
Worse Trojan I Have Had, TROJAN.SPAMBOT


  • This topic is locked
13 replies to this topic

#1 Bajamafam (Members, 10 posts)

Posted 05 November 2007 - 07:54 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:50 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll (file missing)
O3 - Toolbar: Slide - {F25D0054-4CA2-49D5-A8B0-D79B7829D14E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\RunOnce: [KB926239] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-4114993347-2750885927-3488252553-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Owner')
O4 - HKUS\S-1-5-21-4114993347-2750885927-3488252553-1003\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Owner')
O4 - HKUS\S-1-5-21-4114993347-2750885927-3488252553-1003\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Owner')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4307 bytes







Spy-doc results [attached image]

Edited by Bajamafam, 06 November 2007 - 03:49 PM.



#2 Bajamafam (Topic Starter, Members, 10 posts)

Posted 10 November 2007 - 04:48 PM

Ok......this is taking FOREVER

#3 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 11 November 2007 - 09:29 PM

Hello and welcome to BC.

Sorry for the delay in response. If you haven't received help elsewhere, and still need help, please post a fresh HijackThis log and I'll be happy to help you.

#4 Bajamafam (Topic Starter, Members, 10 posts)

Posted 17 November 2007 - 05:05 PM

Ty Vm



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02, on 2007-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob.NATALIE\Desktop\pgrms\W3XMapHack12102.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 3542 bytes




I have posted my Spyware Doctor pic. I can remove the trojan; however, when I do, svchost says it cannot run without rpcrt3.dll, also known to Spyware Doctor as Trojan Spambot.

Edited by Bajamafam, 17 November 2007 - 05:06 PM.


#5 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 17 November 2007 - 05:21 PM

Hi,

Please do not attempt to delete anything. You don't appear to have any antivirus applications. We'll have to sort that out as soon as possible but just not yet. Try to keep the computer off the internet as much as possible until it's cleaned. Just use it for downloading the programs needed to clean it. You'll need to disable the real time guards.

Disabling AVG Anti Spyware 7.5:

Open AVG Anti Spyware.
Under 'Status', click on "change status" to make it 'inactive'. Once your log is clean you can re-enable it.

Disabling Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and exit Spyware Doctor.
Once your log is clean you can re-enable Spyware Doctor.

===================================

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**
  • Close any open browsers. Disconnect from the internet.
  • Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix. Remember to re-enable them when you are done.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by amateur, 17 November 2007 - 05:22 PM.


#6 Bajamafam (Topic Starter, Members, 10 posts)

Posted 18 November 2007 - 02:58 AM

Ok, well, I have done this before; however, I didn't post the log from ComboFix. I did as you said; here is the log.

ComboFix 07-11-08.3 - Jacob 2007-11-18 2:31:32.1 - NTFSx86
Running from: C:\Documents and Settings\Jacob.NATALIE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rpcrt3.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-17 17:49 <DIR> d-------- C:\Program Files\Google
2007-11-17 10:56 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-17 10:56 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-17 10:56 38,728 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-17 10:56 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-17 10:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-17 10:55 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\PC Tools
2007-11-13 15:30 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-11-13 15:30 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-11-13 15:30 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-11-13 14:11 <DIR> d-------- C:\cabs
2007-11-13 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-13 11:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 07:46 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-12 07:46 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\BitTorrent DNA
2007-11-12 07:46 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\BitTorrent
2007-11-12 07:44 <DIR> d-------- C:\Program Files\Bittorrent
2007-11-12 07:38 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\FileVOoM
2007-11-12 03:16 <DIR> d-------- C:\Program Files\BitLord
2007-11-12 03:07 <DIR> d-------- C:\Program Files\BearShare Applications
2007-11-12 01:08 <DIR> d-------- C:\WINDOWS\vbSkinner
2007-11-12 01:08 <DIR> d-------- C:\Program Files\PFConfig
2007-11-11 17:25 <DIR> d-------- C:\Program Files\PC Doc Pro
2007-11-10 15:40 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-11-10 15:14 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\fretsonfire
2007-11-10 14:50 <DIR> d-------- C:\Program Files\TryMedia
2007-11-10 01:48 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-11-10 01:47 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-09 23:18 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2007-11-09 19:57 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\WildTangent
2007-11-09 19:36 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-09 19:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-09 19:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-09 19:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-09 19:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-09 16:23 <DIR> d-------- C:\Documents and Settings\Administrator.NATALIE\Application Data\Talkback
2007-11-09 15:59 50,688 --a------ C:\WINDOWS\system32\rpcrt3.dll.vir
2007-11-08 21:30 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 21:27 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2007-11-08 21:27 78,848 --a--c--- C:\WINDOWS\system32\dllcache\msiexec.exe
2007-11-08 17:43 139,264 --a------ C:\WINDOWS\War3Unin.exe
2007-11-08 17:43 81,413 --a------ C:\WINDOWS\War3Unin.dat
2007-11-08 17:43 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-06 16:42 12,413 --a------ C:\WINDOWS\system32\NETBIOS.DLL
2007-11-03 21:59 0 --a------ C:\SDFix.exe
2007-11-03 16:53 <DIR> d-------- C:\Sysclean
2007-11-03 13:36 1,073,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-03 07:23 1,033,216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-11-03 07:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-03 07:23 364,160 -----c--- C:\WINDOWS\system32\dllcache\update.sys
2007-11-03 07:22 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-11-03 07:22 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-03 07:22 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2007-11-03 06:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 04:59 <DIR> d-------- C:\Documents and Settings\JACOB~1~NAT\LOCALS~1
2007-11-03 04:57 <DIR> d-------- C:\Program Files\hkSFV
2007-11-03 04:30 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-03 04:30 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Simply Super Software
2007-11-03 04:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-03 04:30 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-03 04:30 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-03 04:30 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-03 04:30 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-03 04:30 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-03 02:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-02 22:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-02 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-02 22:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-02 21:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-02 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-11-02 18:57 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Regrun
2007-11-02 18:57 <DIR> d-------- C:\backreg
2007-11-02 18:56 <DIR> d-------- C:\Program Files\Greatis
2007-11-02 18:49 <DIR> d-------- C:\RootkitNO
2007-11-02 18:43 C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2007-11-02 15:51 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-11-02 15:50 <DIR> d-------- C:\NVIDIA
2007-11-02 15:50 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-28 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-28 13:17 364,544 --a------ C:\WINDOWS\system32\npdsplay.dll
2007-10-28 13:16 364,544 --a------ C:\WINDOWS\npdsplay.dll
2007-10-28 07:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 22:42 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-27 22:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-27 21:36 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-10-27 20:48 <DIR> d-------- C:\Program Files\RivaTuner v2.05
2007-10-27 20:39 <DIR> d-------- C:\WINDOWS\nview
2007-10-27 20:33 6,853,088 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-27 20:33 6,853,088 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-10-27 20:33 5,783,040 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-10-27 20:33 5,783,040 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-10-27 02:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-26 22:01 <DIR> d-------- C:\Program Files\FrostWire
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Shared
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Incomplete
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\FrostWire
2007-10-26 17:40 <DIR> d-------- C:\KAV
2007-10-26 17:02 <DIR> d-------- C:\Program Files\Frets on Fire
2007-10-26 15:44 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Uniblue
2007-10-25 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 17:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-13 17:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-09 02:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 13:56 7,364 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-03 12:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 03:48 --------- d-----w C:\Program Files\Common Files\Real
2007-10-22 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-20 20:39 --------- d-----w C:\Program Files\Azureus
2007-10-19 16:16 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-19 16:13 --------- d-----w C:\Program Files\IncrediMail
2007-10-08 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-07 03:02 --------- d-----w C:\Program Files\Ocean Technology
2007-10-04 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-04 22:04 --------- d-----w C:\Program Files\PCPitstop
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-13 11:35]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.05\RivaTuner.exe" [2007-09-27 12:20]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2007-10-28 07:39 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jacob.NATALIE^Start Menu^Programs^Startup^Azureus Turbo Accelerator.lnk]
path=C:\Documents and Settings\Jacob.NATALIE\Start Menu\Programs\Startup\Azureus Turbo Accelerator.lnk
backup=C:\WINDOWS\pss\Azureus Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Slide.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
"C:\Program Files\RivaTuner v2.05\RivaTuner.exe" /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"gusvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MskService"=2 (0x2)
"MSIServer"=3 (0x3)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"brmfrmps"=2 (0x2)

R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.05\RivaTuner32.sys
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b76291d8-8ed0-11db-8467-806d6172696f}]
\Shell\AutoRun\command - E:\autoplay.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 02:39:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 2:40:34 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 16:54
C:\ComboFix3.txt ... 2007-11-09 15:44
.
--- E O F ---





Now, after this reboot happened, I couldn't access the internet, nor even drag icons or see the explorer.exe toolbar (however, the process was running). In my processes in Task Manager there were no svchosts to be found. I couldn't access services or anything from that standpoint, so I put the rpcrt3.dll file back, rebooted, and lo and behold the sound was back, along with internet and all; however, now the trojan is active again. svchost will not run without the TROJAN DLL FILE.
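The HijackThis log in post #4 and the ComboFix log in post #6 are read by hand in this thread. As an added example (not part of the thread, and not code from HijackThis or ComboFix), the Python script below triages lines from both formats the way a responder would eyeball them: entries whose target file is missing, an unknown Winsock LSP, a changed browser start page, and, most relevant here, a file under system32 whose name is one character away from a core system binary (rpcrt3.dll beside the real rpcrt4.dll). The reference list of system file names, the severity labels and the sample lines (copied from the logs above) are constructed for this example; dllcache copies are treated as reference material, not as findings.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed, deliberately short list of core Windows XP binaries that malware
# likes to mimic; a real tool would use a full catalogue of signed files and hashes.
KNOWN_SYSTEM_FILES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "rpcrt4.dll", "oleaut32.dll", "schannel.dll",
    "ntfs.sys", "msiexec.exe",
}

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")          # "O23 - Service: ..."
COMBOFIX_FILE = re.compile(                                            # "date time size attrs path"
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ [-a-z]+ (?P<path>[A-Za-z]:\\.*)$"
)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')                           # a path inside an entry


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str):
    """Return the known system file this name is exactly one edit away from, else None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_FILES:
        return None
    for known in sorted(KNOWN_SYSTEM_FILES):
        if levenshtein(name, known) == 1:
            return known
    return None


def in_live_system32(path: str) -> bool:
    """True for files under system32 itself; dllcache holds the reference copies."""
    p = path.lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def triage(lines):
    """Scan mixed HijackThis / ComboFix log lines and return a list of Findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body")
            if "(file missing)" in body or "(no file)" in body:
                findings.append(Finding("low", f"{kind} entry points at a missing file", line))
            if kind == "O10":
                findings.append(Finding("high", "unknown Winsock LSP module", line))
            if kind in ("R0", "R1") and "Start Page" in body:
                findings.append(Finding("medium", "browser start page set; confirm the user chose it", line))
            for path in WIN_PATH.findall(body):
                mimic = lookalike_of(ntpath.basename(path))
                if mimic:
                    findings.append(Finding("high", f"file name mimics {mimic}", line))
            continue
        m = COMBOFIX_FILE.match(line)
        path = m.group("path") if m else (line if re.match(r"^[A-Za-z]:\\", line) else None)
        if path is None or not in_live_system32(path):
            continue
        name = ntpath.basename(path)
        mimic = lookalike_of(name)
        if mimic:
            findings.append(Finding("high", f"system32 file name mimics {mimic}", line))
        elif name.lower() in KNOWN_SYSTEM_FILES:
            findings.append(Finding("medium", "core system binary written in scan window; verify hash against a clean copy", line))
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
2007-11-09 23:18 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2007-11-03 07:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-17 10:56 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
C:\WINDOWS\system32\rpcrt3.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample this yields five findings: two high (the LSP entry and rpcrt3.dll mimicking rpcrt4.dll), two medium (the start page and the freshly written svchost.exe, which is exactly the pairing the poster describes, since a system binary that refuses to run without a lookalike DLL is worth hashing against the dllcache copy rather than just deleting the DLL), and one low for the stale Java BHO.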

#7 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 18 November 2007 - 12:16 PM

Can you please post these too?

C:\ComboFix2.txt ... 2007-11-09 16:54
C:\ComboFix3.txt ... 2007-11-09 15:44

#8 Bajamafam (Topic Starter, Members, 10 posts)

Posted 18 November 2007 - 05:19 PM

ComboFix 07-11-08.3 - Jacob 2007-11-09 16:50:41.3 - NTFSx86
Running from: C:\Documents and Settings\Jacob.NATALIE\Desktop\ComboFix.exe
.
ADS - svchost.exe: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 16:23 <DIR> d-------- C:\Documents and Settings\Administrator.NATALIE\Application Data\Talkback
2007-11-09 15:59 50,688 --a------ C:\WINDOWS\system32\rpcrt3.dll.vir
2007-11-08 21:30 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 21:27 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2007-11-08 21:27 78,848 --a--c--- C:\WINDOWS\system32\dllcache\msiexec.exe
2007-11-08 17:43 126,976 --a------ C:\WINDOWS\War3Unin.exe
2007-11-08 17:43 17,623 --a------ C:\WINDOWS\War3Unin.dat
2007-11-08 17:43 2,829 --a------ C:\WINDOWS\War3Unin.pif
2007-11-06 16:42 12,413 --a------ C:\WINDOWS\system32\NETBIOS.DLL
2007-11-03 21:59 0 --a------ C:\SDFix.exe
2007-11-03 16:53 <DIR> d-------- C:\Sysclean
2007-11-03 13:36 1,073,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-03 13:31 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-03 13:30 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-11-03 07:23 1,033,216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-11-03 07:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-03 07:23 364,160 -----c--- C:\WINDOWS\system32\dllcache\update.sys
2007-11-03 07:22 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-11-03 07:22 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-03 07:22 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2007-11-03 06:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 04:59 <DIR> d-------- C:\Documents and Settings\JACOB~1~NAT\LOCALS~1
2007-11-03 04:57 <DIR> d-------- C:\Program Files\hkSFV
2007-11-03 04:30 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-03 04:30 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Simply Super Software
2007-11-03 04:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-03 04:30 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-03 04:30 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-03 04:30 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-03 04:30 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-03 04:30 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-03 02:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-02 22:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-02 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-02 22:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-02 21:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-02 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-11-02 18:57 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Regrun
2007-11-02 18:57 <DIR> d-------- C:\backreg
2007-11-02 18:56 <DIR> d-------- C:\Program Files\Greatis
2007-11-02 18:49 <DIR> d-------- C:\RootkitNO
2007-11-02 18:43 C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2007-11-02 16:59 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-02 15:51 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-11-02 15:50 <DIR> d-------- C:\NVIDIA
2007-11-02 15:50 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-28 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-28 13:17 364,544 --a------ C:\WINDOWS\system32\npdsplay.dll
2007-10-28 13:16 364,544 --a------ C:\WINDOWS\npdsplay.dll
2007-10-28 07:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-28 03:24 <DIR> d-------- C:\Program Files\RegCure
2007-10-27 22:42 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-27 22:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-27 21:36 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-10-27 20:48 <DIR> d-------- C:\Program Files\RivaTuner v2.05
2007-10-27 20:39 <DIR> d-------- C:\WINDOWS\nview
2007-10-27 20:33 6,853,088 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-27 20:33 6,853,088 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-10-27 20:33 5,783,040 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-10-27 20:33 5,783,040 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-10-27 02:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-26 22:01 <DIR> d-------- C:\Program Files\FrostWire
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Shared
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Incomplete
2007-10-26 22:01 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\FrostWire
2007-10-26 17:40 <DIR> d-------- C:\KAV
2007-10-26 17:03 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\fretsonfire
2007-10-26 17:02 <DIR> d-------- C:\Program Files\Frets on Fire
2007-10-26 15:44 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Uniblue
2007-10-25 21:58 <DIR> d-------- C:\Program Files\Avira
2007-10-25 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-25 21:02 82 --a------ C:\BellSouthIW.reg
2007-10-25 19:43 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-10-25 17:35 1,382 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-25 17:31 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-25 17:31 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-25 17:31 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-25 17:31 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-25 17:31 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-24 18:28 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-24 18:28 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-24 18:28 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-24 18:28 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-24 18:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-24 18:27 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\PC Tools
2007-10-24 17:58 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Talkback
2007-10-24 17:57 <DIR> dr-h----- C:\Documents and Settings\Jacob.NATALIE\Application Data\yahoo!
2007-10-22 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-22 12:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-22 10:15 <DIR> d-------- C:\Program Files\LimeWire
2007-10-21 15:44 <DIR> d-------- C:\Program Files\Trillian
2007-10-20 21:25 <DIR> d-------- C:\Program Files\Security Task Manager
2007-10-20 17:40 <DIR> d-------- C:\Documents and Settings\Administrator.NATALIE\WINDOWS
2007-10-20 17:40 <DIR> d-------- C:\Documents and Settings\Administrator.NATALIE\Application Data\You've Got Pictures Screensaver
2007-10-20 17:40 <DIR> d-------- C:\Documents and Settings\Administrator.NATALIE\Application Data\SampleView
2007-10-20 16:46 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-20 16:27 <DIR> d-------- C:\Program Files\Warcraft III
2007-10-20 15:40 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\Azureus
2007-10-20 15:32 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\WINDOWS
2007-10-20 15:32 <DIR> d-------- C:\Documents and Settings\Jacob.NATALIE\Application Data\You've Got Pictures Screensaver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 21:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 02:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 13:56 7,364 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-03 12:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-03 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-26 03:48 --------- d-----w C:\Program Files\Common Files\Real
2007-10-22 17:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-22 07:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 07:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-20 20:39 --------- d-----w C:\Program Files\Azureus
2007-10-19 16:16 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-12 19:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 19:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-08 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-07 03:02 --------- d-----w C:\Program Files\Ocean Technology
2007-10-04 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-04 22:04 --------- d-----w C:\Program Files\PCPitstop
2007-10-02 13:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-20 15:10 712,704 ----a-w C:\WINDOWS\system32\opph.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-02 22:53 28,672 ----a-w C:\WINDOWS\system32\f3PSSavr.scr.ren
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-09-27 12:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2007-10-28 07:39 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Slide.exe.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MSIServer"=3 (0x3)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"brmfrmps"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"NVSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b76291d7-8ed0-11db-8467-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b76291d8-8ed0-11db-8467-806d6172696f}]
\Shell\AutoRun\command


.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 22:00:05 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-28 08:26:20 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 16:53:14
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 16:54:14
C:\ComboFix2.txt ... 2007-11-09 15:44
.
--- E O F ---

#9 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 18 November 2007 - 05:41 PM

Go to Start > All Programs > Accessories> and click on cmd
A DOS window will open. Please copy and paste the following command and press Enter:

dir /s /a "c:\svchost*.*" > c:\find.txt & start notepad c:\find.txt

A text file will be opened. Please post the contents of that text file.

Edited by amateur, 18 November 2007 - 06:06 PM.


#10 Bajamafam (Topic Starter, Members, 10 posts)

Posted 19 November 2007 - 04:32 PM

Volume in drive C has no label.
Volume Serial Number is 2492-8096

Directory of c:\Documents and Settings\Jacob.NATALIE\Desktop\pgrms

11/09/2007 11:18 PM 7,406 svchost.rar
11/04/2007 12:48 AM 7,689 svchost.zip
2 File(s) 15,095 bytes

Directory of c:\Documents and Settings\Jacob.NATALIE\Recent

11/09/2007 11:18 PM 584 svchost (2).lnk
11/04/2007 12:50 AM 584 svchost.lnk
2 File(s) 1,168 bytes

Directory of c:\WINDOWS\I386

08/04/2004 02:00 PM 7,278 SVCHOST.EX_
1 File(s) 7,278 bytes

Directory of c:\WINDOWS\Prefetch

11/18/2007 06:18 AM 30,562 SVCHOST.EXE-3530F672.pf
1 File(s) 30,562 bytes

Directory of c:\WINDOWS\system32

11/09/2007 07:38 PM 14,336 svchost.exe
1 File(s) 14,336 bytes

Directory of c:\WINDOWS\system32\dllcache

08/04/2004 02:00 PM 14,336 svchost.exe
1 File(s) 14,336 bytes

Total Files Listed:
8 File(s) 82,775 bytes
0 Dir(s) 104,270,651,392 bytes free
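The listing above is the raw material for a quick triage: every svchost-named file on the drive, its size and its timestamp. What a responder looks for is a copy outside the places Windows XP legitimately keeps svchost.exe, and a system32 copy whose size matches the protected dllcache copy but whose timestamp does not. The script below is an added example, not part of the original thread or of any tool it mentions: it parses `dir /s /a` output (the listing posted above, embedded as constructed sample input) and applies those two checks. The set of "expected" directories is my assumption about an XP install (system32, system32\dllcache, the I386 install source and ServicePackFiles\I386); adjust it for other layouts.

```python
"""Triage a Windows `dir /s /a` listing for copies of a system binary.

Added example (not from the original thread). Parses the output of
`dir /s /a "c:\svchost*.*"` and flags copies in odd places, a system32
copy that disagrees with the dllcache copy, and archives of the binary.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "directory name size mtime")

# Constructed sample: the listing posted in this thread, same paths,
# sizes and timestamps.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 2492-8096

 Directory of c:\Documents and Settings\Jacob.NATALIE\Desktop\pgrms

11/09/2007 11:18 PM 7,406 svchost.rar
11/04/2007 12:48 AM 7,689 svchost.zip
 2 File(s) 15,095 bytes

 Directory of c:\Documents and Settings\Jacob.NATALIE\Recent

11/09/2007 11:18 PM 584 svchost (2).lnk
11/04/2007 12:50 AM 584 svchost.lnk
 2 File(s) 1,168 bytes

 Directory of c:\WINDOWS\I386

08/04/2004 02:00 PM 7,278 SVCHOST.EX_
 1 File(s) 7,278 bytes

 Directory of c:\WINDOWS\Prefetch

11/18/2007 06:18 AM 30,562 SVCHOST.EXE-3530F672.pf
 1 File(s) 30,562 bytes

 Directory of c:\WINDOWS\system32

11/09/2007 07:38 PM 14,336 svchost.exe
 1 File(s) 14,336 bytes

 Directory of c:\WINDOWS\system32\dllcache

08/04/2004 02:00 PM 14,336 svchost.exe
 1 File(s) 14,336 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time  size  name   (the name may contain spaces, e.g. "svchost (2).lnk")
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)

# Assumed legitimate homes for svchost.exe on Windows XP (lower-case, no drive).
EXPECTED_DIRS = {
    r"\windows\system32",
    r"\windows\system32\dllcache",
    r"\windows\i386",
    r"\windows\servicepackfiles\i386",
}


def parse_dir_listing(text):
    """Turn `dir /s` output into Entry records; 'Directory of' lines set context."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            mtime, size, name = m.groups()
            entries.append(Entry(current, name, int(size.replace(",", "")), mtime))
    return entries


def _strip_drive(directory):
    return re.sub(r"^[a-zA-Z]:", "", directory).lower()


def triage(entries, binary="svchost.exe"):
    """Return (path, reason) findings for copies of `binary` and archives of it."""
    findings = []
    copies = [e for e in entries if e.name.lower() == binary]
    # The dllcache copy is the reference: Windows File Protection restores from it.
    ref = next((e for e in copies if _strip_drive(e.directory).endswith(r"\dllcache")), None)
    for e in copies:
        path = e.directory + "\\" + e.name
        if _strip_drive(e.directory) not in EXPECTED_DIRS:
            findings.append((path, "copy outside expected system locations"))
        elif ref is not None and e is not ref:
            if e.size != ref.size:
                findings.append((path, "size differs from dllcache copy"))
            elif e.mtime != ref.mtime:
                findings.append((path, "same size as dllcache copy but different timestamp"))
    stem = binary.rsplit(".", 1)[0]
    for e in entries:
        low = e.name.lower()
        if low.startswith(stem) and low.rsplit(".", 1)[-1] in {"zip", "rar", "7z"}:
            findings.append((e.directory + "\\" + e.name, "archived copy of a system binary"))
    return findings


def demo():
    """Run the triage over the constructed sample listing."""
    return triage(parse_dir_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On the sample this reports the system32 copy (same 14,336 bytes as dllcache, but dated 11/09/2007 instead of 08/04/2004) and the two archives on the desktop. A timestamp mismatch alone is not proof of tampering, since hotfixes legitimately update system32 without touching dllcache, so the next step is to hash both copies rather than trust the dates.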

#11 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 19 November 2007 - 07:36 PM

Hi,

Sv_chost will not run without the TROJAN DLL FILE.

This is not the normal spelling of the Svchost.exe. Is it a typo?

====================================

I see two zipped files of svchost in a folder named "pgrms" on your desktop. What can you tell me about them?

11/09/2007 11:18 PM 7,406 svchost.rar
11/04/2007 12:48 AM 7,689 svchost.zip

====================================

Download SDFix and save it to your Desktop.

====================================

Download and install Sophos Anti-Virus Trial version

You'll need to disable your McAfee for the time being so that the two antivirus applications will not conflict.

============================================

Click Here and download Killbox and save it to your desktop but don't run it yet.

============================================

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

============================================

You might like to print these instructions so that you'll have access to them while you're in safe mode.

============================================

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

==========================================

Go to Start > All Programs > Accessories> and click on cmd

A DOS window will open. Please copy and paste the following command and press Enter:

expand c:\WINDOWS\system32\dllcache\svchost.exe c:\WINDOWS\system32\svchost.exe

==========================================

Open Killbox--> Copy&Paste the bold text below into the Full Path of File to Delete

C:\WINDOWS\system32\rpcrt3.dll

Place a check next to these boxes:

Standard File Kill
End Explorer Shell while Killing File
Unregister .dll before Deleting

Click the Red Circle with the White X in the Middle to Delete the file. When prompted reboot into Safe Mode again.

===========================================
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
====================================

Now reboot in Normal Mode and run a full scan with Sophos Antivirus and post its report please. It may take quite a while for the scan to complete, please be patient.

====================================

Please post back the Report.txt, Sophos report and a fresh HijackThis log.
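The `expand` step above overwrites the live `system32\svchost.exe` with the copy Windows keeps in `dllcache`. Identical size is not evidence that the two files are the same (both copies in the listing are 14,336 bytes), so the check worth making before and after that step is a content hash. The script below is an added example, not part of the original thread or of any tool it names; `compare_with_cache` takes the two paths, and `demo()` exercises it on a constructed pair of throwaway files (not real binaries) so that it runs anywhere.

```python
"""Confirm that a live system binary matches its protected cache copy.

Added example (not from the original thread). Same size is not enough;
the two files must hash identically. demo() uses constructed sample files.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_with_cache(live_path, cache_path):
    """Describe how the live copy relates to the dllcache copy."""
    live_hash, cache_hash = sha256_file(live_path), sha256_file(cache_path)
    return {
        "same_size": os.path.getsize(live_path) == os.path.getsize(cache_path),
        "same_hash": live_hash == cache_hash,
        "live_sha256": live_hash,
        "cache_sha256": cache_hash,
    }


def demo():
    """Same-size but different content, then the state after a restore."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "dllcache_svchost.exe")
        live = os.path.join(d, "system32_svchost.exe")
        # Constructed stand-ins, 14,336 bytes each, differing in one byte.
        good = b"MZ" + b"\x00" * 14334
        bad = b"MZ" + b"\x00" * 14333 + b"\x01"
        with open(cache, "wb") as f:
            f.write(good)
        with open(live, "wb") as f:
            f.write(bad)
        before = compare_with_cache(live, cache)
        # What `expand dllcache\svchost.exe system32\svchost.exe` does in effect.
        with open(live, "wb") as f:
            f.write(good)
        after = compare_with_cache(live, cache)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before restore:", before["same_size"], before["same_hash"])
    print("after restore: ", after["same_size"], after["same_hash"])
```

For the real paths, call `compare_with_cache(r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\dllcache\svchost.exe")` both before and after the `expand` command; a `same_hash` of False afterwards means the replacement did not take, which on a live infection usually means something is re-dropping the file and the rest of the cleanup needs to happen first.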

#12 Bajamafam (Topic Starter, Members, 10 posts)

Posted 20 November 2007 - 04:28 PM

These 2 zipped files are there because when I had removed the trojan, the infected sv_chosts were relocated to a quarantined area, and I cannot copy and paste nor drag and drop unless the trojan file is in the sys32 folder, so I had to archive and extract sv_chost back to sys32, and instead of deleting it I moved it to the desktop folder just in case a program doesn't quarantine and just deletes. After these experiences I back things up a lot... After I remove that rpcrt3.dll file I may not be able to use the internet, so this could be the last time I post for a while....

#13 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 06 December 2007 - 10:23 AM

Hi,

Haven't heard from you for a long time. Are you still with us?

#14 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 12 December 2007 - 11:38 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.



