
Commandservice, Virtuemonde, Etc.


28 replies to this topic

#1 jbd (Members, 29 posts)

Posted 28 September 2007 - 12:58 PM

I have a laptop that has been infected. Regular popups. Seems to be worse when I'm connected with IE than Netscape. I've run Ad-Aware SE, Spybot, BitDefender and AVERT Stinger. When I run Spybot I find the following:

Microsoft.windowssecuritycenter.antivirusdisabilitynotify
Microsoft.windwinssecuritycenter.firewalldisabilitynotify
Misrosoft.windowssecuritycenter.updatenotify
WONweblaunchercontrol

Up to this point I unclick these four.

I also see Commandservice. Spybot is unable to remove this.

I also see Virtumonde. It seems to be removed but comes back.

I'm new at this so the more detailed instruction the better. Thank You in advance for your patience.

Jack

Below is my hjlog.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:01 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\NETSCAPE\NAVIGA~1\NAVIGA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\esqtnyso.dll",sitypnow
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4185 bytes

#2 random/random (Malware Response Team, 2,704 posts)

Posted 30 September 2007 - 02:42 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall

#3 jbd (Topic Starter, Members, 29 posts)

Posted 30 September 2007 - 11:37 PM

Thank You - I know you guys are swamped.

When ComboFix rebooted my PC, I got a popup message as follows:

RUNDLL
error loading C:\WINDOWS\System32\esqtnyso.dll
The specified module could not be found.

I also got several Spybot warnings for various changes which I denied.

ComboFix log and HJT log below.

ComboFix 07-09-21.2 - "Administrator" 2007-09-30 22:50:13.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.70 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ekcpwvra.dll
C:\WINDOWS\system32\qnesjsxq.dll
C:\WINDOWS\system32\qxsjsenq.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-09-30 22:44 11,840 --a------ C:\WINDOWS\system32\xelnpoxm.dll
2007-09-30 22:05 11,840 --a------ C:\WINDOWS\system32\gtyrdplh.dll
2007-09-29 19:49 <DIR> d-------- C:\VundoFix Backups
2007-09-28 16:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 16:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-27 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-27 09:16 2,353,695 ---hs---- C:\WINDOWS\system32\iijjl.ini2
2007-09-27 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 08:06 2,336,068 ---hs---- C:\WINDOWS\system32\iijjl.bak2
2007-09-25 10:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-09-25 09:54 6,456 --ahs---- C:\WINDOWS\system32\iijjl.bak1
2007-09-25 09:53 311,872 --a------ C:\WINDOWS\system32\ljjii.dll
2007-09-25 09:52 <DIR> d-------- C:\Program Files\Temporary
2007-09-25 09:49 <DIR> d--hs---- C:\WINDOWS\UA
2007-09-25 09:48 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-25 09:48 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-25 09:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 08:10 --------- d-------- C:\Program Files\Brownie
2007-08-08 16:07 --------- d-------- C:\Program Files\TrackPro
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-28_203835.77 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 3,200 2007-10-01 03:39:34 C:\WINDOWS\SoftwareDistribution\EventCache\{D0E512CC-D778-4FFF-B0E4-89FE09B3B82C}.bin
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{126C83C8-61AD-4DB1-A56E-ABCAC8206BFC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4147D053-391D-4512-8AF0-8F9A00EE06FD}]
2007-09-25 09:53 311872 --a------ C:\WINDOWS\system32\ljjii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45AE89AB-F42C-4A06-80D7-4A3E0911DF38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C68C06C-5D00-45C1-B9FF-B64BE15F24EE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B7DED07-155F-49E2-A97C-6988A6AE8798}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A38DBA58-2165-44A5-94BA-09A328C1121E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B386E8ED-DFA6-42FD-937D-39DCF9E39734}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7D9D9E6-BEFB-4498-BDD5-79812EB79887}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4437A00-F0ED-4B42-8F6E-408837CEEDB2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E253F962-854E-4A54-ABFA-E41E3CD53F1B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Netscape"="C:\Program Files\Common Files\ISPCOMP\InstallService.exe" [2006-10-19 15:52]
"NetscapeClient"="" []
"FolderView"="C:\WINDOWS\system32\esqtnyso.dll" []
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjii.dll

R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S3 UnlockerDriver4;UnlockerDriver4 Driver;\??\C:\WINDOWS\system32\UnlockerDriver4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-06-12 20:53:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 22:56:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\yhqihgve.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-30 23:03:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 23:03
C:\ComboFix2.txt ... 2007-09-30 17:50
C:\ComboFix3.txt ... 2007-09-30 17:01
C:\combofix929.txt ... 2007-09-29 20:25
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:32 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\esqtnyso.dll",sitypnow
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3778 bytes

#4 random/random (Malware Response Team, 2,704 posts)

Posted 01 October 2007 - 12:19 PM

Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    DirLook::
    C:\Program Files\Temporary
    C:\WINDOWS\UA
    C:\WINDOWS\system32\GB9
    C:\WINDOWS\system32\DL1
    C:\Temp
    File::
    C:\WINDOWS\system32\xelnpoxm.dll
    C:\WINDOWS\system32\gtyrdplh.dll
    C:\WINDOWS\system32\iijjl.ini2
    C:\WINDOWS\system32\iijjl.bak2
    C:\WINDOWS\system32\iijjl.bak1
    C:\WINDOWS\system32\ljjii.dll
    RootKit::
    C:\WINDOWS\system32\yhqihgve.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{126C83C8-61AD-4DB1-A56E-ABCAC8206BFC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4147D053-391D-4512-8AF0-8F9A00EE06FD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45AE89AB-F42C-4A06-80D7-4A3E0911DF38}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C68C06C-5D00-45C1-B9FF-B64BE15F24EE}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B7DED07-155F-49E2-A97C-6988A6AE8798}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A38DBA58-2165-44A5-94BA-09A328C1121E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B386E8ED-DFA6-42FD-937D-39DCF9E39734}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7D9D9E6-BEFB-4498-BDD5-79812EB79887}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4437A00-F0ED-4B42-8F6E-408837CEEDB2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E253F962-854E-4A54-ABFA-E41E3CD53F1B}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FolderView"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    [Image: CFscript.txt being dragged onto combofix.exe]
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall
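An added example (not from this thread or its helpers) showing the checks behind the script above from a defender's side: decoding the hex(7) REG_MULTI_SZ that the script writes back to the LSA "Authentication Packages" value, auditing the ComboFix line that showed ljjii.dll loaded there, and flagging HijackThis O4 entries where rundll32 loads a random eight-letter DLL such as esqtnyso.dll. The input lines are constructed from the logs posted in this thread, and all function names are my own.

```python
import re

# Default contents of the LSA "Authentication Packages" value on Windows XP:
# only the MSV1_0 package. Every extra entry listed there is loaded into
# lsass.exe at boot, which is how ljjii.dll in the ComboFix log was started.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Sample lines constructed from the logs in this thread (not read from a live machine).
COMBOFIX_LSA_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ljjii.dll'
CFSCRIPT_LSA_FIX = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
HJT_O4_LINES = [
    'O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe',
    'O4 - HKLM\\..\\Run: [FolderView] rundll32.exe "C:\\WINDOWS\\system32\\esqtnyso.dll",sitypnow',
    'O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe',
]


def decode_reg_multi_sz(value: str) -> list[str]:
    """Decode a .reg-style hex(7) REG_MULTI_SZ value into its list of strings.

    Assumption: the bytes are single-byte (ANSI) as in the CFScript above, so each
    string is NUL-terminated and the list ends with one extra NUL. A Unicode .reg
    file stores the same strings as UTF-16LE; that case is detected and handled too.
    """
    m = re.fullmatch(r"hex\(7\):((?:[0-9a-fA-F]{2},?)*)", value.strip())
    if not m:
        raise ValueError(f"not a hex(7) value: {value!r}")
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    if len(raw) >= 2 and raw[0] != 0 and raw[1] == 0:  # looks like UTF-16LE
        raw = raw.decode("utf-16-le").encode("latin-1")
    return [s for s in raw.decode("latin-1").split("\0") if s]


def encode_reg_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_reg_multi_sz, in the single-byte form used on this page."""
    raw = "".join(s + "\0" for s in strings) + "\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("latin-1"))


def audit_auth_packages(combofix_line: str) -> list[str]:
    """Return the non-default entries in a ComboFix 'Authentication Packages' line.

    ComboFix prints the value as: "Authentication Packages"= msv1_0 <extra ...>
    Entries are separated by single spaces; a path containing spaces would need
    a smarter split, but packages in system32 never have one.
    """
    _, _, rhs = combofix_line.partition("=")
    return [e for e in rhs.split() if e.lower() not in DEFAULT_AUTH_PACKAGES]


# rundll32 loading a DLL whose base name is exactly eight lowercase letters,
# the naming pattern of the Vundo/Virtumonde DLLs in the logs above.
RANDOM_DLL = re.compile(r'(?i:rundll32(?:\.exe)?)\s+"?([^"\s,]*\\[a-z]{8}\.dll)"?')


def suspicious_rundll32_entries(hjt_lines: list[str]) -> list[tuple[str, str]]:
    """Flag HijackThis O4 entries matching RANDOM_DLL; returns (Run name, DLL path)."""
    hits = []
    for line in hjt_lines:
        if not line.startswith("O4 - "):
            continue
        m = RANDOM_DLL.search(line)
        if m:
            name = re.search(r"\[([^\]]+)\]", line)
            hits.append((name.group(1) if name else "", m.group(1)))
    return hits


if __name__ == "__main__":
    print("extra LSA packages:", audit_auth_packages(COMBOFIX_LSA_LINE))
    fix = CFSCRIPT_LSA_FIX.split("=", 1)[1]
    print("script resets value to:", decode_reg_multi_sz(fix))
    print("re-encoded:", encode_reg_multi_sz(DEFAULT_AUTH_PACKAGES))
    for run_name, dll in suspicious_rundll32_entries(HJT_O4_LINES):
        print(f"suspicious Run entry [{run_name}] loads {dll}")
```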


#5 jbd (Topic Starter, Members, 29 posts)

Posted 01 October 2007 - 02:17 PM

You guys are incredible. This looks like magic to me.

Combofix and HJT logs below.


ComboFix 07-09-21.2 - "Administrator" 2007-10-01 12:54:05.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\xelnpoxm.dll
C:\WINDOWS\system32\gtyrdplh.dll
C:\WINDOWS\system32\iijjl.ini2
C:\WINDOWS\system32\iijjl.bak2
C:\WINDOWS\system32\iijjl.bak1
C:\WINDOWS\system32\ljjii.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\eiytxcyt.ini
C:\WINDOWS\system32\gtyrdplh.dll
C:\WINDOWS\system32\iijjl.bak1
C:\WINDOWS\system32\iijjl.bak2
C:\WINDOWS\system32\iijjl.ini2
C:\WINDOWS\system32\kqebyxvy.ini
C:\WINDOWS\system32\ljjii.dll
C:\WINDOWS\system32\mciyeabu.dll
C:\WINDOWS\system32\tgcahluv.dll
C:\WINDOWS\system32\txiarfyo.dll
C:\WINDOWS\system32\tycxtyie.dll
C:\WINDOWS\system32\ubaeyicm.ini
C:\WINDOWS\system32\xelnpoxm.dll
C:\WINDOWS\system32\yhqihgve.dll
C:\WINDOWS\system32\yvxybeqk.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-10-01 09:19 11,840 --a------ C:\WINDOWS\system32\gsvksvgk.dll
2007-09-30 23:01 11,840 --a------ C:\WINDOWS\system32\qghdphco.dll
2007-09-29 19:49 <DIR> d-------- C:\VundoFix Backups
2007-09-28 16:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 16:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-27 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-27 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-25 10:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-09-25 09:52 <DIR> d-------- C:\Program Files\Temporary
2007-09-25 09:49 <DIR> d--hs---- C:\WINDOWS\UA
2007-09-25 09:48 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-25 09:48 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-25 09:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 08:10 --------- d-------- C:\Program Files\Brownie
2007-08-08 16:07 --------- d-------- C:\Program Files\TrackPro
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\Program Files\Temporary ----

2007-09-25 09:52 46592 --a------ C:\Program Files\Temporary\wininstall.exe

---- Directory of C:\WINDOWS\UA ----


---- Directory of C:\WINDOWS\system32\GB9 ----

2007-09-23 09:13 9814 --a------ C:\WINDOWS\system32\GB9\wrdrvrdl23.exe

---- Directory of C:\WINDOWS\system32\DL1 ----

2007-08-02 19:44 169147 --a------ C:\WINDOWS\system32\DL1\MMEMDT83122.exe

---- Directory of C:\Temp ----



((((((((((((((((((((((((((((( snapshot_2007-09-28_203835.77 )))))))))))))))))))))))))))))))))))))))))
.
-c----w 451,584 2002-12-31 12:00:00 C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys
-c----w 174,592 2002-12-31 12:00:00 C:\WINDOWS\$NtUninstallKB914389$\rdbss.sys
-c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe
-c----w 371,424 2005-10-12 23:12:34 C:\WINDOWS\$NtUninstallKB914389$\spuninst\updspapi.dll
-c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe
-c----w 371,424 2005-10-12 23:12:34 C:\WINDOWS\$NtUninstallKB928843$\spuninst\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\spuninst.exe
----a-w 1,104,896 2007-06-26 06:08:16 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\sp2gdr\msxml3.dll
----a-w 1,104,896 2007-06-26 06:06:12 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\sp2qfe\msxml3.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\spuninst.exe
----a-w 60,416 2007-07-18 12:42:22 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\sp2gdr\tzchange.exe
----a-w 60,416 2007-07-18 10:33:06 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\sp2qfe\tzchange.exe
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\updspapi.dll
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\spuninst.exe
----a-w 282,112 2007-06-19 13:37:21 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\sp2qfe\gdi32.dll
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\updspapi.dll
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\spuninst.exe
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\updspapi.dll
----a-w 13,536 2005-06-28 15:20:24 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spmsg.dll
----a-w 213,216 2005-06-28 15:23:26 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spuninst.exe
----a-w 22,752 2005-06-28 15:21:34 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spupdsvc.exe
----a-w 4,734,976 2007-04-30 07:22:16 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\wmp.dll
----a-w 716,000 2005-06-28 15:24:52 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\update\update.exe
----a-w 371,424 2005-06-28 15:23:54 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\spuninst.exe
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\spuninst.exe
----a-w 549,888 2007-05-17 11:25:21 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\sp2qfe\oleaut32.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\spuninst.exe
----a-w 851,968 2007-06-26 15:16:01 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\sp2qfe\vgx.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\updspapi.dll
----a-w 92,504 2007-07-31 00:19:20 C:\WINDOWS\system32\cdm.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\system32\spmsg.dll
----a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\wuapi.dll
----a-w 53,080 2007-07-31 00:19:16 C:\WINDOWS\system32\wuauclt.exe
----a-w 1,712,984 2007-07-31 00:19:42 C:\WINDOWS\system32\wuaueng.dll
----a-w 325,976 2007-07-31 00:19:32 C:\WINDOWS\system32\wucltui.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\wups2.dll
----a-w 203,096 2007-07-31 00:19:28 C:\WINDOWS\system32\wuweb.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
.
----a-w 75,544 2005-05-26 09:16:24 C:\WINDOWS\system32\cdm.dll
----a-w 14,048 2005-02-25 03:35:05 C:\WINDOWS\system32\spmsg.dll
----a-w 465,176 2005-05-26 09:16:30 C:\WINDOWS\system32\wuapi.dll
----a-w 124,184 2005-05-26 09:16:30 C:\WINDOWS\system32\wuauclt.exe
----a-w 1,343,768 2005-05-26 09:16:30 C:\WINDOWS\system32\wuaueng.dll
----a-w 127,256 2005-05-26 09:16:30 C:\WINDOWS\system32\wucltui.dll
----a-w 41,240 2005-05-26 09:16:30 C:\WINDOWS\system32\wups.dll
----a-w 18,200 2005-05-26 09:16:30 C:\WINDOWS\system32\wups2.dll
----a-w 173,536 2005-05-26 09:16:30 C:\WINDOWS\system32\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Netscape"="C:\Program Files\Common Files\ISPCOMP\InstallService.exe" [2006-10-19 15:52]
"NetscapeClient"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S3 UnlockerDriver4;UnlockerDriver4 Driver;\??\C:\WINDOWS\system32\UnlockerDriver4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-06-12 20:53:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 13:01:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 13:02:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 13:02
C:\ComboFix2.txt ... 2007-09-30 23:03
C:\ComboFix3.txt ... 2007-09-30 17:50
C:\combofix929.txt ... 2007-09-29 20:25
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:37 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4105 bytes

#6 random/random
  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 01 October 2007 - 02:22 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Folder::
    C:\Program Files\Temporary
    C:\WINDOWS\UA
    C:\WINDOWS\system32\GB9
    C:\WINDOWS\system32\DL1
    C:\Temp
    C:\VundoFix Backups
    C:\Program Files\ISM
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
    File::
    C:\WINDOWS\system32\gsvksvgk.dll
    C:\WINDOWS\system32\qghdphco.dll
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#7 jbd
  • Topic Starter
  • Members
  • 29 posts

Posted 01 October 2007 - 04:41 PM

Java updated

Below are my ComboFix and HJT logs.

ComboFix 07-09-21.2 - "Administrator" 2007-10-01 16:30:41.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.110 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gsvksvgk.dll
C:\WINDOWS\system32\qghdphco.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\bpafmrvx.dll.bad
C:\VundoFix Backups\cxnldlfe.dll.bad
C:\VundoFix Backups\osyntqse.ini.bad
C:\VundoFix Backups\qgkwiejt.dll.bad
C:\VundoFix Backups\ycbwpynx.dll.bad
C:\WINDOWS\system32\DL1
C:\WINDOWS\system32\DL1\MMEMDT83122.exe
C:\WINDOWS\system32\GB9
C:\WINDOWS\system32\GB9\wrdrvrdl23.exe
C:\WINDOWS\system32\gsvksvgk.dll
C:\WINDOWS\system32\qghdphco.dll
C:\WINDOWS\UA

.
((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-09-28 16:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 16:25 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-27 16:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-27 09:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-25 10:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 08:10 --------- d-------- C:\Program Files\Brownie
2007-08-08 16:07 --------- d-------- C:\Program Files\TrackPro
.

((((((((((((((((((((((((((((( snapshot_2007-09-28_203835.77 )))))))))))))))))))))))))))))))))))))))))
.
-c----w 451,584 2002-12-31 12:00:00 C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys
-c----w 174,592 2002-12-31 12:00:00 C:\WINDOWS\$NtUninstallKB914389$\rdbss.sys
-c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe
-c----w 371,424 2005-10-12 23:12:34 C:\WINDOWS\$NtUninstallKB914389$\spuninst\updspapi.dll
-c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe
-c----w 371,424 2005-10-12 23:12:34 C:\WINDOWS\$NtUninstallKB928843$\spuninst\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\spuninst.exe
----a-w 1,104,896 2007-06-26 06:08:16 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\sp2gdr\msxml3.dll
----a-w 1,104,896 2007-06-26 06:06:12 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\sp2qfe\msxml3.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\10e5243f370a1f28a3045f4c40870f19\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\spuninst.exe
----a-w 60,416 2007-07-18 12:42:22 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\sp2gdr\tzchange.exe
----a-w 60,416 2007-07-18 10:33:06 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\sp2qfe\tzchange.exe
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\2d96d8aba9a2dff89a10de77705d6434\update\updspapi.dll
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\spuninst.exe
----a-w 282,112 2007-06-19 13:37:21 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\sp2qfe\gdi32.dll
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\39a67eb647584bf044c95c49b4bf8722\update\updspapi.dll
----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\spmsg.dll
----a-w 213,216 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\spuninst.exe
----a-w 22,752 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\spcustom.dll
----a-w 716,000 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\update.exe
----a-w 371,424 2006-01-19 19:29:19 C:\WINDOWS\SoftwareDistribution\Download\6b1eb7074a817bb98d49a4ae9242f4d3\update\updspapi.dll
----a-w 13,536 2005-06-28 15:20:24 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spmsg.dll
----a-w 213,216 2005-06-28 15:23:26 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spuninst.exe
----a-w 22,752 2005-06-28 15:21:34 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\spupdsvc.exe
----a-w 4,734,976 2007-04-30 07:22:16 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\wmp.dll
----a-w 716,000 2005-06-28 15:24:52 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\update\update.exe
----a-w 371,424 2005-06-28 15:23:54 C:\WINDOWS\SoftwareDistribution\Download\6c582d950e8e569fbc534ce8a9e66be8\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\spuninst.exe
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\spuninst.exe
----a-w 549,888 2007-05-17 11:25:21 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\sp2qfe\oleaut32.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\a37be17708731e77e17b179ea94c45de\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\spuninst.exe
----a-w 851,968 2007-06-26 15:16:01 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\sp2qfe\vgx.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:29 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\update.exe
----a-w 371,424 2005-10-12 23:12:34 C:\WINDOWS\SoftwareDistribution\Download\d201072cb58fab95908d9431c4a9ed6f\update\updspapi.dll
----a-w 92,504 2007-07-31 00:19:20 C:\WINDOWS\system32\cdm.dll
----a-w 135,168 2007-07-12 06:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 06:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 07:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\system32\spmsg.dll
----a-w 549,720 2007-07-31 00:19:36 C:\WINDOWS\system32\wuapi.dll
----a-w 53,080 2007-07-31 00:19:16 C:\WINDOWS\system32\wuauclt.exe
----a-w 1,712,984 2007-07-31 00:19:42 C:\WINDOWS\system32\wuaueng.dll
----a-w 325,976 2007-07-31 00:19:32 C:\WINDOWS\system32\wucltui.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\wups2.dll
----a-w 203,096 2007-07-31 00:19:28 C:\WINDOWS\system32\wuweb.dll
----a-w 33,624 2007-07-31 00:18:40 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
----a-w 43,352 2007-07-31 00:19:12 C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
.
----a-w 75,544 2005-05-26 09:16:24 C:\WINDOWS\system32\cdm.dll
----a-w 49,248 2005-06-03 07:24:06 C:\WINDOWS\system32\java.exe
----a-w 49,250 2005-06-03 07:24:14 C:\WINDOWS\system32\javaw.exe
----a-w 127,078 2005-06-03 08:52:56 C:\WINDOWS\system32\javaws.exe
----a-w 14,048 2005-02-25 03:35:05 C:\WINDOWS\system32\spmsg.dll
----a-w 465,176 2005-05-26 09:16:30 C:\WINDOWS\system32\wuapi.dll
----a-w 124,184 2005-05-26 09:16:30 C:\WINDOWS\system32\wuauclt.exe
----a-w 1,343,768 2005-05-26 09:16:30 C:\WINDOWS\system32\wuaueng.dll
----a-w 127,256 2005-05-26 09:16:30 C:\WINDOWS\system32\wucltui.dll
----a-w 41,240 2005-05-26 09:16:30 C:\WINDOWS\system32\wups.dll
----a-w 18,200 2005-05-26 09:16:30 C:\WINDOWS\system32\wups2.dll
----a-w 173,536 2005-05-26 09:16:30 C:\WINDOWS\system32\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Netscape"="C:\Program Files\Common Files\ISPCOMP\InstallService.exe" [2006-10-19 15:52]
"NetscapeClient"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 22:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys
S3 UnlockerDriver4;UnlockerDriver4 Driver;\??\C:\WINDOWS\system32\UnlockerDriver4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-06-12 20:53:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 16:34:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 16:36:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 16:36
C:\ComboFix2.txt ... 2007-10-01 13:02
C:\ComboFix3.txt ... 2007-09-30 23:03
C:\combofix929.txt ... 2007-09-29 20:25
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:05 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4257 bytes
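Comparing successive HijackThis logs is how the thread's helper sees what the CFScript removed and what came back (the BndDrive BHO is gone on 1 October; WebBuying, ISMModule4 and WinAble reappear under HKCU Run on 2 October). Here is that comparison as an added Python example, not part of the thread or of HijackThis/ComboFix; the sample logs are constructed from entries posted in this thread, and the entry identity rules (CLSID for O2/O3/O9, hive plus value name for O4) and the fixed red flags are my assumptions.

```python
import re
from dataclasses import dataclass

# One HijackThis entry, e.g. "O4 - HKLM\..\Run: [Netscape] C:\...\InstallService.exe".
# Process lists, "Running processes:" headers and the footer never match this.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\]")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self):
        """Identity for diffing two scans (assumed rules): BHOs/toolbars/buttons
        by CLSID, Run entries by hive + value name, everything else by full text."""
        if self.section in ("O2", "O3", "O9"):
            m = CLSID_RE.search(self.body)
            if m:
                return (self.section, m.group(0).upper())
        if self.section == "O4":
            m = RUN_RE.match(self.body)
            if m:
                return (self.section, m.group("hive"), m.group("name").lower())
        return (self.section, self.body)


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b = {e.key: e for e in parse_log(before)}
    a = {e.key: e for e in parse_log(after)}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


def flag_entries(entries):
    """Fixed red flags independent of any diff; returns (reason, entry) pairs."""
    findings = []
    for e in entries:
        if e.section == "O2" and "(file missing)" in e.body:
            findings.append(("orphaned-bho", e))      # registration outlived its DLL
        if e.section == "R1" and "ProxyServer" in e.body and "127.0.0.1" in e.body:
            findings.append(("loopback-proxy", e))    # IE traffic goes via a local process
        if e.section == "O16":
            findings.append(("activex-download", e))  # DPF: downloaded ActiveX control
    return findings


def new_autostart_names(before, after):
    """Value names of O4 Run entries present in `after` but not in `before`."""
    _, added = diff_logs(before, after)
    return sorted(RUN_RE.match(e.body).group("name")
                  for e in added if e.section == "O4" and RUN_RE.match(e.body))


# Constructed samples: a few lines taken from the thread's 1 Oct and 2 Oct logs.
LOG_OCT1 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
End of file - 4105 bytes
"""

LOG_OCT2 = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_OCT1, LOG_OCT2)
    for e in removed:
        print("gone:", e.section, e.body)
    for e in added:
        print("new :", e.section, e.body)
    for reason, e in flag_entries(parse_log(LOG_OCT2)):
        print("flag:", reason, "->", e.body)
```

A diff only says what changed; each new O4 entry still has to be looked up by path and publisher, which is what the helper does before writing the next CFScript.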

#8 random/random
  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 01 October 2007 - 04:55 PM

You do not appear to be running a realtime antivirus; this is leaving you open to infection.
Please install one of the following free antivirus programs:

Looking over your log, it seems you don't have any evidence of a third-party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download & install a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems


#9 jbd
  • Topic Starter
  • Members
  • 29 posts

Posted 02 October 2007 - 09:25 AM
Posted 02 October 2007 - 09:25 AM

Good Morning.

I installed Zone Alarm last night and Avast this morning. Avast did a scan and it found several things which I deleted. Unfortunately, now I can't log onto the internet. I've tried rebooting the computer but that didn't help. Do I need to uninstall Avast or is there a setting I need to change?

What additional information do I need to provide?

#10 jbd
  • Topic Starter
  • Members
  • 29 posts

Posted 02 October 2007 - 10:27 AM
Posted 02 October 2007 - 10:27 AM

Okay. I've shut down Zone Alarm (right-click on the icon) and I have internet access back. There must be a setting that needs to be changed. Or maybe I'll uninstall and try a different firewall.

In the meantime I'll go ahead and scan with ESET and submit the ESET log and a new HJT log.

#11 jbd
  • Topic Starter
  • Members
  • 29 posts

Posted 02 October 2007 - 11:43 AM
Posted 02 October 2007 - 11:43 AM

ESET log and HJT log below.


# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2566 (20071002)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=58445ced7bca214d878a554700f29283
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-10-02 04:32:06
# local_time=2007-10-02 11:32:06 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=123503
# found=9
# scan_time=3708
C:\qoobox\Quarantine\catchme2007-09-28_203434.44.zip Win32/Adware.Virtumonde application EC8B5853F806DDE96A710B6EB3BB8F65
C:\qoobox\Quarantine\catchme2007-09-28_203434.44.zip ZIP xxywwwx.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\DOWNLO~1\UWA7P_0001_N99M2908NetInstaller.exe.vir Win32/Adware.WinFixer application 5C2D26B644124C28574DEF7E3263E71E
C:\qoobox\Quarantine\C\WINDOWS\system32\awturpn.dll.vir Win32/Adware.Virtumonde application 275CBCBE24A20A1B5F89C16B3CAD8907
C:\qoobox\Quarantine\C\WINDOWS\system32\ssqrqqo.dll.vir Win32/Adware.Virtumonde application 275CBCBE24A20A1B5F89C16B3CAD8907
C:\qoobox\Quarantine\C\WINDOWS\system32\vtuttrs.dll.vir Win32/Adware.Virtumonde application 275CBCBE24A20A1B5F89C16B3CAD8907
C:\qoobox\Quarantine\C\WINDOWS\system32\xxyvuvs.dll.vir Win32/Adware.Virtumonde application 275CBCBE24A20A1B5F89C16B3CAD8907
C:\qoobox\Quarantine\C\WINDOWS\system32\xxywxxy.dll.vir Win32/Adware.Virtumonde application 275CBCBE24A20A1B5F89C16B3CAD8907
C:\qoobox\Quarantine\C\WINDOWS\system32\GB9\wrdrvrdl23.exe.vir probably a variant of Win32/TrojanDownloader.Small.EQN trojan F8613634EF5BB9050E95739B82DF0B06



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:28 AM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5502 bytes

#12 jbd (Topic Starter, Members, 29 posts)

Posted 02 October 2007 - 11:51 AM

Oops - forgot to include a description of any remaining problems.

I haven't seen any popups since yesterday.

Zone Alarm is blocking internet access so I'll need to figure that out.

Right now the PC is very sluggish (as opposed to yesterday evening when it was faster than I've seen it in a long time). Since that time I've downloaded avast and performed the ESET scan.

Thank You!

#13 jbd (Topic Starter, Members, 29 posts)

Posted 02 October 2007 - 01:21 PM

I've come across an additional problem.

In my email program, I have the option to "View Printable Version" of an email. I used to be able to click on this and a printer-friendly version of the email would come up. When I click on it now, the printer-friendly version starts to come up and then disappears.

I've noted that when I just move the cursor over this option (not clicking on it) I see the words "javascript:printFormat();" (without the quotes) next to the IE icon at the bottom of the page.

Thank You!

#14 random/random (Malware Response Team, 2,704 posts)

Posted 02 October 2007 - 02:02 PM

It seems that you've managed to pick up some more malware.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.


#15 jbd (Topic Starter, Members, 29 posts)

Posted 02 October 2007 - 02:38 PM

main.txt and extra.txt below

Thank You


Deckard's System Scanner v20070905.67
Run by Administrator on 2007-10-02 14:29:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2007-10-02 19:30:22 UTC - RP101 - Deckard's System Scanner Restore Point
83: 2007-10-01 21:30:31 UTC - RP100 - ComboFix created restore point
82: 2007-10-01 21:22:10 UTC - RP99 - Installed Java™ 6 Update 2
81: 2007-10-01 21:14:29 UTC - RP98 - Removed J2SE Runtime Environment 5.0 Update 4
80: 2007-10-01 17:53:43 UTC - RP97 - ComboFix created restore point


-- First Restore Point --
1: 2007-10-01 05:10:46 UTC - RP18 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:37 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5551 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 NAVENG - c:\progra~1\common~1\symant~1\virusd~1\20050412.023\naveng.sys (file missing)
S3 NAVEX15 - c:\progra~1\common~1\symant~1\virusd~1\20050412.023\navex15.sys (file missing)
S3 SYMDNS - c:\windows\system32\drivers\symdns.sys (file missing)
S3 SYMFW - c:\windows\system32\drivers\symfw.sys (file missing)
S3 SYMIDS - c:\windows\system32\drivers\symids.sys (file missing)
S3 SYMNDIS - c:\windows\system32\drivers\symndis.sys (file missing)
S3 SYMREDRV - c:\windows\system32\drivers\symredrv.sys (file missing)
S3 UnlockerDriver4 (UnlockerDriver4 Driver) - c:\windows\system32\unlockerdriver4.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-02 and 2007-10-02 -----------------------------

2007-10-02 10:29:22 0 d-------- C:\WINDOWS\LastGood
2007-10-02 08:26:04 0 d-------- C:\Program Files\Alwil Software
2007-10-01 17:34:40 0 d-------- C:\Program Files\EsetOnlineScanner
2007-10-01 17:27:53 4225056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-01 17:22:43 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-01 17:22:35 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-01 17:22:16 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-10-01 17:21:32 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-01 17:20:21 0 d-------- C:\WINDOWS\Internet Logs
2007-10-01 16:22:25 0 d-------- C:\Program Files\Java
2007-10-01 16:22:20 0 d-------- C:\Program Files\Common Files\Java
2007-10-01 16:15:06 0 d-------- C:\WINDOWS\system32\appmgmt
2007-09-27 16:25:05 0 d-------- C:\WINDOWS\BDOSCAN8
2007-09-27 16:23:18 0 d-------- C:\Program Files\Trend Micro
2007-09-27 09:11:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 11:51:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-25 10:36:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2007-10-01 21:03:59 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-01 16:22:20 0 d-------- C:\Program Files\Common Files
2007-09-28 08:10:18 0 d-------- C:\Program Files\Brownie
2007-09-13 20:52:54 61 --a------ C:\Documents and Settings\Administrator\Application Data\ieproxy.bak
2007-08-16 10:12:37 34 --a------ C:\WINDOWS\system32\BD5240.DAT
2007-08-13 17:13:57 0 d-------- C:\Program Files\Messenger
2007-08-08 16:30:12 19456 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2007-08-08 16:07:35 0 d-------- C:\Program Files\TrackPro
2007-08-02 18:11:28 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2007-08-02 18:11:14 241664 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2007-07-27 15:49:02 225355 --a------ C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 15:49:02 196683 --a------ C:\WINDOWS\system32\lnod32apiA.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Netscape"="C:\Program Files\Common Files\ISPCOMP\InstallService.exe" [10/19/2006 03:52 PM]
"NetscapeClient"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/23/2007 10:54 PM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [07/14/2005 09:35 PM]
"WebBuying"="C:\Program Files\Web Buying\v1.8.4\webbuying.exe" []
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []
"WinAble"="C:\Program Files\WinAble\winable.exe" []
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/2005 12:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoSaveSettings"=0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-10-02 14:33:29 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 255.4 MiB / 84.04 MiB
Pagefile Memory (total/avail): 618.13 MiB / 416.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1973.19 MiB

C: is Fixed (NTFS) - 18.63 GiB total, 14.21 GiB free.
D: is CDROM (No Media)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - IBM-DJSA-220 - 18.63 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.63 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.

FW: ZoneAlarm Firewall v7.0.408.000 (Check Point, LTD.) Disabled
FW: Symantec Client Firewall v8.6.0.80 (Symantec Corporation)
AV: avast! antivirus 4.7.1043 [VPS 000778-1] v4.7.1043 (ALWIL Software)
AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation) Disabled Outdated

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=P-4843CF1580844
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\P-4843CF1580844
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=P-4843CF1580844
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.20 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Brother HL-5240 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7FA66EC9-B6F4-4D32-B007-C8C922FBED6F}\SETUP.exe" -l0x9 -removeonly /uninst
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD2one 1.5.1 --> C:\Program Files\DVD2one\uninst.exe
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hoyle Board Games 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB1CCBED-FA66-4D30-BFD7-EF20AD0A81FE}\setup.exe" -l0x9
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.0 (build 0166) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft ActiveX Control Pad --> C:\Program Files\ActiveX Control Pad\Setup\Remove.exe
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape Internet Service --> "C:\Program Files\Netscape Internet Service\uninstall.exe"
Netscape Navigator (9.0b1) --> C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
Netscape Navigator (9.0b2) --> C:\PROGRA~1\NETSCAPE\Navigator 9\uninstall\helper.exe
PowerDVD --> C:\PROGRA~1\CYBERL~1\PowerDVD\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\HTMLHE~1\UNWISE.EXE C:\PROGRA~1\CYBERL~1\PowerDVD\DOCUME~1\ADMINI~1\APPLIC~1\MICROS~1\HTMLHE~1\INSTALL.LOG
QuickTime Alternative 1.50 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.42 --> "C:\Program Files\Real Alternative\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TrackPro 2.5.199 --> C:\Program Files\TrackPro\uninst.exe
Trillian Pro 3.1 Build 121 Final --> C:\PROGRA~1\TRILLI~1\PROGRA~1\TRILLI~1\UNWISE.EXE C:\PROGRA~1\TRILLI~1\PROGRA~1\TRILLI~1\INSTALL.LOG
Versal FileDownload ActiveX Control Trial Version --> C:\Program Files\Universal\UFileDownloadD\USetup.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WONplay --> C:\Program Files\WON\WONplay\WONun.exe C:\program files\WON\wonplay.ex
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type402 / Warning
Event Submitted/Written: 10/02/2007 09:08:26 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type383 / Error
Event Submitted/Written: 09/30/2007 05:54:40 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type378 / Error
Event Submitted/Written: 09/30/2007 05:06:18 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type373 / Error
Event Submitted/Written: 09/30/2007 04:49:31 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type360 / Error
Event Submitted/Written: 09/29/2007 07:52:29 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3937 / Error
Event Submitted/Written: 10/02/2007 08:34:52 AM / 10/02/2007 08:52:53 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type3800 / Error
Event Submitted/Written: 10/01/2007 00:58:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type3799 / Error
Event Submitted/Written: 10/01/2007 00:58:25 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type3521 / Error
Event Submitted/Written: 09/29/2007 08:56:54 PM / 09/29/2007 08:56:55 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type3520 / Error
Event Submitted/Written: 09/29/2007 08:56:49 PM / 09/29/2007 08:56:55 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2007-10-02 14:33:29 ------------
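Both logs posted above are line-oriented, so the parts a helper reads first (the R1 proxy lines, the O4 autostart entries, and the Run values in the DSS registry dump) can be pulled out by script rather than by eye. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from Deckard's System Scanner, and every function name in it (exe_path, parse_hjt, loopback_proxy, parse_dss_run_dump, dangling_autostarts, triage) is my own. Its sample input is constructed to match the shape of the two logs above. It assumes that an empty "[]" after a value in the DSS registry dump means DSS found no file at that path, which is how that output is usually read but should be confirmed with dir on the machine before a value is deleted. The script only flags items for review; it does not decide what is malware.

```python
import re

# Constructed sample in HijackThis v2.0.2 log format. The lines copy the shape
# of the log posted in this thread and are embedded so the script runs offline.
SAMPLE_HJT = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1:5400;*windowsupdate.microsoft.com;localhost;<local>
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.4\webbuying.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed sample of the "Registry Dump" block that Deckard's System Scanner
# prints. ASSUMPTION: an empty "[]" after a value means DSS found no file at
# that path; confirm with "dir" on the machine before acting on it.
SAMPLE_DSS = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"NetscapeClient"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebBuying"="C:\Program Files\Web Buying\v1.8.4\webbuying.exe" []
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/2005 12:12 PM]
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
R1_BODY = re.compile(r"^(?P<key>[^,]+),(?P<name>\w+) = (?P<value>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^(?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
DSS_HIVE = re.compile(r"^\[(?P<hive>HKEY_[^\]]+)\]$")
DSS_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
LOOPBACK = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?(?:;|$)", re.I)


def exe_path(cmd):
    """Strip arguments from a Run value: a quoted path, or an unquoted path up
    to the first ' /switch' (unquoted paths may themselves contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" /")[0]


def parse_hjt(text):
    """Return one dict per recognised HijackThis line (R1 and O4 are decoded)."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        entry = {"section": m.group("sec"), "raw": m.group("body")}
        if entry["section"] == "R1":
            r = R1_BODY.match(entry["raw"])
        elif entry["section"] == "O4":
            r = O4_RUN.match(entry["raw"]) or O4_STARTUP.match(entry["raw"])
        else:
            r = None
        if r:
            entry.update(r.groupdict())
            if "cmd" in entry:
                entry["exe"] = exe_path(entry["cmd"])
        entries.append(entry)
    return entries


def loopback_proxy(entries):
    """Return IE's ProxyServer value if it points at 127.0.0.1/localhost, else None.
    A loopback proxy means some local process sees every IE request; the log
    alone does not say which one (netstat -ano on the box shows the listener)."""
    for e in entries:
        if e["section"] == "R1" and e.get("name") == "ProxyServer":
            if LOOPBACK.search(e.get("value", "")):
                return e["value"]
    return None


def parse_dss_run_dump(text):
    """Return (hive, name, cmd, stamp) tuples from DSS's registry-dump block."""
    hive, out = None, []
    for line in text.splitlines():
        h = DSS_HIVE.match(line.strip())
        if h:
            hive = h.group("hive")
            continue
        v = DSS_VALUE.match(line.strip())
        if v and hive:
            out.append((hive, v.group("name"), v.group("cmd"), v.group("stamp")))
    return out


def dangling_autostarts(dss_entries):
    """Run values with a command but no file stamp: the target is probably gone
    (uninstalled product, or malware already removed) and the value is a leftover."""
    return [(h, n, c) for h, n, c, s in dss_entries if c and not s]


def triage(hjt_text, dss_text):
    """Combine both logs into the short list a helper would look at first."""
    hjt = parse_hjt(hjt_text)
    dss = parse_dss_run_dump(dss_text)
    return {
        "loopback_proxy": loopback_proxy(hjt),
        "dangling": [n for _, n, _ in dangling_autostarts(dss)],
        "hkcu_run": sorted(e["name"] for e in hjt
                           if e["section"] == "O4" and e.get("hive") == "HKCU"),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HJT, SAMPLE_DSS).items():
        print(f"{k}: {v}")
```

Run against the constructed sample it reports the IE proxy pointed at 127.0.0.1:5400, the two HKCU Run entries, and the Run values whose target file DSS could not stamp. A proxy on loopback is worth resolving on the box itself rather than from the log: netstat -ano lists the PID listening on the port and tasklist maps that PID to an image name, which tells you whether the listener belongs to an installed product or to something else before you clear the ProxyServer value.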



