
Help Please Vundo Jkhhf.exe


This topic is locked
9 replies to this topic

#1 Naruto_Kun


Posted 07 January 2008 - 02:06 AM

Hi, I think my computer is infected. My antispyware keeps pulling up the files jkhhf.exe and jkhhf.dll and I don't know how to get rid of them. Any help is appreciated. Thanks.

Here is my hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:53 PM, on 1/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM\aim .exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\Mike\Desktop\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\jkhhf.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196927852979
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197437018812
O17 - HKLM\System\CCS\Services\Tcpip\..\{39CE64A7-2707-445E-9F3F-3272174FFEA7}: NameServer = 68.105.28.11,68.105.29.11
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3806 bytes


#2 RenatoMejias

  • Malware Response Team

Posted 09 January 2008 - 03:06 PM

Hi, Welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page to your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in Portuguese

#3 Naruto_Kun

  • Topic Starter

Posted 09 January 2008 - 05:30 PM

Okay, do you need me to run another hijack log or any scans?

#4 RenatoMejias

  • Malware Response Team

Posted 10 January 2008 - 09:31 AM

Hi :thumbsup:.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in Portuguese

#5 Naruto_Kun

  • Topic Starter

Posted 11 January 2008 - 01:36 AM

Hey, here is the ComboFix log and also the hijack log.

ComboFix 08-01-10.2 - Mike 2008-01-10 22:30:41.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.723 [GMT -8:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ajcqsiho.ini
C:\WINDOWS\system32\bybeejkn.ini
C:\WINDOWS\system32\evuhrawh.ini
C:\WINDOWS\system32\kifavttw.ini
C:\WINDOWS\system32\ohydojrb.ini
C:\WINDOWS\system32\pjmwhect.ini
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\rjmsygqr.ini
C:\WINDOWS\system32\rpbrqagk.ini
C:\WINDOWS\system32\rpfuchjw.ini
C:\WINDOWS\system32\sbhgemqa.ini
C:\WINDOWS\system32\sjnvssif.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-10 22:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 03:29 . 2008-01-08 03:29 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 23:36 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 23:35 . 2008-01-05 23:36 <DIR> d-------- C:\Program Files\Java
2008-01-05 23:35 . 2008-01-05 23:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-05 23:21 . 2008-01-05 23:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-27 00:57 . 2007-12-28 14:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-27 00:47 . 2007-12-27 00:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-26 23:49 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 23:24 . 2007-12-26 23:24 <DIR> d-------- C:\WINDOWS\LogFiles
2007-12-24 07:39 . 2007-12-26 23:25 90,112 --a------ C:\WINDOWS\Updreg .exe
2007-12-12 12:46 . 2007-04-03 13:59 23,176 -ra------ C:\WINDOWS\system32\drivers\s616nd5.sys
2007-12-12 12:28 . 2007-04-03 13:59 100,360 -ra------ C:\WINDOWS\system32\drivers\s616mgmt.sys
2007-12-12 12:28 . 2007-04-03 13:59 99,080 -ra------ C:\WINDOWS\system32\drivers\s616unic.sys
2007-12-12 12:28 . 2007-04-03 13:59 98,568 -ra------ C:\WINDOWS\system32\drivers\s616obex.sys
2007-12-12 12:28 . 2007-04-03 13:59 11,016 -ra------ C:\WINDOWS\system32\drivers\s616cr.sys
2007-12-12 11:13 . 2007-04-03 13:59 108,680 -ra------ C:\WINDOWS\system32\drivers\s616mdm.sys
2007-12-12 11:13 . 2007-04-03 13:59 15,112 -ra------ C:\WINDOWS\system32\drivers\s616mdfl.sys
2007-12-12 11:13 . 2007-04-03 13:59 12,424 -ra------ C:\WINDOWS\system32\drivers\s616cmnt.sys
2007-12-12 11:13 . 2007-04-03 13:59 12,424 -ra------ C:\WINDOWS\system32\drivers\s616cm.sys
2007-12-11 23:32 . 2007-12-11 23:32 <DIR> d-------- C:\Program Files\Sony
2007-12-11 23:23 . 2007-12-11 23:23 <DIR> d-------- C:\Program Files\Sony Setup
2007-12-11 23:23 . 2007-12-11 23:23 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sony Setup
2007-12-11 23:22 . 2007-04-03 13:59 83,208 -ra------ C:\WINDOWS\system32\drivers\s616bus.sys
2007-12-11 23:22 . 2007-04-03 13:59 12,424 -ra------ C:\WINDOWS\system32\drivers\s616whnt.sys
2007-12-11 23:22 . 2007-04-03 13:59 12,424 -ra------ C:\WINDOWS\system32\drivers\s616wh.sys
2007-12-11 23:19 . 2007-12-11 23:19 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-11 23:18 . 2007-12-11 23:19 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-11 23:18 . 2007-12-11 23:18 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-11 23:18 . 2007-12-11 23:18 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Sony Ericsson
2007-12-11 23:16 . 2007-12-11 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-11 23:16 . 2007-12-11 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-11 21:25 . 2005-10-20 14:33 991,232 --a------ C:\WINDOWS\system32\esent.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 06:10 --------- d-----w C:\Program Files\Warcraft III
2008-01-07 07:32 --------- d-----w C:\Program Files\AIM
2008-01-06 08:29 --------- d-----w C:\Program Files\AOD
2008-01-06 08:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-06 08:20 --------- d-----w C:\Program Files\Steam
2008-01-06 07:57 --------- d-----w C:\Program Files\PestPatrol
2007-12-27 08:55 --------- d-----w C:\Program Files\RogueRemover FREE
2007-12-27 08:14 145,408 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\Mike\Application Data\Yahoo!
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-12 07:18 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-05 04:47 --------- d-----w C:\Program Files\PokerStars
2007-12-01 02:45 --------- d-----w C:\Documents and Settings\Mike\Application Data\Roxio
2007-11-24 02:43 --------- d-----w C:\Program Files\Yahoo!
2007-11-22 04:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-22 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-14 20:38 --------- d-----w C:\Program Files\Ventrilo
2007-11-14 20:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 23:22 --------- d-----w C:\Program Files\LimeWire
2007-11-09 10:43 112 ----a-w C:\PPCleanDeleteAtReboot.bat
.
<pre>
----a-w		   144,896 2008-01-06 08:58:42  C:\Documents and Settings\Mike\Desktop\msconfig\msconfig  .exe
----a-w		   144,896 2008-01-08 11:45:30  C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe
----a-w			67,112 2008-01-06 07:47:45  C:\Program Files\AIM\aim .exe
----a-w		 2,321,600 2008-01-05 23:18:02  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w			65,536 2007-12-27 07:25:16  C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w		   102,400 2008-01-06 07:47:31  C:\Program Files\Creative\SBLive\Program\AHQInit .exe
----a-w			21,504 2008-01-06 07:47:31  C:\Program Files\Creative\SBLive\Program\CTAvTray .EXE
----a-w		   191,488 2008-01-06 07:47:31  C:\Program Files\Creative\ShareDLL\CtNotify .exe
----a-w		   847,872 2007-12-31 12:34:20  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w		   406,016 2008-01-08 11:39:52  C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w		   132,496 2008-01-06 07:47:41  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 1,670,144 2007-12-24 15:40:26  C:\Program Files\Messenger\msmsgs .exe
------w			69,632 2008-01-06 07:47:32  C:\Program Files\PestPatrol\CookiePatrol .exe
------w			53,248 2008-01-06 07:47:32  C:\Program Files\PestPatrol\PPControl .exe
------w		   148,480 2008-01-06 07:47:32  C:\Program Files\PestPatrol\PPMemCheck .exe
----a-w		   319,488 2007-12-27 07:25:22  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w		   868,352 2007-12-27 07:25:24  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w		   528,384 2007-12-24 15:40:07  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
----a-w		 1,266,936 2008-01-06 06:27:06  C:\Program Files\Steam\steam .exe
----a-w		 1,318,912 2008-01-05 07:02:20  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		 2,560,000 2007-12-24 15:40:18  C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
----a-w			90,112 2007-12-27 07:25:16  C:\WINDOWS\Updreg .exe
----a-w		   145,408 2007-12-27 08:14:08  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [ ]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [ ]
"CTAvTray"="C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-10-04 17:14 8491008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
--a------ 2003-07-08 02:00 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\jkhhf.exe

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 13:10]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-10 22:34:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 06:33:51
ComboFix2.txt 2008-01-06 08:36:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:03 PM, on 1/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196927852979
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197437018812
O17 - HKLM\System\CCS\Services\Tcpip\..\{39CE64A7-2707-445E-9F3F-3272174FFEA7}: NameServer = 68.105.28.11,68.105.29.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3669 bytes

#6 RenatoMejias

  • Malware Response Team

Posted 12 January 2008 - 08:11 AM

Hi :thumbsup:.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\jkhhf.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
RenV::
----a-w 144,896 2008-01-06 08:58:42 C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe
----a-w 144,896 2008-01-08 11:45:30 C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe
----a-w 67,112 2008-01-06 07:47:45 C:\Program Files\AIM\aim .exe
----a-w 2,321,600 2008-01-05 23:18:02 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w 65,536 2007-12-27 07:25:16 C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w 102,400 2008-01-06 07:47:31 C:\Program Files\Creative\SBLive\Program\AHQInit .exe
----a-w 21,504 2008-01-06 07:47:31 C:\Program Files\Creative\SBLive\Program\CTAvTray .EXE
----a-w 191,488 2008-01-06 07:47:31 C:\Program Files\Creative\ShareDLL\CtNotify .exe
----a-w 847,872 2007-12-31 12:34:20 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w 406,016 2008-01-08 11:39:52 C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w 132,496 2008-01-06 07:47:41 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,670,144 2007-12-24 15:40:26 C:\Program Files\Messenger\msmsgs .exe
------w 69,632 2008-01-06 07:47:32 C:\Program Files\PestPatrol\CookiePatrol .exe
------w 53,248 2008-01-06 07:47:32 C:\Program Files\PestPatrol\PPControl .exe
------w 148,480 2008-01-06 07:47:32 C:\Program Files\PestPatrol\PPMemCheck .exe
----a-w 319,488 2007-12-27 07:25:22 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w 868,352 2007-12-27 07:25:24 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w 528,384 2007-12-24 15:40:07 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
----a-w 1,266,936 2008-01-06 06:27:06 C:\Program Files\Steam\steam .exe
----a-w 1,318,912 2008-01-05 07:02:20 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 2,560,000 2007-12-24 15:40:18 C:\Program Files\Veoh Networks\Veoh\VeohClient .exe
----a-w 90,112 2007-12-27 07:25:16 C:\WINDOWS\Updreg .exe
----a-w 145,408 2007-12-27 08:14:08 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in Portuguese
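The logs in this thread carry the two indicators the helper's CFScript acts on: the `F3 - REG:win.ini: load=` entry pointing at jkhhf.exe, and a run of executables whose names carry a space before the extension (`aim .exe`, `Updreg .exe`) that the RenV:: section renames back. As an added example that is not part of the thread, the Python script below flags both patterns in a HijackThis log and reports the name a rename would restore; the sample log lines, the rule names and the extension list are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2.0.2 layout, modelled on entries from this
# thread (not a copy of the full log posted there).
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\AIM\\aim .exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\\WINDOWS\\System32\\jkhhf.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [MSConfig] C:\\Documents and Settings\\Mike\\Desktop\\msconfig\\msconfig .exe /auto
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\\Program Files\\AIM\\aim .exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Rule 1: F0-F3 entries are the shell=/load=/run= values of win.ini / system.ini
# (F2/F3 are their registry-mapped equivalents). On a healthy XP box load= is
# normally empty, so any program named there deserves a look.
WININI_RE = re.compile(
    r"^F[0-3]\s+-\s+(?:REG:)?(?:win|system)\.ini:\s*(?P<key>load|run|shell)=(?P<value>.+)$",
    re.IGNORECASE,
)

# Rule 2: a Windows path whose file name carries whitespace right before the
# extension ("aim .exe"). The lazy body stops at the first such spot, and the
# character class excludes quotes/brackets so a match never runs across the
# log's own markup. The extension list is an assumption for this example.
SPACED_EXT_RE = re.compile(
    r"[A-Za-z]:\\[^\r\n\"\[\]]*?\S\s+\.(?:exe|dll|com|scr)\b",
    re.IGNORECASE,
)


def normalized_name(path: str) -> str:
    """Return the path with the whitespace before the extension removed,
    i.e. the name a RenV:: rename restores ("Updreg .exe" -> "Updreg.exe")."""
    return re.sub(r"\s+(\.[A-Za-z0-9]+)$", r"\1", path)


def analyze_hjt(log_text: str) -> List[Dict[str, object]]:
    """Scan a HijackThis log and return one finding per matched rule, in file order."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        m = WININI_RE.match(line)
        if m:
            findings.append({
                "line": lineno,
                "rule": "win.ini-load",
                "key": m.group("key").lower(),
                "value": m.group("value").strip(),
                "text": line,
            })
        m = SPACED_EXT_RE.search(line)
        if m:
            findings.append({
                "line": lineno,
                "rule": "space-before-extension",
                "path": m.group(0),
                "rename_to": normalized_name(m.group(0)),
                "text": line,
            })
    return findings


def report(findings: List[Dict[str, object]]) -> str:
    """Render findings as one human-readable line each."""
    out = []
    for f in findings:
        if f["rule"] == "win.ini-load":
            out.append(f"line {f['line']}: win.ini {f['key']}= points at {f['value']}")
        else:
            out.append(f"line {f['line']}: {f['path']!r} -> expected {f['rename_to']!r}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze_hjt(SAMPLE_HJT_LOG)))
```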

#7 Naruto_Kun

  • Topic Starter

Posted 12 January 2008 - 08:33 PM

Hi, after your instructions here are the new ComboFix log and hijack log.

ComboFix 08-01-10.2 - Mike 2008-01-12 17:24:46.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.440 [GMT -8:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\System32\jkhhf.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-10 22:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 03:29 . 2008-01-08 03:29 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 23:36 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 23:35 . 2008-01-05 23:36 <DIR> d-------- C:\Program Files\Java
2008-01-05 23:35 . 2008-01-05 23:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-05 23:21 . 2008-01-05 23:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-27 00:57 . 2007-12-28 14:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-27 00:47 . 2007-12-27 00:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-26 23:49 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 23:24 . 2007-12-26 23:24 <DIR> d-------- C:\WINDOWS\LogFiles
2007-12-25 18:17 . 2007-12-27 00:14 145,408 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-24 07:39 . 2007-12-26 23:25 90,112 --a------ C:\WINDOWS\Updreg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 01:24 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-13 01:24 --------- d-----w C:\Program Files\Steam
2008-01-13 01:24 --------- d-----w C:\Program Files\PestPatrol
2008-01-13 01:24 --------- d-----w C:\Program Files\AIM
2008-01-13 01:00 --------- d-----w C:\Program Files\Warcraft III
2008-01-12 05:03 --------- d-----w C:\Documents and Settings\Mike\Application Data\Roxio
2008-01-06 08:29 --------- d-----w C:\Program Files\AOD
2007-12-27 08:55 --------- d-----w C:\Program Files\RogueRemover FREE
2007-12-27 08:14 145,408 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\Mike\Application Data\Yahoo!
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-12 07:32 --------- d-----w C:\Program Files\Sony
2007-12-12 07:23 --------- d-----w C:\Program Files\Sony Setup
2007-12-12 07:23 --------- d-----w C:\Documents and Settings\Mike\Application Data\Sony Setup
2007-12-12 07:19 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-12-12 07:18 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-12 07:18 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\Mike\Application Data\Sony Ericsson
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-05 04:47 --------- d-----w C:\Program Files\PokerStars
2007-11-24 02:43 --------- d-----w C:\Program Files\Yahoo!
2007-11-22 04:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-22 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-14 20:38 --------- d-----w C:\Program Files\Ventrilo
2007-11-14 20:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 10:43 112 ----a-w C:\PPCleanDeleteAtReboot.bat
.
<pre>
----a-w		   144,896 2008-01-06 08:58:42  C:\Documents and Settings\Mike\Desktop\msconfig\msconfig  .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-10_22.33.45.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 06:30:37 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 01:24:41 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 06:30:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 01:24:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 06:30:37 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 01:24:41 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 06:30:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 01:24:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 06:30:37 3,366,912 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 01:24:41 3,366,912 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 06:30:37 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 01:24:41 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 06:32:26 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-11 22:13:14 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-11 06:32:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-11 22:13:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-11 06:32:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-11 22:13:14 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2008-01-05 23:47 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2008-01-05 23:47 191488]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2008-01-05 23:47 102400]
"CTAvTray"="C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" [2008-01-05 23:47 21504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-05 23:47 132496]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-10-04 17:14 8491008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-01-05 15:18 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
--a------ 2003-07-08 02:00 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 13:10]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-12 17:26:36
ComboFix-quarantined-files.txt 2008-01-13 01:25:46
ComboFix2.txt 2008-01-11 06:34:41
ComboFix3.txt 2008-01-06 08:36:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:51 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim .exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\Programs\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196927852979
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197437018812
O17 - HKLM\System\CCS\Services\Tcpip\..\{39CE64A7-2707-445E-9F3F-3272174FFEA7}: NameServer = 68.105.28.11,68.105.29.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3697 bytes

#8 RenatoMejias
  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 13 January 2008 - 07:48 AM

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Renv::
C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

After the reboot please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#9 Naruto_Kun
  • Topic Starter
  • Members
  • 5 posts
  • Local time:04:39 PM

Posted 14 January 2008 - 05:46 PM

Hi, I just did the ComboFix along with running the Kaspersky scan; here are the reports. Also, the Kaspersky report is too big and won't paste. It freezes my internet browser every time I try to paste it, and I also tried to upload it as a file and it won't upload either.

ComboFix 08-01-10.2 - Mike 2008-01-14 3:18:49.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.726 [GMT -8:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-10 22:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 03:29 . 2008-01-08 03:29 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-08 03:28 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 23:36 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 23:35 . 2008-01-05 23:36 <DIR> d-------- C:\Program Files\Java
2008-01-05 23:35 . 2008-01-05 23:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-05 23:21 . 2008-01-05 23:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-27 00:57 . 2007-12-28 14:12 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-27 00:47 . 2007-12-27 00:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-26 23:49 . 2008-01-08 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 23:24 . 2007-12-26 23:24 <DIR> d-------- C:\WINDOWS\LogFiles
2007-12-25 18:17 . 2007-12-27 00:14 145,408 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-24 07:39 . 2007-12-26 23:25 90,112 --a------ C:\WINDOWS\Updreg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 11:17 --------- d-----w C:\Program Files\Warcraft III
2008-01-13 01:24 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-13 01:24 --------- d-----w C:\Program Files\Steam
2008-01-13 01:24 --------- d-----w C:\Program Files\PestPatrol
2008-01-13 01:24 --------- d-----w C:\Program Files\AIM
2008-01-12 05:03 --------- d-----w C:\Documents and Settings\Mike\Application Data\Roxio
2008-01-06 08:29 --------- d-----w C:\Program Files\AOD
2007-12-27 08:55 --------- d-----w C:\Program Files\RogueRemover FREE
2007-12-27 08:14 145,408 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\Mike\Application Data\Yahoo!
2007-12-19 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-12 07:32 --------- d-----w C:\Program Files\Sony
2007-12-12 07:23 --------- d-----w C:\Program Files\Sony Setup
2007-12-12 07:23 --------- d-----w C:\Documents and Settings\Mike\Application Data\Sony Setup
2007-12-12 07:19 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-12-12 07:18 --------- d-----w C:\Program Files\Sony Ericsson
2007-12-12 07:18 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\Mike\Application Data\Sony Ericsson
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-12-12 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-05 04:47 --------- d-----w C:\Program Files\PokerStars
2007-11-24 02:43 --------- d-----w C:\Program Files\Yahoo!
2007-11-22 04:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-22 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-14 20:38 --------- d-----w C:\Program Files\Ventrilo
2007-11-14 20:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 10:43 112 ----a-w C:\PPCleanDeleteAtReboot.bat
.
----a-w            144,896 2008-01-06 08:58:42  C:\Documents and Settings\Mike\Desktop\msconfig\msconfig  .exe


((((((((((((((((((((((((((((( snapshot@2008-01-10_22.33.45.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 06:30:37 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 11:18:42 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 06:30:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 11:18:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 06:30:37 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 11:18:42 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 06:30:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 11:18:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 06:30:37 3,366,912 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-14 11:18:42 3,366,912 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 06:30:37 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 11:18:42 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 06:32:26 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-14 04:26:00 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-11 06:32:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-14 04:26:00 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-11 06:32:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-14 04:26:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2008-01-05 23:47 67112]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-24 07:40 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2008-01-05 23:47 191488]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2008-01-05 23:47 102400]
"CTAvTray"="C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" [2008-01-05 23:47 21504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-05 23:47 132496]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-10-04 17:14 8491008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CTAVTray"="C:\Program Files\Creative\SBLive\Program\CTAvStub.exe" [2000-08-08 00:00 14848]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-01-05 15:18 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
--a------ 2003-07-08 02:00 99840 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe

R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 13:10]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
C:\WINDOWS\unimontr.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?` ????B???@???@?? C???????@?????????@?B???A???????A?? ????B???@?????P?????@?P ?????????w??????????@???????????????????B?????? ????????????????????????????B
CTAvTray = C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE??sD???#??w????D???e??w????7??w??????_???_?????????????????????????????????????????????X????????V?wI??s???s@????????L2????sx??sD???????B-?s????H??????s?????L2??L2?????H????9?s?82? @@????? @@??L2??8?s??
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
CTAVTray = C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI??w????D???e??w????7??w??????_???_?????????????????????????????????????????????X????????V?wI??s???s@????????L2????sx??sD???????B-?s????H??????s?????L2??L2?????H????9?s?82? @@????? @@??L2??8?s??

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2008-01-14 3:21:12
ComboFix-quarantined-files.txt 2008-01-14 11:20:22
ComboFix2.txt 2008-01-13 01:26:37
ComboFix3.txt 2008-01-11 06:34:41
ComboFix4.txt 2008-01-06 08:36:15

#10 RenatoMejias
  • Malware Response Team
  • 913 posts
  • Gender:Male
  • Local time:08:39 PM

Posted 17 January 2008 - 07:04 AM

I have some questions:
  • Seeing this file path:

    C:\Documents and Settings\Mike\Desktop\msconfig\msconfig .exe

    it is not the default path for msconfig.exe. I would like to know: have you downloaded this msconfig.exe, which is located in the above file path?
  • Do you use disk encryption software?

Try to zip the Kaspersky scan report and try attaching it again.
Renato Victor Mejias
Malware help in portuguese
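The two things the helper is asking about, a copy of msconfig.exe sitting in a Desktop folder instead of its normal Windows location, and an executable name with a space squeezed in before the extension (msconfig  .exe, and aim .exe in the HijackThis O9 line), are the kind of lookalike indicators worth checking mechanically when reading a pasted log. The script below is an added example written for this thread; it is not part of the original posts and not code from HijackThis or ComboFix. The sample log lines are copied from the logs posted above, and the table of expected locations for a few Windows XP binaries is an assumption for the example, not an authoritative list.

```python
"""Triage helper for pasted HijackThis / ComboFix logs.

Flags executable paths that (1) have whitespace before the extension
(a lookalike of a legitimate name), (2) carry the name of a known
Windows binary but live outside its expected directory, or (3) are
autostart entries pointing at a missing file.

Added example for this thread; not HijackThis or ComboFix code.
"""
import re

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
----a-w            144,896 2008-01-06 08:58:42  C:\Documents and Settings\Mike\Desktop\msconfig\msconfig  .exe
2007-12-25 18:17 . 2007-12-27 00:14 145,408 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
""".strip()

# Assumption for this example: where these Windows XP binaries normally live.
# Build this table from a known-good machine rather than trusting it blindly.
EXPECTED_DIRS = {
    "msconfig.exe": {r"c:\windows\pchealth\helpctr\binaries", r"c:\windows\system32\dllcache"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
}

# A drive-letter path ending in a PE extension. The file-name part may contain
# spaces, which is exactly the "aim .exe" case we want to catch.
PATH_RE = re.compile(
    r"[A-Za-z]:\\(?:[^\\\r\n]+\\)*[^\\\r\n]*?\.(?:exe|dll|sys|cpl)\b", re.IGNORECASE
)


def extract_paths(line):
    """Return every PE-looking path mentioned on one log line."""
    return PATH_RE.findall(line)


def check_path(path, line):
    """Return the reasons (possibly none) a single path deserves a second look."""
    reasons = []
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    if stem != stem.rstrip():
        reasons.append("whitespace before extension (lookalike of %r)" % (stem.strip() + "." + ext))
    # Collapse the whitespace so "msconfig  .exe" is compared as msconfig.exe.
    canonical = re.sub(r"\s+", "", name).lower()
    expected = EXPECTED_DIRS.get(canonical)
    if expected is not None and directory.lower() not in expected:
        reasons.append("%s outside its expected location (%s)" % (canonical, directory))
    if "(file missing)" in line:
        reasons.append("autostart entry points at a missing file")
    return reasons


def triage(log_text):
    """Scan a pasted log; return [(line_no, path, [reasons]), ...] for suspicious paths."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for path in extract_paths(line):
            reasons = check_path(path, line)
            if reasons:
                findings.append((line_no, path, reasons))
    return findings


if __name__ == "__main__":
    for line_no, path, reasons in triage(SAMPLE_LOG):
        print("line %d: %s" % (line_no, path))
        for reason in reasons:
            print("    - " + reason)
```

Run it against the sample and only the two lookalikes are reported: the missing aim .exe button handler and the Desktop copy of msconfig  .exe, while the real dllcache msconfig.exe and the ordinary AIM and NVIDIA entries pass. Size alone is also a hint here (144,896 bytes on the Desktop versus 145,408 for the genuine dllcache and PCHealth copies in the same log), but a hash comparison against a known-good copy is the reliable check.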