Win32:small-epj Trojan Is On My Computer


5 replies to this topic

#1 sandorman


Posted 14 October 2007 - 12:40 AM

OK, last time I got a generic response that said I was posting the HijackThis log in the wrong place and asking me to read the directions, even though I said that it wouldn't accept the HijackThis log and that was why I was posting it there. I'd appreciate someone reading what I say. http://www.bleepingcomputer.com/forums/ind...9&hl=trojan was the first one. Here's the log using the newer version of HijackThis, as if it makes any difference.

The problem is startdrv.exe, as I said before. It's in windows/system/temp. Absolutely everything finds it. I don't need someone telling me to download 5 more spyware programs I've never heard of that'll all find it and then fail to delete it. I've tried Spyware Doctor, AVG 7.5, CounterSpy, now SUPERAntiSpyware, and I ran Avenger on the startdrv file... it caused more trouble than it was worth, because it didn't delete the original and it made a backup of it in a new c:\avenger directory which I finally managed to get rid of.

Here's what I think is happening. It deleted it, but it regenerated really fast. I'm posting the Avenger log below. The final thing I ran that got rid of it from the c:\avenger directory was telling it to delete it from the windows\temp directory, then the avenger directory, then the windows\temp directory and then the avenger directory. The odd thing is that it SAID that it successfully deleted it from the windows\temp directory, and when it got to the second command for the same file, it said the file couldn't be found. But when Windows was completely started up, there it was, startdrv.exe in the windows\temp directory. I'm putting the Avenger log at the end of the HijackThis log. And I'm also putting a small selection of what the virus looks like when I open it with Notepad. Not the whole virus. Just one part that I wonder if it has any useful information in.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:31 AM, on 10/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\gearsec.exe
c:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\media things\games\skoolcrp &More\May 20 2007\S drive\utorrent.exe
D:\backup of c drive\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medexamtools.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP6100b] C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N99M3108] "C:\DOCUME~1\User\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmnext06] C:\Documents and Settings\User\wintst.dll
O4 - HKLM\..\Run: [SBCSTray] c:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_l0b.dll
O20 - Winlogon Notify: !SASWinLogon - c:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Layer Gateway Service ALGTermService (ALGTermService) - Unknown owner - c:\7D.tmp.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 5668 bytes




Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uelttklj

*******************

Script file located at: \??\C:\fonsvpwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\temp\startdrv.exe deleted successfully.
File c:\avenger\startdrv.exe deleted successfully.


File c:\windows\temp\startdrv.exe not found!
Deletion of file c:\windows\temp\startdrv.exe failed!

Could not process line:
c:\windows\temp\startdrv.exe
Status: 0xc0000034

File c:\avenger\startdrv.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




And now a piece of the virus (the first 10% of it or so) - I wonder if the stuff at the end of it could be useful in figuring out what it does and why it's regenerating and maybe where it's regenerating FROM?:


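As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage helper that applies a few defender-side heuristics to the O4, O20 and O23 lines of a HijackThis v2 log like the one above (autostart entries in Temp or profile roots, Run values pointing at DLLs, AppInit_DLLs injection, services whose binary is missing or has no owner). The rule set is my own assumption, not HijackThis's logic, and the sample lines are copied from the first log in this post.

```python
"""Heuristic triage of HijackThis v2 log lines (added example; not the thread's own code).

The rules below are a constructed, defender-side rule set, not HijackThis's logic:
each hit is a reason for a human reviewer to look closer, not proof of malware.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4/O20/O23 lines copied from the first HijackThis log in this post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N99M3108] "C:\DOCUME~1\User\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [mmnext06] C:\Documents and Settings\User\wintst.dll
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_l0b.dll
O23 - Service: Application Layer Gateway Service ALGTermService (ALGTermService) - Unknown owner - c:\7D.tmp.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
"""

# Line shapes for the three HijackThis sections this helper understands.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<rest>.+)$")
# First token of an O4 command: a quoted path, or an unquoted path up to a known extension.
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', re.I)

# Location heuristics (all case-insensitive, Windows-style paths).
TEMP_RE = re.compile(r"\\temp\\", re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping any arguments."""
    m = PATH_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ""
    return m["q"] or m["u"]


def assess_path(path: str) -> list[str]:
    """Location-based signals; none of these is conclusive on its own."""
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("runs from a Temp directory")
    if PROFILE_ROOT_RE.match(path):
        reasons.append("file sits directly in a user profile root")
    if WINDIR_ROOT_RE.match(path):
        reasons.append("file sits directly in the Windows root (weak signal)")
    if DRIVE_ROOT_RE.match(path):
        reasons.append("file sits directly in a drive root")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            path = extract_path(m["cmd"])
            reasons = assess_path(path)
            if path.lower().endswith(".dll"):
                reasons.append("Run value points at a DLL rather than an executable")
            if reasons:
                findings.append(Finding("O4", m["name"], path, reasons))
        elif m := O20_RE.match(line):
            path = m["path"].strip()
            if path:  # skip an empty value
                reasons = ["AppInit_DLLs loads this DLL into every process that uses user32.dll"]
                findings.append(Finding("O20", "AppInit_DLLs", path, reasons + assess_path(path)))
        elif m := O23_RE.match(line):
            owner, _, path = m["rest"].rpartition(" - ")  # owner may itself contain " - "
            reasons = []
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].strip()
                reasons.append("service binary is missing on disk (orphaned entry)")
            if owner == "Unknown owner":
                reasons.append("no publisher recorded for the service binary")
            reasons += assess_path(path)
            if reasons:
                findings.append(Finding("O23", m["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```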

#2 Guest_Cretemonster_*


Posted 17 October 2007 - 04:06 AM

sandorman, are you still needing help with this computer?

#3 sandorman


Posted 17 October 2007 - 05:46 AM

First question yes, second question no. Yes, I need help with my computer. No, no, I didn't delete it. No one would help me. They criticized me for posting my log in the wrong place after it wouldn't accept my log in the right place, so I downloaded the thing again and did it again and reposted, and you're the only one to say anything in response. It's been on my computer for 2 and a half weeks now. It's still there. c:\windows\temp\startdrv.exe

The CounterSpy antivirus trial program I downloaded is about to expire. Not that it matters, it was pretty worthless, it couldn't even find the HKLM entry that corresponded with startdrv. At least SUPERAntiSpyware did that, though it couldn't delete it.

Edited by sandorman, 17 October 2007 - 08:47 AM.


#4 Guest_Cretemonster_*


Posted 17 October 2007 - 09:54 AM

Alrighty then, less attitude and more happy thoughts, then we can proceed with removing this pest from your PC and attempt to return you to the sanity of your usual PC.....good enough??


That being said, download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.



If anything onboard tosses up a prompt about a script running, allow it so ComboFix can proceed with its fixing.

#5 sandorman


Posted 17 October 2007 - 02:47 PM

Well, it LOOKS like that thing was a real brute force solution. It didn't just delete startdrv.exe, it cleared out every single thing that was in my c:\windows\temp directory as well as several others and also a bunch of .dll files. Could it be that these particular .dll files are viruses that absolutely nothing else identified? If so, why would it knock out whole folders like that! Which does make me worried - is there any chance it did some stuff that maybe it shouldn't have, like the collateral damage from taking out a cockroach with a rocket launcher? My computer does seem to WORK, I'll give it that.

By the way, assuming the virus is truly gone, by any chance would you know how to fix my computer's display properties? I right-click on my Windows desktop and the display properties window comes up, I select the 'desktop' tab and the word 'background' is greyed out along with 'browse' and none of the background images are selectable. I can put a picture in the 'my pictures' folder and then it gives me an option to 'set as desktop background', but as soon as anything happens, like Explorer crashes or I reboot the computer, it's gone again, replaced again with the blue background - my old active desktop, the 'vortec space', still shows but only for a moment while Windows is loading and then it goes back to solid blue. This damage was done on the first day by the virus when it replaced my active desktop with a message telling me my computer was infected - the first antivirus software I found removed that but apparently left something with a big hole in it, because it stopped functioning.

That 1480486225.dat file it says was created on October 1 (or any of those really arbitrarily named files created on the night of 9/30) - Sept. 30 at about 9 pm was when I first got the virus and October 1 was when it really was at its peak of activity and was being fruitful and multiplying and putting lots of other stuff on my computer - are any of these things you think I should kill?

One other thing - what do I do with the 52 MEGABYTES of stuff it put in the c:\qoobox directory? What exactly is this stuff? It sure is bigger than the original program.

Well, here are the two logfiles, if they're important any more:

ComboFix 07-10-17.8@ - User 2007-10-17 14:52:34.1 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\temp\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\My Documents\FNTS~1
C:\Program Files\Temporary
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\LEGACY_RUNTIME2
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 15:29 <DIR> d-------- C:\WUTemp
2007-10-17 14:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 14:45 1,390,345 --a------ C:\temp\ComboFix.exe
2007-10-14 01:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-12 21:19 <DIR> d-------- C:\Program Files\QuickSFV
2007-10-08 09:17 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-10-07 15:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-07 15:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 15:26 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-10-07 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-07 15:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-06 23:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-06 23:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-06 23:13 54,200 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2007-10-06 23:13 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-06 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-06 12:57 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-05 13:57 <DIR> d--h----- C:\Documents and Settings\User\Application Data\GTek
2007-10-05 13:57 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2007-10-05 13:56 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-10-05 13:56 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2007-10-01 18:21 <DIR> d-------- C:\Program Files\FBM Software
2007-10-01 18:12 1,508 --ah----- C:\WINDOWS\system32\1480486225.dat
2007-10-01 12:05 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-10-01 12:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-01 12:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-01 12:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-01 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-01 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-30 21:16 <DIR> d-------- C:\WINDOWS\system32\vMW10a
2007-09-30 21:15 <DIR> d--hs---- C:\WINDOWS\U2FuZG9yIFN3YXJ0eg
2007-09-30 21:15 <DIR> d-------- C:\WINDOWS\system32\ex1
2007-09-28 21:03 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-28 19:07 <DIR> d-------- C:\WINDOWS\Motive
2007-09-28 19:06 <DIR> d-------- C:\Program Files\Virtual Assistant
2007-09-28 19:06 <DIR> d-------- C:\Program Files\Motive
2007-09-28 19:03 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-09-28 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2007-09-21 21:36 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 18:43 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2007-10-16 18:17 16,788 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-13 16:57 --------- d-----w C:\Program Files\ABC
2007-10-11 13:52 --------- d-----w C:\Program Files\TextToMp3
2007-10-09 23:33 --------- d-----w C:\Program Files\QuickTime
2007-10-02 01:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-29 01:06 --------- d-----w C:\Program Files\Java
2007-09-21 19:07 --------- d-----w C:\Program Files\MPLAB
2007-09-20 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-08-19 14:58 --------- d-----w C:\Documents and Settings\User\Application Data\RegSweep
2007-04-11 02:05 57,359 ----a-w C:\Program Files\characters.sum
2006-11-28 23:18 94,080 ----a-w C:\Documents and Settings\User\Application Data\ezplay.sys
2006-11-28 23:18 81,920 ----a-w C:\Documents and Settings\User\Application Data\ezpinst.exe
2006-11-28 23:18 47,360 ----a-w C:\Documents and Settings\User\Application Data\pcouffin.sys
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2005-02-07 20:53 29,296 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-06-09 01:30:17 8 --sha-r C:\WINDOWS\system32\48D5DB971F.sys
2005-01-19 10:30:08 56 --sha-r C:\WINDOWS\system32\4C4A5D0790.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"PaperPort PTD"="c:\progra~1\vision~1\paperp~1\pptd40nt.exe" [1999-04-13 04:13]
"PP6100b"="C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe" [1998-12-22 21:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 15:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"winptr"="C:\WINDOWS\winptr.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-01 12:04]
"mmnext06"="C:\Documents and Settings\User\wintst.dll" []
"SBCSTray"="c:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-03 16:56:06]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-09-28 19:06:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= c:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
c:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 c:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\tmp_l0b.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTCLiveUpdate]
"C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
C:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
C:\WINDOWS\System32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ClipSrv"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys
R2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\System32\DRIVERS\SAA713x.sys
R2 mplabice2;mplabice2;C:\WINDOWS\System32\drivers\mplabice2.sys
S3 Cap7134;TV AV Capture, WDM Video Captures;C:\WINDOWS\System32\DRIVERS\Cap7134.sys
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\System32\Drivers\fide.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 07:30:01 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 15:28:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 15:30:58 - machine was rebooted
.
--- E O F ---




-------------------- now the HijackThis logfile:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:47 PM, on 10/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medexamtools.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP6100b] C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmnext06] C:\Documents and Settings\User\wintst.dll
O4 - HKLM\..\Run: [SBCSTray] c:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_l0b.dll
O20 - Winlogon Notify: !SASWinLogon - c:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Layer Gateway Service ALGTermService (ALGTermService) - Unknown owner - c:\7D.tmp.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - c:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 5268 bytes

Edited by sandorman, 17 October 2007 - 03:02 PM.


#6 Guest_Cretemonster_*


Posted 17 October 2007 - 03:06 PM

You may have to reset the desktop manually after the next run with ComboFix.

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

Folder::
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\U2FuZG9yIFN3YXJ0eg
C:\WINDOWS\system32\ex1
C:\temp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winptr"=-
"mmnext06"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the program.

Once it has finished, go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there (except for "My current home page").


Post back with the log from ComboFix and a fresh HijackThis log.

Once those are posted, please run the F-Secure Online Scanner.

Note: This scanner is for Internet Explorer only.
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.




