
2007-09-04 18:12 101,703 --a------ C:\WINDOWS\system32\gbtturem.dll
2007-09-04 17:16 <DIR> d-------- C:\Program Files\DivX
2007-08-31 21:19 <DIR> d-------- C:\Program Files\GENIUS TABLET
2007-08-31 21:18 315,392 --a------ C:\WINDOWS\SETUPX32.EXE
2007-08-31 21:17 5,120 --a------ C:\WINDOWS\system32\shell.dll
2007-08-31 19:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 19:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 19:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 19:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-31 17:41 48,640 --a------ C:\WINDOWS\system32\jyhxyrxv.dll
2007-08-31 17:40 756,224 --a------ C:\WINDOWS\system32\jcyrvhqh.dll
2007-08-31 17:40 46,592 --a------ C:\WINDOWS\system32\jjplfgmg.dll
2007-08-31 17:40 103,936 --a------ C:\WINDOWS\system32\dpwzoznd.dll
2007-08-30 14:20 <DIR> d-------- C:\!KillBox
2007-08-29 13:50 <DIR> d-------- C:\Program Files\RegistryFix082807
2007-08-27 18:56 <DIR> d-------- C:\Program Files\IMVU
2007-08-25 17:10 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-08-25 05:38 10,240 --a------ C:\sysuvcv.exe
2007-08-24 17:05 123,904 --a------ C:\WINDOWS\system32\kqdiphux.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 03:28 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\gtk-2.0
2007-09-18 02:39 --------- d-------- C:\Program Files\Trillian
2007-09-18 02:10 --------- d-------- C:\Program Files\mIRC
2007-09-11 08:47 --------- d-------- C:\Program Files\XoftSpySE
2007-09-02 13:25 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-30 23:58 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\IMVU
2007-08-22 14:58 44032 --a------ C:\WINDOWS\system32\jjplfgmg.gggdll
2007-08-07 17:18 7456 --a------ C:\gerta.exe
2007-07-27 16:53 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Corel
2007-07-26 16:13 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\SecondLife
2007-07-26 16:05 --------- d-------- C:\Program Files\SecondLife
2007-07-26 15:35 --------- d-------- C:\Program Files\Diablo II
2007-07-22 17:23 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-22 17:23 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-22 17:23 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-22 13:10 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Yahoo!
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-20 10:55 --------- d-------- C:\Program Files\Yahoo!
2007-02-11 06:24 26344024 --a------ C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 04:48 1025312 --a------ C:\Program Files\AOEPATCH.exe
2004-10-13 13:17 40662 --a------ C:\Program Files\readermain.htm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABF9012A-A781-414C-8A31-EC60DE747717}]
2007-09-14 18:40 68608 --a------ c:\windows\system32\zpnebtjv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 16:41]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.exe" [2005-10-18 04:29]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 05:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 03:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-12-08 15:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Configure 32"=msgconfigre.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EMBARQ Online Security.lnk - C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe [2007-03-24 19:36:23]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 19:10:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ede8bed5-92cf-4482-8f51-a01cd9b3ea37}"= C:\WINDOWS\System32\egzcqg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csnkr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\System32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 BackWeb Plug-in - 7211241;EMBARQ Online Security;C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys
S3 Tablet2k;Serial Tablet Port Driver;"C:\WINDOWS\System32\Drivers\Tablet2k.sys"
S3 TClass2k;Tablet Class Driver;C:\WINDOWS\System32\DRIVERS\TClass2k.sys
S3 UCTblHid;HID Tablet Port Driver;C:\WINDOWS\System32\DRIVERS\UCTblHid.sys

*Newly Created Service* - GYLXQLXD
.
Contents of the 'Scheduled Tasks' folder
"2007-09-18 00:02:55 C:\WINDOWS\Tasks\Scheduled scanning task.job"
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2007-09-18 15:32:32 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-15 07:22:55 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 11:58:37
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32:lzx32.sys 55004 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-18 12:05:38 - machine was rebooted



Here's the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:33 PM, on 9/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsrw.exe
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\EMBARQ~1\ANTI-S~1\fsaw.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: (no name) - {ABF9012A-A781-414C-8A31-EC60DE747717} - c:\windows\system32\zpnebtjv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Configure 32] msgconfigre.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Configure 32] msgconfigre.exe (User 'Default user')
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O22 - SharedTaskScheduler: (no name) - {951a98d0-dad6-4a77-8280-a494279a884b} - (no file)
O22 - SharedTaskScheduler: antiforeigner - {ede8bed5-92cf-4482-8f51-a01cd9b3ea37} - C:\WINDOWS\System32\egzcqg.dll (file missing)
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 5945 bytes
Arguing on the internet is like trying to blow out a light bulb!!!
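The catchme section of the ComboFix log above is the part that actually explains the thread title: the only hidden file it reports is `C:\WINDOWS\system32:lzx32.sys`, and the colon after `system32` is NTFS alternate-data-stream notation, meaning the driver is stored as a stream attached to the system32 directory rather than as a normal file in it, which is why ordinary directory listings and the poster's antivirus kept missing it. As an added example (not from this thread, and not how catchme or ComboFix are implemented), the Python below parses that section, recognises the `host:stream` form, and cross-checks the parsed entries against the `hidden files:` count the tool prints. The sample text reuses the real lines quoted in the post plus one constructed non-ADS entry whose exact output format is an assumption; `parse_catchme`, `split_ads` and `assess` are names chosen for this illustration.

```python
import re

# Sample catchme output: the header and the lzx32.sys line are quoted from the
# thread; the second hidden-file line and the count of 2 are constructed for
# the example (the trailing "executable" tag is assumed to be optional).
CATCHME_SAMPLE = r"""
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 11:58:37
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32:lzx32.sys 55004 bytes executable
C:\WINDOWS\system32\drivers\example_hidden.sys 12288 bytes

scan completed successfully
hidden files: 2
"""

# One hidden-file entry: "<path> <size> bytes[ executable]".
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?P<rest>.*)$")
COUNT_RE = re.compile(r"^hidden files: (?P<n>\d+)$")


def split_ads(path):
    """Return (host, stream) for an NTFS alternate data stream path, else (path, None).

    The drive-letter colon sits at index 1; any later colon separates the host
    file or directory from the stream name, e.g. C:\WINDOWS\system32:lzx32.sys.
    """
    colon = path.find(":", 2)
    if colon == -1:
        return path, None
    return path[:colon], path[colon + 1:]


def parse_catchme(text):
    """Parse the hidden-files block of a catchme report into a dict of entries."""
    files, reported, in_files = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            in_files = True
            continue
        if line.startswith("scan completed"):
            in_files = False
        m = COUNT_RE.match(line)
        if m:
            reported = int(m.group("n"))
            continue
        m = ENTRY_RE.match(line) if in_files else None
        if not m:
            continue
        host, stream = split_ads(m.group("path"))
        files.append({
            "path": m.group("path"),
            "size": int(m.group("size")),
            "executable": "executable" in m.group("rest"),
            "ads_host": host if stream else None,
            "stream": stream,
        })
    return {"files": files, "reported": reported}


def assess(report):
    """Turn parsed entries into plain-language findings for the person reading the log."""
    findings = []
    for f in report["files"]:
        if f["stream"] and f["executable"]:
            findings.append(f"executable hidden in alternate data stream '{f['stream']}' "
                            f"of {f['ads_host']} ({f['size']} bytes)")
        elif f["stream"]:
            findings.append(f"hidden data stream '{f['stream']}' on {f['ads_host']}")
        else:
            findings.append(f"hidden file {f['path']} ({f['size']} bytes)")
    # The tool prints its own count; a mismatch means the block was truncated or misparsed.
    reported, found = report["reported"], len(report["files"])
    if reported is not None and reported != found:
        findings.append(f"catchme reported {reported} hidden file(s) but {found} entries were parsed")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_catchme(CATCHME_SAMPLE)):
        print(finding)
```

The point of separating host and stream is practical: the file cannot be deleted by deleting `lzx32.sys` from the directory, because no such directory entry exists; the stream lives on the `system32` directory object itself, which is why the helper reaches for a dedicated Rustock.b removal tool in the next post rather than a plain file deletion.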

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 September 2007 - 03:35 PM

Download rustbfix.exe and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will be asked to reboot the computer.
The reboot will probably take quite a while, and possibly two reboots will be needed; this should happen automatically.
After the reboot two logfiles will/should open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the contents of those logfiles into your next reply.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\sysuvcv.exe
C:\gerta.exe
C:\WINDOWS\system32\zpnebtjv.dll
C:\WINDOWS\system32\gbtturem.dll
C:\WINDOWS\system32\jyhxyrxv.dll
C:\WINDOWS\system32\jcyrvhqh.dll
C:\WINDOWS\system32\jjplfgmg.dll
C:\WINDOWS\system32\dpwzoznd.dll
C:\WINDOWS\system32\kqdiphux.dll

Folder::
C:\WINDOWS\system32\jjplfgmg.gggdll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABF9012A-A781-414C-8A31-EC60DE747717}]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Configure 32"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ede8bed5-92cf-4482-8f51-a01cd9b3ea37}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 fried okra

  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2007 - 12:01 PM

Here's the rustbfix log:

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Wed 09/19/2007 12:31:49.65

No Rustock.b-rootkits found

******************************* End of Logfile ********************************



Here's the ComboFix log:

ComboFix 07-09-18.4 - "brent" 2007-09-19 12:38:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.76 [GMT -4:00]
* Created a new restore point

FILE::
C:\sysuvcv.exe
C:\gerta.exe
C:\WINDOWS\system32\zpnebtjv.dll
C:\WINDOWS\system32\gbtturem.dll
C:\WINDOWS\system32\jyhxyrxv.dll
C:\WINDOWS\system32\jcyrvhqh.dll
C:\WINDOWS\system32\jjplfgmg.dll
C:\WINDOWS\system32\dpwzoznd.dll
C:\WINDOWS\system32\kqdiphux.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\gerta.exe
C:\sysuvcv.exe
C:\WINDOWS\system32\dpwzoznd.dll
C:\WINDOWS\system32\gbtturem.dll
C:\WINDOWS\system32\jcyrvhqh.dll
C:\WINDOWS\system32\jjplfgmg.dll
C:\WINDOWS\system32\jjplfgmg.gggdll\
C:\WINDOWS\system32\jyhxyrxv.dll
C:\WINDOWS\system32\kqdiphux.dll
C:\WINDOWS\system32\zpnebtjv.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 12:31 <DIR> d-------- C:\Rustbfix
2007-09-18 14:44 83,968 --a------ C:\WINDOWS\system32\adsldpcv.dll
2007-09-18 14:43 88,064 --a------ C:\WINDOWS\system32\comuidt.dll
2007-09-18 14:42 57,856 --a------ C:\WINDOWS\system32\cscdll(3.dll
2007-09-18 11:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-04 17:16 <DIR> d-------- C:\Program Files\DivX
2007-08-31 21:19 <DIR> d-------- C:\Program Files\GENIUS TABLET
2007-08-31 21:18 315,392 --a------ C:\WINDOWS\SETUPX32.EXE
2007-08-31 21:17 5,120 --a------ C:\WINDOWS\system32\shell.dll
2007-08-31 19:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 19:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 19:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 19:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-30 14:20 <DIR> d-------- C:\!KillBox
2007-08-29 13:50 <DIR> d-------- C:\Program Files\RegistryFix082807
2007-08-27 18:56 <DIR> d-------- C:\Program Files\IMVU
2007-08-25 17:10 147,729 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 00:46 --------- d-------- C:\Program Files\mIRC
2007-09-18 23:39 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\gtk-2.0
2007-09-18 02:39 --------- d-------- C:\Program Files\Trillian
2007-09-11 08:47 --------- d-------- C:\Program Files\XoftSpySE
2007-09-02 13:25 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-30 23:58 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\IMVU
2007-08-22 14:58 44032 --a------ C:\WINDOWS\system32\jjplfgmg.gggdll
2007-07-27 16:53 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Corel
2007-07-26 16:13 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\SecondLife
2007-07-26 16:05 --------- d-------- C:\Program Files\SecondLife
2007-07-26 15:35 --------- d-------- C:\Program Files\Diablo II
2007-07-22 17:23 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-22 17:23 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-22 17:23 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-22 13:10 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Yahoo!
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-20 10:55 --------- d-------- C:\Program Files\Yahoo!
2007-02-11 06:24 26344024 --a------ C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 04:48 1025312 --a------ C:\Program Files\AOEPATCH.exe
2004-10-13 13:17 40662 --a------ C:\Program Files\readermain.htm
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_120419.25 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2007-09-19 16:36:35 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-19 15:40:35 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-19 15:40:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-19 15:40:35 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 253,952 2007-09-18 15:49:28 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9239D120-A43A-46F7-9647-AF5D46B56035}]
2004-03-05 22:16 88064 --a------ C:\WINDOWS\System32\comuidt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9FFB559-458B-496E-9052-EF4E1BCB991B}]
2002-09-03 12:27 83968 --a------ c:\windows\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 16:41]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.exe" [2005-10-18 04:29]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 05:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 03:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-12-08 15:51]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EMBARQ Online Security.lnk - C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe [2007-03-24 19:36:23]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 19:10:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qhccholv]
adsldpcv.dll 2002-09-03 12:27 83968 C:\WINDOWS\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\System32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 BackWeb Plug-in - 7211241;EMBARQ Online Security;C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys
R2 fygaokqx;Serenum Filter Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys
S3 Tablet2k;Serial Tablet Port Driver;"C:\WINDOWS\System32\Drivers\Tablet2k.sys"
S3 TClass2k;Tablet Class Driver;C:\WINDOWS\System32\DRIVERS\TClass2k.sys
S3 UCTblHid;HID Tablet Port Driver;C:\WINDOWS\System32\DRIVERS\UCTblHid.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fygaokqx

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 00:02:17 C:\WINDOWS\Tasks\Scheduled scanning task.job"
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2007-09-19 16:47:36 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-15 07:22:55 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 12:45:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 12:51:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 12:51
C:\ComboFix2.txt ... 2007-09-18 12:05
.
--- E O F ---

Here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:45 PM, on 9/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsrw.exe
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\EMBARQ~1\ANTI-S~1\fsaw.exe
C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\drwtsn32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: (no name) - {9239D120-A43A-46F7-9647-AF5D46B56035} - C:\WINDOWS\System32\comuidt.dll
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O22 - SharedTaskScheduler: (no name) - {951a98d0-dad6-4a77-8280-a494279a884b} - (no file)
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 5836 bytes
Arguing on the internet is like trying to blow out a light bulb!!!

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:57 AM

Posted 19 September 2007 - 04:09 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\adsldpcv.dll
C:\WINDOWS\System32\comuidt.dll
C:\WINDOWS\system32\jjplfgmg.gggdll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {9239D120-A43A-46F7-9647-AF5D46B56035} - C:\WINDOWS\System32\comuidt.dll
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O22 - SharedTaskScheduler: (no name) - {951a98d0-dad6-4a77-8280-a494279a884b} - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log and let me know how your PC is running now.

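The entries the helper singles out above (unnamed O2 BHOs in system32, an O15 Trusted IP range, a random-named O20 Winlogon Notify handler, an O22 entry with no file) can be picked out of a HijackThis log mechanically; the script below is an added example, not part of this thread or of HijackThis. It parses the lines quoted from the posted log and flags the same patterns; the allowlist of stock XP Winlogon Notify names is a constructed, partial assumption.

```python
"""Triage the HijackThis entry classes called out in this thread.

Added example; not part of the thread or of HijackThis. The sample log
lines are quoted from the log posted above; KNOWN_NOTIFY is a constructed,
partial allowlist of stock Windows XP Winlogon Notify handlers.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section description clsid path raw")

# Excerpt of the HijackThis v2.0.2 log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9239D120-A43A-46F7-9647-AF5D46B56035} - C:\WINDOWS\System32\comuidt.dll
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: (no name) - {951a98d0-dad6-4a77-8280-a494279a884b} - (no file)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed, partial allowlist (lower-case) of Winlogon Notify subkeys that
# ship with Windows XP; anything else deserves a second look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt_line(line):
    """Split one HijackThis line into section, description, CLSID and path.

    Returns None for lines that are not HijackThis entries (headers, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    # HijackThis joins fields with " - "; the last field is the file path (if any).
    parts = [p.strip() for p in body.split(" - ")]
    path = parts[-1] if len(parts) > 1 else ""
    return Entry(section, parts[0], clsid, path, line.strip())


def looks_random(name):
    """Heuristic for machine-generated subkey names such as 'qhccholv':
    6-12 lower-case letters with fewer than a quarter of them vowels."""
    if not re.fullmatch(r"[a-z]{6,12}", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels * 4 < len(name)


def triage(log_text):
    """Return (entry, reason) pairs for the entry classes fixed in this thread."""
    findings = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is None:
            continue
        reason = None
        in_system32 = "system32" in e.path.lower()
        if e.section == "O2" and "(no name)" in e.description and in_system32:
            reason = "unnamed Browser Helper Object loading a DLL from system32"
        elif e.section == "O15" and e.description.startswith("Trusted IP range"):
            reason = "bare IP address added to the IE Trusted Zone"
        elif e.section == "O20":
            # The subkey name follows "Winlogon Notify:"
            name = e.description.split(":", 1)[-1].strip()
            if name.lower() not in KNOWN_NOTIFY and (looks_random(name) or in_system32):
                reason = "non-stock Winlogon Notify handler %r" % name
        elif e.section == "O22" and e.path == "(no file)":
            reason = "SharedTaskScheduler entry whose DLL is missing (orphaned CLSID)"
        if reason:
            findings.append((e, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%s: %s\n    %s" % (entry.section, reason, entry.raw))
```

Run against the sample it reports exactly the five entries the helper asked to have fixed and leaves the SUPERAntiSpyware, QuickTime and iPod lines alone.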

#7 fried okra
  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 20 September 2007 - 01:18 PM

I've run into a problem. I've performed the first part of your instructions, with OTMoveIt, but when I try to install the 'SuperAntiSpyware Home Edition Free Version' I receive this error message: "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance." I'm not running in safe mode so I'm assuming the Windows Installer is not installed correctly. What should I do??
(FYI - I'm running Windows XP Service Pack 1, because every time I've tried to install Service Pack 2 it caused my computer to malfunction and/or it would not install correctly, so I left it as it is with Service Pack 1. Don't know if this is the problem or not with the Windows Installer.)

#8 fried okra
  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 20 September 2007 - 04:27 PM

Ok, I sorta fixed the Windows Installer problem. Downloaded a newer version, but it still wouldn't work. So I went to Computer Management, opened up Services and started the service manually, then I was able to download and install the 'SuperAntiSpyware Home Edition Free Version'.

I didn't know if I needed to run the OTMoveIt software again, so I proceeded to the HijackThis and Anti-Spyware instructions. Here are the results, and yes, my computer seems to be running better now.


OTM log:

C:\WINDOWS\system32\adsldpcv.dll NOT unregistered.
C:\WINDOWS\system32\adsldpcv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\comuidt.dll
C:\WINDOWS\System32\comuidt.dll NOT unregistered.
C:\WINDOWS\System32\comuidt.dll moved successfully.
C:\WINDOWS\system32\jjplfgmg.gggdll moved successfully.

Created on 09/20/2007 14:00:17

-------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/20/2007 at 04:54 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:22:32

Memory items scanned : 154
Memory threats detected : 0
Registry items scanned : 4310
Registry threats detected : 29
File items scanned : 60688
File threats detected : 28

Adware.CoolWebSearch
HKLM\Software\Classes\CLSID\{211C1BE1-3190-436D-8EDD-D93EA34D0D87}
HKCR\CLSID\{211C1BE1-3190-436D-8EDD-D93EA34D0D87}
HKCR\CLSID\{211C1BE1-3190-436D-8EDD-D93EA34D0D87}\InprocServer32
HKCR\CLSID\{211C1BE1-3190-436D-8EDD-D93EA34D0D87}\InprocServer32#pvt_AdvertisingData
C:\WINDOWS\SYSTEM32\WLDR.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6AB04E20-C7FB-1976-45F0-4507AA485E64}
HKCR\CLSID\{6AB04E20-C7FB-1976-45F0-4507AA485E64}
HKCR\CLSID\{6AB04E20-C7FB-1976-45F0-4507AA485E64}\Data

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{ede8bed5-92cf-4482-8f51-a01cd9b3ea37}
HKCR\CLSID\{EDE8BED5-92CF-4482-8F51-A01CD9B3EA37}
HKCR\CLSID\{EDE8BED5-92CF-4482-8F51-A01CD9B3EA37}\InProcServer32
HKCR\CLSID\{EDE8BED5-92CF-4482-8F51-A01CD9B3EA37}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\EGZCQG.DLL

Parasite.CoolWebSearch Variant
HKLM\Software\Classes\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}
HKCR\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}
HKCR\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}\Data

Trojan.Downloader-IBM/Shell
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#DeviceDesc

Trojan.Media-Codec/V2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Protection Volume
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Protection Volume#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Protection Volume#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Messenger
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Messenger#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Messenger#UninstallString

Adware.Tracking Cookie
C:\Documents and Settings\brendan\cookies\brent@ad.yieldmanager[2].txt
C:\Documents and Settings\brendan\cookies\brent@adopt.specificclick[2].txt
C:\Documents and Settings\brendan\cookies\brent@adrevolver[2].txt
C:\Documents and Settings\brendan\cookies\brent@adserver[2].txt
C:\Documents and Settings\brendan\cookies\brent@advertising[1].txt
C:\Documents and Settings\brendan\cookies\brent@atdmt[2].txt
C:\Documents and Settings\brendan\cookies\brent@burstnet[1].txt
C:\Documents and Settings\brendan\cookies\brent@doubleclick[1].txt
C:\Documents and Settings\brendan\cookies\brent@edge.ru4[1].txt
C:\Documents and Settings\brendan\cookies\brent@fastclick[1].txt
C:\Documents and Settings\brendan\cookies\brent@media.adrevolver[2].txt
C:\Documents and Settings\brendan\cookies\brent@questionmarket[2].txt
C:\Documents and Settings\brendan\cookies\brent@realmedia[1].txt
C:\Documents and Settings\brendan\cookies\brent@revsci[1].txt
C:\Documents and Settings\brendan\cookies\brent@tribalfusion[1].txt
C:\Documents and Settings\brendan\cookies\brent@zedo[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@ads.adbrite[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@anad.tacoda[2].txt
C:\Documents and Settings\Jenny\Cookies\jenny@itxt.vibrantmedia[1].txt
C:\Documents and Settings\Jenny\Cookies\jenny@stats[1].txt

Adware.Accoona
C:\PROGRAM FILES\FILESUBMIT\EGYPTIAN CHAR\ATOOLBAR400005.EXE

Trojan.NewDotNet-Installer
C:\PROGRAM FILES\THEMEXP\NNWDAB638.EXE

Adware.WhenU
C:\PROGRAM FILES\THEMEXP\VVSNINST.EXE

Trojan.NewDotNet
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\NEWDOTNET6_38.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\UNINSTALL6_38.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL6_38.EXE.VIR

---------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:41 PM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 4107 bytes

#9 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:57 AM

Posted 20 September 2007 - 05:32 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
c:\windows\system32\adsldpcv.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.


Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new HijackThis log please.

#10 fried okra
  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 20 September 2007 - 06:37 PM

ComboFix 07-09-18.4 - "brent" 2007-09-20 19:21:42.3 - NTFSx86
.

((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 15:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-20 15:21 <DIR> d-------- C:\DOCUME~1\brent\APPLIC~1\SUPERAntiSpyware.com
2007-09-20 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-20 14:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 12:31 <DIR> d-------- C:\Rustbfix
2007-09-18 14:44 83,968 --------- C:\WINDOWS\system32\adsldpcv.dll
2007-09-18 14:42 57,856 --a------ C:\WINDOWS\system32\cscdll(3.dll
2007-09-18 11:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-04 17:16 <DIR> d-------- C:\Program Files\DivX
2007-08-31 21:19 <DIR> d-------- C:\Program Files\GENIUS TABLET
2007-08-31 21:18 315,392 --a------ C:\WINDOWS\SETUPX32.EXE
2007-08-31 21:17 5,120 --a------ C:\WINDOWS\system32\shell.dll
2007-08-31 19:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 19:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 19:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 19:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-30 14:20 <DIR> d-------- C:\!KillBox
2007-08-29 13:50 <DIR> d-------- C:\Program Files\RegistryFix082807
2007-08-27 18:56 <DIR> d-------- C:\Program Files\IMVU
2007-08-25 17:10 147,729 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 03:29 --------- d-------- C:\Program Files\Trillian
2007-09-20 01:40 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\gtk-2.0
2007-09-20 00:26 --------- d-------- C:\Program Files\mIRC
2007-09-11 08:47 --------- d-------- C:\Program Files\XoftSpySE
2007-09-02 13:25 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-30 23:58 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\IMVU
2007-07-27 16:53 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Corel
2007-07-26 16:13 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\SecondLife
2007-07-26 16:05 --------- d-------- C:\Program Files\SecondLife
2007-07-26 15:35 --------- d-------- C:\Program Files\Diablo II
2007-07-22 17:23 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-22 17:23 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-22 17:23 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-22 13:10 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Yahoo!
2007-07-20 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-20 10:55 --------- d-------- C:\Program Files\Yahoo!
2007-02-11 06:24 26344024 --a------ C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 04:48 1025312 --a------ C:\Program Files\AOEPATCH.exe
2004-10-13 13:17 40662 --a------ C:\Program Files\readermain.htm
.

((((((((((((((((((((((((((((( snapshot_2007-09-18_120419.25 )))))))))))))))))))))))))))))))))))))))))
.
-c----w 2,086,400 2002-09-03 16:44:53 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msi.dll
-c----w 64,512 2002-09-03 16:44:56 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe
-c----w 305,664 2002-09-03 16:44:57 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msihnd.dll
-c----w 847,872 2002-09-03 16:44:59 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msimsg.dll
-c----w 39,936 2002-09-03 16:45:05 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msisip.dll
-c----w 209,632 2005-05-04 18:45:26 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
-c----w 371,936 2005-05-04 18:45:28 C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
----a-r 29,696 2007-09-20 19:21:43 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 18,944 2007-09-20 19:21:43 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 65,024 2007-09-20 19:21:43 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
----a-w 2,890,240 2005-05-04 18:45:32 C:\WINDOWS\system32\msi.dll
----a-w 78,848 2005-05-04 18:45:36 C:\WINDOWS\system32\msiexec.exe
----a-w 271,360 2005-05-04 18:45:36 C:\WINDOWS\system32\msihnd.dll
----a-w 884,736 2005-05-04 18:45:36 C:\WINDOWS\system32\msimsg.dll
----a-w 15,360 2005-05-04 18:45:36 C:\WINDOWS\system32\msisip.dll
----a-w 253,952 2007-09-20 23:21:35 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-20 10:26:29 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-20 10:26:29 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-20 10:26:29 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 2,890,240 2005-05-04 18:45:32 C:\WINDOWS\system32\dllcache\msi.dll
-c--a-w 78,848 2005-05-04 18:45:36 C:\WINDOWS\system32\dllcache\msiexec.exe
-c--a-w 271,360 2005-05-04 18:45:36 C:\WINDOWS\system32\dllcache\msihnd.dll
-c--a-w 884,736 2005-05-04 18:45:36 C:\WINDOWS\system32\dllcache\msimsg.dll
-c--a-w 15,360 2005-05-04 18:45:36 C:\WINDOWS\system32\dllcache\msisip.dll
.
----a-w 2,086,400 2002-09-03 16:44:53 C:\WINDOWS\system32\msi.dll
----a-w 64,512 2002-09-03 16:44:56 C:\WINDOWS\system32\msiexec.exe
----a-w 305,664 2002-09-03 16:44:57 C:\WINDOWS\system32\msihnd.dll
----a-w 847,872 2002-09-03 16:44:59 C:\WINDOWS\system32\msimsg.dll
----a-w 39,936 2002-09-03 16:45:05 C:\WINDOWS\system32\msisip.dll
----a-w 253,952 2007-09-18 15:49:28 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 49,152 2007-09-18 15:30:05 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 2,086,400 2002-09-03 16:44:53 C:\WINDOWS\system32\dllcache\msi.dll
-c--a-w 64,512 2002-09-03 16:44:56 C:\WINDOWS\system32\dllcache\msiexec.exe
-c--a-w 305,664 2002-09-03 16:44:57 C:\WINDOWS\system32\dllcache\msihnd.dll
-c--a-w 847,872 2002-09-03 16:44:59 C:\WINDOWS\system32\dllcache\msimsg.dll
-c--a-w 39,936 2002-09-03 16:45:05 C:\WINDOWS\system32\dllcache\msisip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9FFB559-458B-496E-9052-EF4E1BCB991B}]
2007-09-20 14:00 83968 --------- c:\windows\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 16:41]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.exe" [2005-10-18 04:29]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 05:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 03:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-12-08 15:51]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EMBARQ Online Security.lnk - C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe [2007-03-24 19:36:23]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 19:10:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qhccholv]
adsldpcv.dll 2007-09-20 14:00 83968 C:\WINDOWS\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fygaokqx

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 00:02:14 C:\WINDOWS\Tasks\Scheduled scanning task.job"
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2007-09-20 21:11:36 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-15 07:22:55 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 19:25:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-20 19:30:39
C:\ComboFix-quarantined-files.txt ... 2007-09-20 19:30
C:\ComboFix2.txt ... 2007-09-19 12:51
C:\ComboFix3.txt ... 2007-09-18 12:05
.
--- E O F ---
------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:13 PM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsrw.exe
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
C:\PROGRA~1\EMBARQ~1\ANTI-S~1\fsaw.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-21-484763869-261903793-1801674531-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-261903793-1801674531-1004\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 6213 bytes
Arguing on the internet is like trying to blow out a light bulb!!!
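The HijackThis log above is the kind of listing the helpers in this thread read by eye: a BHO registered with no name, an O20 Winlogon Notify entry under a random-looking key (qhccholv), and the same adsldpcv.dll sitting behind both, which is why the file keeps coming back after it is deleted. As an added example (not code from HijackThis, ComboFix or anyone posting in this thread), the Python below parses a handful of lines copied from that log and applies those checks mechanically. The entry layouts it assumes and the 30% vowel threshold for "machine-generated" names are my own heuristics, not a documented format.

```python
"""Triage heuristics for HijackThis-style log entries.

Added example for the thread above; not code from HijackThis, ComboFix or
any of the helpers.  It parses the O2 / O15 / O20 entry formats seen in the
log and flags the entries a responder would look at first.  SAMPLE_LOG is a
constructed excerpt of lines copied from the log above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: seven lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section the entry came from ("*" for cross-entry findings)
    line: str    # the flagged log line, or the DLL path for cross-entry findings
    reason: str  # why it was flagged


ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# A DOS path ending in .dll; non-greedy so it stops at the first ".dll".
DLL_RE = re.compile(r"[a-z]:\\.+?\.dll\b", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: 6+ lowercase letters, under 30% vowels.

    Assumed threshold; it is a prioritisation aid only and some legitimate
    short key names trip it too.
    """
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.3


def parse_entries(log_text: str):
    """Yield (section code, body, full line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text: str) -> list:
    """Return the entries a responder should examine first, in log order."""
    findings = []
    load_points = defaultdict(set)  # lower-cased DLL path -> section codes that load it

    for code, body, line in parse_entries(log_text):
        for dll in DLL_RE.findall(body):
            load_points[dll.lower()].add(code)

        if code == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(code, line, "browser helper object registered without a name"))
        elif code == "O15" and body.startswith("Trusted IP range:"):
            findings.append(Finding(code, line, "raw IP address placed in the IE Trusted zone"))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            # Body layout: "Winlogon Notify: <key name> - <dll path>"
            key_name = body[len("Winlogon Notify:"):].strip().partition(" - ")[0]
            if looks_random(key_name):
                findings.append(Finding(code, line, f"Winlogon Notify key {key_name!r} looks machine-generated"))

    # One DLL registered under two different autostart mechanisms (here a BHO
    # and a Winlogon Notify handler) gets reloaded from whichever survives,
    # which is why deleting the file alone does not keep it gone.
    for dll, codes in load_points.items():
        if len(codes) > 1:
            findings.append(Finding("*", dll, f"same DLL loaded from {sorted(codes)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the sample it reports four findings in log order: the nameless BHO, the trusted IP range, the qhccholv notify key, and adsldpcv.dll loaded from both O2 and O20. The name heuristic only orders the work; every hit still gets checked against the file's publisher and the ComboFix and F-Secure results, as the helpers do above.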

#11 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 September 2007 - 06:14 AM

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole system
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the Activescan report into your next reply.

#12 fried okra

  • Topic Starter

  • Members
  • 28 posts

Posted 22 September 2007 - 10:23 PM

F-Secure scan report:

Scanning Report
Saturday, September 22, 2007 13:26:46 - 20:36:08
Computer name: HOME-H9I3MI4FZ6
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 33 malware found
Text/Accoona.A (virus)
C:\INSTALL1.LOG (Submitted)
W32/BHO.QG (virus)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\adsldpcv.dll (Submitted)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\jjplfgmg.gggdll (Submitted)
C:\WINDOWS\system32\adsldpcv.dll (Submitted)
C:\WINDOWS\system32\cscdll(3.dll (Submitted)
C:\WINDOWS\system32\gbtturem.1 (Submitted)
C:\WINDOWS\system32\kqdiphux.dll.bak
C:\qoobox\Quarantine\catchme2007-09-18_115811.10.zip\ijdaijd.dll
C:\qoobox\Quarantine\catchme2007-09-18_115811.10.zip\ijdaijd.dll.bak
C:\qoobox\Quarantine\C\WINDOWS\system32\dpwzoznd.dll.vir (Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\gbtturem.dll.vir (Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\jcyrvhqh.dll.vir (Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\jjplfgmg.dll.vir (Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\kqdiphux.dll.vir (Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\zpnebtjv.dll.vir (Submitted)
C:\Program Files\HijackThis\backups\backup-20070920-152926-494.dll (Submitted)
C:\Documents and Settings\brent\Desktop\DESKSECURITY\from system 32\kqdiphux.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070914-072734-160.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070914-072734-558.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070914-124705-327.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070914-124705-678.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070914-124705-896.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070916-030403-194.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070916-030403-409.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070916-030403-850.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070917-120228-807.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070917-120229-788.dll (Submitted)
C:\Documents and Settings\All Users\Documents\backups\backup-20070917-120229-846.dll (Submitted)
C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070819-194555-573.dll (Submitted)
C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070909-055023-115.dll (Submitted)
C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070909-055023-143.dll (Submitted)
C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070909-055023-876.dll (Submitted)
C:\!KillBox\adsldpcv.dll (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 199224
System: 4605
Not scanned: 70
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 33
Submitted: 30
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\UNWASH5.EXE
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\INSTLSP.EXE
C:\WINDOWS\SYSTEM32\PERFC009.DAT
C:\WINDOWS\SYSTEM32\PERFH009.DAT
C:\WINDOWS\SYSTEM32\SPORDER.DLL
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.TMP.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\.FILE_STORE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\SYSMAIN.SDB
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1014\DC23.EXE
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1014\DC24.EXE
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1014\DC25.EXE
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1014\DC26.EXE
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1014\DC27.EXE
C:\RECYCLER\S-1-5-21-484763869-261903793-1801674531-1005\DC1.BMP
C:\PROGRAM FILES\TRILLIAN\SKINS\171261.EXE
C:\Program Files\RegistryFix082807\RegistryFixBackup\8,29,2007_14,5,6.zip\Config.ini
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
C:\PROGRAM FILES\MY MUSIC\CRADLE OF FILTH - NYMPHETAMINE.MP3
C:\PROGRAM FILES\INSTALLSHIELD INSTALLATION INFORMATION\{BBF10B37-4ED3-11D5-A818-00500435FC18}\SETUP.ILG
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\COMMON\ADMIN.PUB
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\COMMON\POLICY.IPF
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\BACKWEB\7211241\USERS\DEFAULT\DATA\CHANDIR.DAT
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\BACKWEB\7211241\USERS\DEFAULT\DATA\L0000009.FCS
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\BACKWEB\7211241\USERS\DEFAULT\DATA\PRS.DAT
C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\BACKWEB\7211241\USERS\DEFAULT\DATA\STORYDB.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS.LOG
C:\DOCUMENTS AND SETTINGS\DEFAULT USER.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\JENNY(3)\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\JENNY(3)\LOCAL SETTINGS(2)\APPLICATION DATA(2)\ICONCACHE.DB
C:\DOCUMENTS AND SETTINGS\JENNY(3)\LOCAL SETTINGS(2)\APPLICATION DATA(2)\MICROSOFT(2)\WINDOWS(2)\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\JENNY(3)\LOCAL SETTINGS(2)\APPLICATION DATA(2)\MICROSOFT(2)\MEDIA PLAYER(2)\CURRENTDATABASE_219.WMDB
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\SECONDLIFE\CACHE\DATA.DB2.X.3159
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\SECONDLIFE\BROWSER_PROFILE\CACHE\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\SECONDLIFE\BROWSER_PROFILE\CACHE\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\SECONDLIFE\BROWSER_PROFILE\CACHE\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\QHKZKDNR.DEFAULT\BOOKMARKS-1.HTML
C:\DOCUMENTS AND SETTINGS\JENNY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\QHKZKDNR.DEFAULT\PREFS.JS
C:\DOCUMENTS AND SETTINGS\BRENT\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\BRENT\LOCAL SETTINGS\TEMP\DDQZPXWE.DLL
C:\DOCUMENTS AND SETTING

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-09-21
F-Secure AVP: 7.0.171, 2007-09-21
F-Secure Orion: 1.2.37, 2007-09-21
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-09-17
F-Secure Pegasus: 1.19.0, 2007-08-18
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------


______________________________________________________________________________________________________

ActiveScan report:

Incident Status Location

Virus:Generic Trojan Disinfected C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070819-194555-573.dll
Virus:Trj/Bho.M Disinfected C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070909-055023-143.dll
Virus:Trj/Bho.M Disinfected C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Desktop\backup-20070909-055023-876.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[.go.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[.overture.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\brent\Application Data\Mozilla\Firefox\Profiles\g6s9hi4m.default\cookies.txt[.zedo.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\brent\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.advertising.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies-36.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jenny\Application Data\Mozilla\Firefox\Profiles\qhkzkdnr.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\sheila\Application Data\Earthlink\6.0\smbarham@earthlink.net\Cookies\sheila@casalemedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sheila\Cookies\sheila@90594700[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\sheila\Cookies\sheila@www.myaffiliateprogram[1].txt
Virus:Trj/Agent.GNY Disinfected C:\Documents and Settings\sheila\Local Settings\Temp\ddqzpxwe.dll
Virus:Generic Malware Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf
Virus:Trj/Clicker.AEO Disinfected C:\qoobox\Quarantine\C\gerta.exe.vir
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\C\RECYCLER\Q678341.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Agent.GNY Disinfected C:\WINDOWS\system32\cscdll(3.dll

#13 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 September 2007 - 07:45 AM

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When the 'Confirm' box appears, click 'Yes'.
Restart your PC when prompted.

Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.

#14 fried okra

  • Topic Starter

  • Members
  • 28 posts

Posted 24 September 2007 - 02:00 PM

FYI - after I used OTMoveIt and rebooted, I had to download the ComboFix program again. For some reason it had been deleted.

-----------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 07-09-21.2 - "brent" 2007-09-24 14:44:06.4 - NTFSx86
.

((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-24 14:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 20:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-22 17:13 756,224 --a------ C:\WINDOWS\system32\jcyrvhqh.dll
2007-09-22 17:13 68,608 --a------ C:\WINDOWS\system32\zpnebtjv.dll
2007-09-22 17:13 48,640 --a------ C:\WINDOWS\system32\jyhxyrxv.dll
2007-09-22 17:13 46,592 --a------ C:\WINDOWS\system32\jjplfgmg.dll
2007-09-22 17:13 122,368 --a------ C:\WINDOWS\system32\kqdiphux.dll
2007-09-22 17:13 103,424 --a------ C:\WINDOWS\system32\dpwzoznd.dll
2007-09-22 09:35 61,440 --a------ C:\msfy.exe
2007-09-22 09:35 40,960 --a------ C:\WINDOWS\iexp.exe
2007-09-21 17:10 <DIR> d-------- C:\DOCUME~1\B\APPLIC~1\SUPERAntiSpyware.com
2007-09-20 15:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-20 15:21 <DIR> d-------- C:\DOCUME~1\brent\APPLIC~1\SUPERAntiSpyware.com
2007-09-20 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-20 14:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-18 14:44 81,408 --a------ C:\WINDOWS\system32\adsldpcv.dll
2007-09-04 17:16 <DIR> d-------- C:\Program Files\DivX
2007-08-31 21:19 <DIR> d-------- C:\Program Files\GENIUS TABLET
2007-08-31 21:18 315,392 --a------ C:\WINDOWS\SETUPX32.EXE
2007-08-31 21:17 5,120 --a------ C:\WINDOWS\system32\shell.dll
2007-08-31 19:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-31 19:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-31 19:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-31 19:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-29 13:50 <DIR> d-------- C:\Program Files\RegistryFix082807
2007-08-27 18:56 <DIR> d-------- C:\Program Files\IMVU
2007-08-25 17:10 147,729 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 03:28 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\gtk-2.0
2007-09-24 01:23 --------- d-------- C:\Program Files\mIRC
2007-09-22 22:24 --------- d-------- C:\Program Files\QuickTime
2007-09-22 22:24 --------- d-------- C:\Program Files\My Music
2007-09-22 22:19 --------- d-------- C:\Program Files\EarthLink TotalAccess
2007-09-22 03:31 --------- d-------- C:\Program Files\Trillian
2007-09-11 08:47 --------- d-------- C:\Program Files\XoftSpySE
2007-09-02 13:25 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-30 23:58 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\IMVU
2007-07-27 16:53 --------- d-------- C:\DOCUME~1\brent\APPLIC~1\Corel
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 16:13 --------- d-------- C:\DOCUME~1\Jenny\APPLIC~1\SecondLife
2007-07-26 16:05 --------- d-------- C:\Program Files\SecondLife
2007-07-26 15:35 --------- d-------- C:\Program Files\Diablo II
2007-07-22 17:23 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-22 17:23 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-22 17:23 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-22 13:10 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-02-11 06:24 26344024 --a------ C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-01-10 04:48 1025312 --a------ C:\Program Files\AOEPATCH.exe
2004-10-13 13:17 40662 --a------ C:\Program Files\readermain.htm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABF9012A-A781-414C-8A31-EC60DE747717}]
2007-09-22 17:13 68608 --a------ c:\windows\system32\zpnebtjv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9FFB559-458B-496E-9052-EF4E1BCB991B}]
2007-09-23 17:17 81408 --a------ c:\windows\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-14 00:20]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 16:41]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.exe" [2005-10-18 04:29]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 05:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 03:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2003-12-08 15:51]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 19:10:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qhccholv]
adsldpcv.dll 2007-09-23 17:17 81408 C:\WINDOWS\system32\adsldpcv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fygaokqx

.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 00:02:16 C:\WINDOWS\Tasks\Scheduled scanning task.job"
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2007-09-24 18:38:12 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-15 07:22:55 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 14:46:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-24 14:48:23
.
--- E O F ---
----------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:13 PM, on 9/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\Common\FSLAUNCH.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myembarq.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
O2 - BHO: (no name) - {ABF9012A-A781-414C-8A31-EC60DE747717} - c:\windows\system32\zpnebtjv.dll
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\EMBARQ Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-21-484763869-261903793-1801674531-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-261903793-1801674531-1004\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jenny\Start Menu\Programs\IMVU\Run IMVU.lnk
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

--
End of file - 5693 bytes
Arguing on the internet is like trying to blow out a light bulb!!!

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:05:57 AM

Posted 24 September 2007 - 02:40 PM

Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes'; your 'System Restore' directories will be purged.

Restart your pc.

Leave System Restore turned off.


Copy and paste ALL of the following text (the Quote box below) into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\msfy.exe
C:\WINDOWS\iexp.exe
C:\WINDOWS\system32\adsldpcv.dll
C:\WINDOWS\system32\jcyrvhqh.dll
C:\WINDOWS\system32\zpnebtjv.dll
C:\WINDOWS\system32\jyhxyrxv.dll
C:\WINDOWS\system32\jjplfgmg.dll
C:\WINDOWS\system32\kqdiphux.dll
C:\WINDOWS\system32\dpwzoznd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABF9012A-A781-414C-8A31-EC60DE747717}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9FFB559-458B-496E-9052-EF4E1BCB991B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qhccholv]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
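As an added illustration (not part of the original reply, and not HijackThis or ComboFix code) of how the entries in the CFScript above were singled out from the log: both BHOs and the Winlogon Notify key load an unnamed, randomly named 8-letter DLL straight from system32, and adsldpcv.dll is reused by two load points. The heuristic below is my own assumption for triage (a prompt to look closer, not a verdict); the sample lines are copied from the HijackThis log above.

```python
import re
from collections import defaultdict

# Constructed sample: O2 (BHO) and O20 (Winlogon Notify) lines exactly as HijackThis prints them.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {ABF9012A-A781-414C-8A31-EC60DE747717} - c:\windows\system32\zpnebtjv.dll
O2 - BHO: (no name) - {D9FFB559-458B-496E-9052-EF4E1BCB991B} - c:\windows\system32\adsldpcv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qhccholv - C:\WINDOWS\SYSTEM32\adsldpcv.dll
"""

# Matches "O2 - BHO: <name> - {CLSID} - <path>" and "O20 - Winlogon Notify: <name> - <path>".
HJT_LINE = re.compile(
    r"^(?P<kind>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>.+?) - "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]+\}) - )?(?P<path>.+)$"
)
# Eight lowercase letters: the naming pattern shared by every DLL and key targeted in this thread
# (assumed heuristic; legitimate files can match it too, so it only raises a flag for review).
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def parse_hjt(log_text):
    """Return the O2/O20 entries of a HijackThis log as dicts; other line types are ignored."""
    matches = (HJT_LINE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def suspicion_reasons(entry):
    """List the reasons an O2/O20 entry deserves a second look; an empty list means none."""
    path = entry["path"].lower()
    stem = entry["path"].rsplit("\\", 1)[-1].rpartition(".")[0]  # case kept on purpose
    reasons = []
    if "\\system32\\" in path and RANDOM_NAME.match(stem):
        reasons.append("random 8-letter DLL name dropped directly in system32")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        reasons.append("BHO registered without a display name")
    if entry["kind"] == "O20" and RANDOM_NAME.match(entry["name"]):
        reasons.append("Winlogon Notify key with a random name")
    return reasons


def triage(log_text):
    """Group suspicious entries by DLL; 'hits' counts how many load points reuse the same file."""
    findings = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for entry in parse_hjt(log_text):
        reasons = suspicion_reasons(entry)
        if reasons:
            dll = entry["path"].lower().rsplit("\\", 1)[-1]
            findings[dll]["hits"] += 1
            findings[dll]["reasons"].update(reasons)
    return dict(findings)
```

Running triage(SAMPLE_LOG) flags only zpnebtjv.dll and adsldpcv.dll, the latter with two hits, while the SUPERAntiSpyware notify DLL passes clean.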



