
Smitfraud (popup) Infection

21 replies to this topic

#1 lynkz

  • Members
  • 23 posts

Posted 16 October 2007 - 01:13 PM

It appears my computer is infected with some sort of Smitfraud (popup) infection according to multiple scans with Spybot. I have followed the steps outlined in the "Start Here" thread, and still appear to have infections. The following is my most recent hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:00 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HiJackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1421] command /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2322] cmd /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1580] command /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4621] cmd /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB987] command /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7313] cmd /c del "C:\WINDOWS\system32\printer.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB564] command /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5994] cmd /c del "C:\WINDOWS\system32\WinAvXX.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: autorun.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe

--
End of file - 4396 bytes

Thanks in advance for your assistance.
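The log above is triaged by hand in the replies that follow. As an added example (not part of the thread, and not HijackThis code), the script below parses HijackThis entry lines and flags the persistence points this thread turns on: the Winlogon Shell override in the F2 line, the non-empty AppInit_DLLs value in the O20 line, the all-users Startup item, the RunOnce delete commands a scanner leaves behind when a file could not be removed, and a BHO whose DLL has a short unbranded name in system32. The sample lines are copied from the first log; the rules themselves are heuristics chosen for this example, not HijackThis's own logic.

```python
"""Triage a HijackThis log for common persistence points.

Added example, not from the thread or from HijackThis. The risk rules are
this example's own heuristics; the sample lines are taken from the log above.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: a subset of the entry lines from the first log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\RunOnce: [SpybotDeletingA1421] command /c del "C:\WINDOWS\system32\printer.exe"
O4 - Global Startup: autorun.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe
""".strip()


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    line: str    # the raw log line
    reason: str  # why it was flagged


# Entry lines look like "<code> - <detail>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(F\d|O\d+|R\d|N\d)\s+-\s+(.*)$")


def parse(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, detail, raw_line) for each entry line in the log."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(log: str) -> List[Finding]:
    """Return the entries that match the heuristics below, in log order."""
    findings: List[Finding] = []
    for code, detail, raw in parse(log):
        low = detail.lower()
        if code == "F2" and "shell=" in low:
            # The Winlogon Shell value should be exactly explorer.exe; anything
            # appended after it is launched at every logon.
            shell = low.split("shell=", 1)[1].strip()
            if shell != "explorer.exe":
                findings.append(Finding(code, raw, "Shell value runs more than explorer.exe"))
        elif code == "O20" and "appinit_dlls:" in low:
            # A non-empty AppInit_DLLs value is loaded into every process that loads user32.dll.
            if low.split("appinit_dlls:", 1)[1].strip():
                findings.append(Finding(code, raw, "non-empty AppInit_DLLs value"))
        elif code == "O4" and "global startup:" in low:
            findings.append(Finding(code, raw, "all-users Startup folder item"))
        elif code == "O4" and "runonce:" in low and "spybotdeleting" in low:
            # Spybot queues a delete for the next boot when it could not remove a file in use.
            findings.append(Finding(code, raw, "scanner could not delete file; delete deferred to next boot"))
        elif code == "O2" and re.search(r"\\system32\\[a-z]{2,4}\.dll$", low):
            # Heuristic: legitimate BHOs rarely live in system32 under a 2-4 letter name.
            findings.append(Finding(code, raw, "BHO with short unbranded DLL name in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports five entries (F2, O2, the two O4 lines and O20) and leaves the Google toolbar, the WinVNC Run entry and the services alone; point `triage()` at a full log file's text to use it on real input.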


#2 Guest_Cretemonster_*

  • Guests

Posted 17 October 2007 - 01:52 PM

Hi lynkz and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 lynkz
  • Topic Starter

  • Members
  • 23 posts

Posted 17 October 2007 - 02:19 PM

After running Combofix, the computer is now running better. Before I had no access to the control panel, or the system properties. I now have access to both, and so far no popups have been displayed.

Here are the logs you requested:

ComboFix 07-10-17.8@ - activity 2007-10-17 15:06:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT -4:00]
Running from: C:\Documents and Settings\activity\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\activity\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\vtr.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 15:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 11:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 11:31 <DIR> d-------- C:\Software
2007-10-16 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 14:22 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-12 10:01 <DIR> d-------- C:\WINDOWS\Sun
2007-10-12 10:01 <DIR> d-------- C:\Documents and Settings\activity\.housecall6.6
2007-10-12 09:37 16,384 --a------ C:\WINDOWS\xlavra3.exe
2007-10-12 09:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-12 08:25 7,849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-09-28 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-09-28 12:44 37,376 --a------ C:\WINDOWS\system32\hpz3l420.dll
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-28 12:43 <DIR> d-------- C:\Program Files\HP
2007-09-28 12:43 60,819 --a------ C:\WINDOWS\hpwins03.dat
2007-09-28 12:43 1,238 --------- C:\WINDOWS\hpwmdl03.dat
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-18 14:54 <DIR> d---s---- C:\Documents and Settings\activity\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 16:11 --------- d-----w C:\Program Files\Greetings Workshop
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec Client Security
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec
2007-09-14 13:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-14 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-04-06 13:49 190 ----a-w C:\Program Files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 01:05]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01]
"WinVNC"="C:\Program Files\VNC\WinVNC.exe" [2000-05-23 18:09]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 10:39]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activity\Start Menu\Programs\Startup\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-08-04 04:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 15:10:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 15:11:33 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:12 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HiJackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe

--
End of file - 3446 bytes

#4 Guest_Cretemonster_*

  • Guests

Posted 17 October 2007 - 02:30 PM

Definitely looking better already, let's clear out some other items and move on from there.

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\xlavra3.exe
C:\WINDOWS\system32\sulimo.dat

Once saved, drag CFScript.txt on top of ComboFix.exe and this will execute the program.

Let it run its course and when it's finished, open HijackThis, click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


After that, post the fresh ComboFix log and a fresh HijackThis log, then please run the F-Secure Online Scanner.

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#5 lynkz
  • Topic Starter

  • Members
  • 23 posts

Posted 17 October 2007 - 03:06 PM

I did as instructed, however, it appears HijackThis did not delete the sulimo.dat entry. I closed all open windows, then selected that line and clicked on Fix. The log file went away, and a blank white screen was present within the HijackThis window. It didn't indicate whether it had deleted the file or anything, so I let it sit there for about 5 minutes, then closed HijackThis.

Also when I ran Combofix this last time, part of the way through (right after completing stage 7) the following message appeared:

sed.cfexe has encountered a problem and needs to close. After closing that window, Combofix continued to run.

Also, I noticed while typing this response that the computer on its own keeps making this IE window inactive after every couple of words that I type, and I have to click the mouse back on the page to make it active again. I am now going to run the F-Secure Online Scanner as directed. I will be able to check this thread on another computer as the scan runs on this one. Here are my most recent logs:

ComboFix 07-10-17.8@ - activity 2007-10-17 15:49:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT -4:00]
Running from: C:\Documents and Settings\activity\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 15:46 7,432 --a------ C:\WINDOWS\xlavra3.exe
2007-10-17 15:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 11:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 11:31 <DIR> d-------- C:\Software
2007-10-16 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 14:22 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-12 10:01 <DIR> d-------- C:\WINDOWS\Sun
2007-10-12 10:01 <DIR> d-------- C:\Documents and Settings\activity\.housecall6.6
2007-10-12 09:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-12 08:25 7,849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-09-28 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-09-28 12:44 37,376 --a------ C:\WINDOWS\system32\hpz3l420.dll
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-28 12:43 <DIR> d-------- C:\Program Files\HP
2007-09-28 12:43 60,819 --a------ C:\WINDOWS\hpwins03.dat
2007-09-28 12:43 1,238 --------- C:\WINDOWS\hpwmdl03.dat
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-18 14:54 <DIR> d---s---- C:\Documents and Settings\activity\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 16:11 --------- d-----w C:\Program Files\Greetings Workshop
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec Client Security
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec
2007-09-14 13:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-14 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-04-06 13:49 190 ----a-w C:\Program Files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 01:05]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01]
"WinVNC"="C:\Program Files\VNC\WinVNC.exe" [2000-05-23 18:09]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 10:39]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activity\Start Menu\Programs\Startup\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-08-04 04:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 15:52:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 15:53:33
C:\ComboFix2.txt ... 2007-10-17 15:37
C:\ComboFix3.txt ... 2007-10-17 15:11
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:48 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\xlavra3.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HiJackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe

--
End of file - 3437 bytes

#6 Guest_Cretemonster_*

  • Guests

Posted 17 October 2007 - 03:13 PM

Scratch the F-Secure scan for now until we get this file moved out of here and fix that reg entry.

Make a new CFScript please, copy the contents below.

File::
C:\WINDOWS\xlavra3.exe
C:\WINDOWS\system32\sulimo.dat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

Restart the machine in safe mode and then drag CFScript.txt on top of ComboFix.exe and allow the program to run.

Obviously these 2 wannabe pains, so let's get them out and then move on to the F-Secure scan afterwards.

Post the new ComboFix log and a fresh HijackThis log in the next reply please.
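Post #5 already showed that a HijackThis fix of the O20 line did not stick, which is why the script above removes both the file and the registry value. As an added example (not part of the thread, and not ComboFix or HijackThis code), the function below compares the entry lines of a HijackThis log taken before a fix with one taken afterwards and reports, for each target name, whether it was removed, survived, or was never present, plus any entries that newly appeared. The two sample logs are trimmed copies of the poster's logs from this thread; the `BEFORE`/`AFTER` names and the report format are this example's own.

```python
"""Check whether a remediation held by diffing two HijackThis logs.

Added example, not from the thread or from the tools it uses. The sample logs are
trimmed from the logs posted in this thread; the report layout is this example's own.
"""
import re
from typing import Dict, Iterable, List, Set

# Entry lines look like "<code> - <detail>"; headers and process lists do not match.
ENTRY_RE = re.compile(r"^(F\d|O\d+|R\d|N\d)\s+-\s+.*$")

# Constructed sample: entries from the first log, before any cleanup.
BEFORE = r"""
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
""".strip()

# Constructed sample: entries from a later log, after ComboFix and the HijackThis fix.
AFTER = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
""".strip()


def entries(log: str) -> Set[str]:
    """The set of entry lines in a log (whitespace-trimmed, case preserved)."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def removal_report(before: str, after: str, targets: Iterable[str]) -> Dict[str, object]:
    """For each target substring (a file name, DLL, or CLSID) say whether the fix held.

    Returns a dict with per-target status, entries that appeared only after the
    fix, and entries that disappeared.
    """
    b, a = entries(before), entries(after)
    status: Dict[str, str] = {}
    for t in targets:
        tl = t.lower()
        in_after = any(tl in e.lower() for e in a)
        in_before = any(tl in e.lower() for e in b)
        if in_after:
            status[t] = "survived"        # still present: the fix did not hold or it came back
        elif in_before:
            status[t] = "removed"
        else:
            status[t] = "not present"     # was never in either log
    return {
        "targets": status,
        "new_entries": sorted(a - b),     # e.g. the O16 entry the online scanner installs
        "gone_entries": sorted(b - a),
    }


def fix_held(report: Dict[str, object]) -> bool:
    """True only if no target survived the fix."""
    targets: Dict[str, str] = report["targets"]  # type: ignore[assignment]
    return all(s != "survived" for s in targets.values())


if __name__ == "__main__":
    r = removal_report(BEFORE, AFTER, ["sulimo.dat", "vtr.dll", "xlavra3.exe"])
    for name, s in r["targets"].items():  # type: ignore[union-attr]
        print(f"{name:<14} {s}")
    print("new entries:", *r["new_entries"], sep="\n  ")  # type: ignore[misc]
    print("fix held:", fix_held(r))
```

On the sample data vtr.dll is reported removed, sulimo.dat survived (so `fix_held` is false and the AppInit_DLLs entry needs a different removal route, which is what the CFScript above attempts), and the only new entry is the F-Secure scanner's O16 line, which is expected after running the online scan.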

#7 lynkz
  • Topic Starter

  • Members
  • 23 posts

Posted 17 October 2007 - 03:54 PM

I just realized that I named the file CFScript.txt.txt because I wasn't showing all extensions. So that might have been a problem. I have since named the file correctly. I will run ComboFix and HijackThis again, and post the logs tomorrow. I'm leaving work for the day. Thanks for all your assistance so far, and I will post the results tomorrow morning.

#8 lynkz
  • Topic Starter

  • Members
  • 23 posts

Posted 18 October 2007 - 09:12 AM

Well, it looks like the sulimo.dat file and the appinit_dlls registry entry are being very difficult to get rid of. I deleted the file, and also went into the registry and deleted that entry, but both came right back. I did run ComboFix and HJT in safe mode. Here are the most recent logs:

ComboFix 07-10-17.8@ - activity 2007-10-18 9:49:25.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.746 [GMT -4:00]
Running from: C:\Documents and Settings\activity\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\activity\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\xlavra3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sulimo.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 15:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 11:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 11:31 <DIR> d-------- C:\Software
2007-10-16 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 14:22 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-12 10:01 <DIR> d-------- C:\WINDOWS\Sun
2007-10-12 10:01 <DIR> d-------- C:\Documents and Settings\activity\.housecall6.6
2007-10-12 09:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-12 08:25 7,849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-09-28 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-09-28 12:44 37,376 --a------ C:\WINDOWS\system32\hpz3l420.dll
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-28 12:44 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-28 12:43 <DIR> d-------- C:\Program Files\HP
2007-09-28 12:43 60,819 --a------ C:\WINDOWS\hpwins03.dat
2007-09-28 12:43 1,238 --------- C:\WINDOWS\hpwmdl03.dat
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-28 12:16 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-18 14:54 <DIR> d---s---- C:\Documents and Settings\activity\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 16:11 --------- d-----w C:\Program Files\Greetings Workshop
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec Client Security
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec
2007-09-14 13:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-14 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-04-06 13:49 190 ----a-w C:\Program Files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_15.10.59.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 20:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 20:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 20:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 01:05]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01]
"WinVNC"="C:\Program Files\VNC\WinVNC.exe" [2000-05-23 18:09]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 10:39]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activity\Start Menu\Programs\Startup\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-08-04 04:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 09:52:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 9:54:36
C:\ComboFix2.txt ... 2007-10-17 16:52
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:04 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HiJackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe

--
End of file - 3083 bytes

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 09:53 AM

Yes indeed they are, but let's see 'em survive the next round.

Same routine as before with the new script for ComboFix.

Rootkit::
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\xlavra3.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-


Post the log when completed please.
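The O20 line in the HijackThis log above and the Registry:: section of the CFScript in this post both concern the same AppInit_DLLs value. As an added defender-side example (not code from the thread, ComboFix or HijackThis), this Python checker parses HijackThis-style O20 lines, explains why such an entry deserves attention, and confirms from a post-cleanup log that it is gone; the sample log lines are constructed to mirror the ones posted above.

```python
import re

# Constructed sample lines in HijackThis format, modelled on the logs posted
# in this thread (the O20 entry is the one the CFScript removes).
BEFORE_LOG = """\
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\VNC\\WinVNC.exe" -servicehelper
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\sulimo.dat
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\\Program Files\\VNC\\WinVNC.exe
"""
AFTER_LOG = """\
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\VNC\\WinVNC.exe" -servicehelper
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\\Program Files\\VNC\\WinVNC.exe
"""

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")


def appinit_entries(log_text):
    """Return the module paths listed on O20 (AppInit_DLLs) lines of a
    HijackThis log. Windows delimits the registry value with spaces or
    commas, so the same delimiters are used here."""
    paths = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            paths.extend(p for p in re.split(r"[ ,]+", m.group(1)) if p)
    return paths


def assess_appinit(paths):
    """Attach a reason to each AppInit_DLLs entry. Any non-empty value is
    worth a look, because the listed modules are loaded into every process
    that maps user32.dll; a module that is not even named .dll is a strong
    hint that something is hiding there."""
    findings = []
    for p in paths:
        reason = "AppInit_DLLs entry present (loaded into every user32 process)"
        if not p.lower().endswith(".dll"):
            reason += "; non-.dll extension disguises the module"
        if "\\windows\\system32\\" in p.lower():
            reason += "; placed in system32 to blend in with OS files"
        findings.append((p, reason))
    return findings


def removal_verified(before_text, after_text, removed):
    """True when a path listed before cleanup is absent from the later log."""
    return (removed in appinit_entries(before_text)
            and removed not in appinit_entries(after_text))
```

Running the two functions over a pre- and post-ComboFix HijackThis log gives the same "is the AppInit_DLLs entry gone?" check the helper performs by eye in the next post.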

#10 lynkz

lynkz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  

Posted 18 October 2007 - 10:51 AM

Looks like we finally got rid of them. The following are my recent logs:

ComboFix 07-10-17.8@ - activity 2007-10-18 11:38:30.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.751 [GMT -4:00]
Running from: C:\Documents and Settings\activity\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\activity\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-16 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 11:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 11:31 <DIR> d-------- C:\Software
2007-10-16 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-12 10:01 <DIR> d-------- C:\Documents and Settings\activity\.housecall6.6
2007-09-28 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-09-28 12:43 <DIR> d-------- C:\Program Files\HP
2007-09-18 14:54 <DIR> d---s---- C:\Documents and Settings\activity\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 16:11 --------- d-----w C:\Program Files\Greetings Workshop
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec Client Security
2007-09-14 13:56 --------- d-----w C:\Program Files\Symantec
2007-09-14 13:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-14 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-09-14 12:40 --------- d-----w C:\Documents and Settings\activities\Application Data\AdobeUM
2007-04-06 13:49 190 ----a-w C:\Program Files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_15.10.59.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 20:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 20:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 20:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 01:05]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01]
"WinVNC"="C:\Program Files\VNC\WinVNC.exe" [2000-05-23 18:09]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"HPWUTOOLBOX"="C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 10:39]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activities\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04]

C:\Documents and Settings\activity\Start Menu\Programs\Startup\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-08-04 04:00:00]


.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 11:44:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 11:44:40 - machine was rebooted
C:\ComboFix ... 2007-10-18 11:44
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:33 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HiJackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\VNC\WinVNC.exe

--
End of file - 3471 bytes

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 12:12 PM

Can you try the F-Secure scanner now?

#12 lynkz

lynkz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 18 October 2007 - 01:59 PM

Here is the log from the F-Secure scan. At your convenience, let me know what next steps are necessary, if any. Thanks again for all your assistance; I look forward to your reply.

Scanning Report
Thursday, October 18, 2007 14:11:04 - 14:32:34
Computer name: ACTIVITIES
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 13 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 17241
System: 3175
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 12
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-18
F-Secure AVP: 7.0.171, 2007-10-18
F-Secure Orion: 1.2.37, 2007-10-18
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 08:27 PM

Everything is looking nice so far. Please post an uninstall list:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.

After posting that, please run the Bit Defender Online Scan:
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and click on "Click here to Scan".

Allow it to update and scan the machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format please and post it back here.

#14 lynkz

lynkz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 19 October 2007 - 09:08 AM

Here is the uninstall list. I am proceeding to run the BitDefender scan now...

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Google Toolbar for Internet Explorer
Greetings Workshop
HijackThis 2.0.2
HP Help and Support
HP Officejet Pro K550 Series
J2SE Runtime Environment 5.0 Update 3
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office XP Standard
Microsoft Picture It! Publishing Platinum 2002
Pervasive System Analyzer
Pervasive.SQL 9 SP2 Client for Windows (9.5)
Realtek High Definition Audio Driver
Roxio CinePlayer
Spybot - Search & Destroy
Update for Windows XP (KB931836)
WinVNC 3.3.3

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 19 October 2007 - 09:28 AM

Adobe Flash Player ActiveX <-- Be sure this is the current, up-to-date version.

Adobe Reader 7.0 <-- Think version 8 is out, but if you don't use it, just uninstall it until you need it.

J2SE Runtime Environment 5.0 Update 3 <--- Very outdated and vulnerable; please uninstall it and go to the Java site below for the latest version.

Version 6 Update 3
http://www.java.com/en/download/index.jsp

Post Bit Defender Results when you get ready. :thumbsup:

