Infected With Trojan.vundo Virus


  • This topic is locked
14 replies to this topic

#1 scw

  • Members
  • 7 posts

Posted 09 January 2008 - 01:08 PM

My computer at work has been running very slowly, virtual memory being clogged and sometimes closing down out of Explorer. I did a scan and discovered that I have the Trojan.Vundo virus on my computer. None of my efforts thus far have been successful in removing it. I need to remove this from my computer so I can get back to doing my work! Thanks so much!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:07 PM, on 1/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\S3apphk.exe
C:\WINNT\system32\wfxsnt40.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CC16A0B5-4DBD-475C-A466-2F40794FC1BA} - C:\WINNT\system32\iifcd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/094d49cb2a12e0871017/netzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192202300562
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINNT\SYSTEM32\VundoFixSVC.exe

--
End of file - 6221 bytes
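
The HijackThis log above carries the two signs a responder would key on: an O2 BHO entry with "(no name)" whose DLL sits directly in system32 under a meaningless name (iifcd.dll), and, once the second log further down is compared with this one, the same DLL registered under a different CLSID. The following Python is an added example, not part of the original post or of HijackThis itself; the sample lines are copied from the two logs in this thread, and the severity labels, the SYSTEM_DIRS list and the heuristics are this example's own assumptions.

```python
"""Triage of HijackThis O2 (BHO) and O23 (service) lines.

Added example; not part of the forum post. The sample lines below are
copied from the two HijackThis logs posted in this thread.
"""
from __future__ import annotations
import re
from typing import NamedTuple

# Excerpt of the first HijackThis log above (scan of 1/9/2008).
HJT_SCAN_1 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CC16A0B5-4DBD-475C-A466-2F40794FC1BA} - C:\WINNT\system32\iifcd.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINNT\SYSTEM32\VundoFixSVC.exe
"""
# Excerpt of the second log in the thread (scan of 1/10/2008): same DLL, new CLSID.
HJT_SCAN_2 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D82A873-5FD3-4860-B064-801E7B614E44} - C:\WINNT\system32\iifcd.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.+)$")

# Assumed system directories (Windows 2000 uses WINNT, later versions WINDOWS).
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")


class Entry(NamedTuple):
    section: str   # "O2" or "O23"
    name: str      # display name, "(no name)" for an anonymous BHO
    clsid: str     # BHO CLSID, empty for services
    owner: str     # service publisher as HJT reports it, empty for BHOs
    path: str      # on-disk path of the DLL or EXE


def parse_hjt(text: str) -> list[Entry]:
    """Parse O2 and O23 lines; other HJT sections are ignored here."""
    entries = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"].upper(), "", m["path"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], "", m["owner"], m["path"]))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        in_sysdir = any(d in e.path.lower() for d in SYSTEM_DIRS)
        if e.section == "O2" and e.name == "(no name)" and in_sysdir:
            # An anonymous BHO whose DLL sits directly in system32 under a
            # random-looking name: the pattern iifcd.dll shows in this log.
            findings.append(("high", f"unnamed BHO {{{e.clsid}}} loads {e.path}"))
        elif e.section == "O23" and e.owner == "Unknown owner":
            # HJT could not read a publisher. Legitimate for some older
            # software (as for rtvscan.exe here), but confirm with the vendor.
            findings.append(("review", f"service '{e.name}' has no publisher: {e.path}"))
    return findings


def changed_clsids(scan_a: str, scan_b: str) -> list[str]:
    """DLLs registered as a BHO in both scans but under a different CLSID.

    A legitimate BHO keeps its CLSID across reboots. In this thread the
    same iifcd.dll appears under a new CLSID in every log, so a changed
    CLSID for an unchanged path is a stronger signal than either scan alone.
    """
    def bho_map(text: str) -> dict[str, str]:
        return {e.path.lower(): e.clsid for e in parse_hjt(text) if e.section == "O2"}
    a, b = bho_map(scan_a), bho_map(scan_b)
    return sorted(p for p in a.keys() & b.keys() if a[p] != b[p])


if __name__ == "__main__":
    for sev, msg in flag_entries(parse_hjt(HJT_SCAN_1)):
        print(f"[{sev}] {msg}")
    for dll in changed_clsids(HJT_SCAN_1, HJT_SCAN_2):
        print(f"[high] BHO CLSID changed between scans for {dll}")
```

Running it against the two excerpts flags iifcd.dll twice: once as an unnamed system32 BHO in the first log, and once because its CLSID changed between the scans. The "review" finding for rtvscan.exe is a reminder that "Unknown owner" alone is not evidence of anything; HijackThis simply could not read a publisher string.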


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 January 2008 - 09:53 AM

Hi,

Your version of Norton is really outdated!!!! Ever considered another Antivirus?

Anyway, I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,
* Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.
For more detailed instructions how to use Combofix, see here.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Note - Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 scw

  • Topic Starter
  • Members
  • 7 posts

Posted 10 January 2008 - 05:41 PM

Hello,

After I ran Combofix I was no longer able to restore my network connections or access the internet. Do you know why this happened & how I can fix it? Here are the two log files. Thanks for your continued assistance.

ComboFix 08-01-10.2 - Administrator 2008-01-10 17:25:28.3 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\dcfii.ini
C:\WINNT\system32\dcfii.ini2
.
---- Previous Run -------
.
C:\WINNT\system32\dcfii.ini
C:\WINNT\system32\dcfii.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 17:32 . 08-01-10 17:32 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_304.dat
2008-01-10 17:32 . 08-01-10 17:32 0 --a----t- C:\WINNT\system32\Perflib_Perfdata_27c.dat
2008-01-10 16:03 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-09 12:53 . 08-01-09 12:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 14:13 . 08-01-08 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-08 13:38 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-01-08 13:35 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\vjqnsvmivgwq.sys
2008-01-08 13:29 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\RkPavProc.sys
2008-01-08 13:08 . 08-01-08 13:35 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2008-01-08 13:08 . 08-01-08 13:08 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-01-08 13:08 . 08-01-08 13:08 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-01-08 13:08 . 08-01-08 13:08 1,406 --a------ C:\WINNT\system32\Help.ico
2008-01-08 11:19 . 08-01-08 12:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 17:04 . 08-01-07 17:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-07 17:04 . 08-01-07 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-07 17:03 . 08-01-07 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 17:23 . 08-01-10 16:24 464,570 ---h----- C:\WINNT\ShellIconCache
2008-01-03 17:16 . 08-01-03 17:16 <DIR> d-a------ C:\WINNT\system32\Windows Media
2008-01-03 17:13 . 08-01-03 17:13 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-01-03 17:13 . 08-01-03 17:14 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-01-03 17:05 . 08-01-03 17:05 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2008-01-03 16:55 . 08-01-03 16:55 <DIR> d-------- C:\WINNT\mui
2008-01-03 16:55 . 08-01-03 16:56 957 --a------ C:\WINNT\setup.inf
2008-01-03 16:55 . 08-01-03 16:56 283 --a------ C:\WINNT\setup.rpt
2008-01-02 19:25 . 08-01-02 19:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-12-28 12:57 . 08-01-08 16:03 <DIR> d-------- C:\VundoFix Backups
2007-12-27 19:47 . 07-12-27 19:47 6 --a------ C:\WINNT\system32\84a4f70f
2007-12-20 09:35 . 07-12-20 09:35 314,624 --------- C:\WINNT\system32\iifcd.dll
2007-12-17 10:52 . 07-12-19 17:54 320 --ahs---- C:\WINNT\system32\uvwxx.ini
2007-12-17 10:47 . 07-12-17 10:47 24,336 --a------ C:\WINNT\system32\wvuvuuu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Allison
2008-01-09 19:31 --------- d-----w C:\Program Files\Navnt
2007-12-12 21:52 17,712 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-11 20:40 82,799 ----a-w C:\WINNT\Fonts\mutlu_ornamental.zip
2007-04-11 20:40 162,852 ----a-w C:\WINNT\Fonts\route_3.zip
2007-04-11 19:31 51,328 ----a-w C:\WINNT\Fonts\dreaming_of_lilian.zip
2007-04-11 19:31 128,796 ----a-w C:\WINNT\Fonts\cocaine_sans.zip
2007-04-11 19:30 63,454 ----a-w C:\WINNT\Fonts\lakestreet.zip
2007-04-11 19:29 242,434 ----a-w C:\WINNT\Fonts\bleep_you_las_vegas.zip
2007-04-11 19:28 79,738 ----a-w C:\WINNT\Fonts\broken_ghost.zip
2002-06-28 20:05 271 ---h--w C:\Program Files\desktop.ini
2002-06-28 20:05 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06B88E20-4B97-41BE-BCCD-F755987ED8FC}]
07-12-20 09:35 314624 --a------ C:\WINNT\system32\iifcd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"S3apphk"="S3apphk.exe" [01-12-04 11:02 28672 C:\WINNT\system32\S3apphk.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [02-02-27 10:27 75384]
"WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-28 22:58 43008 C:\WINNT\system32\WFXSNT40.EXE]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [01-08-24 12:38 73808]
"vptray"="C:\PROGRA~1\Navnt\vptray.exe" [99-10-15 06:00 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-12-14 12:14 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07-06-22 17:32 95960]
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-02 17:48 236816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [01-08-24 12:41 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-10-01 11:50:20]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [02-10-23 09:22 86016]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\iifcd.dll

R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [01-12-18 09:45 ]
R3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM9X.sys [01-10-25 01:43 ]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [02-02-05 05:03 ]
R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [01-12-27 07:09 ]
S3 SDdriver;SDdriver;C:\WINNT\System32\Drivers\sddriver.sys [02-01-30 05:00 ]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [01-12-05 15:36 ]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-21 00:00:00 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-10-12 21:50:04 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
"2008-01-10 20:58:47 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 17:33:20
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe?~1\LOCALS~1\Temp?TMP=C:\DOCUME~1\ADMINI~1\

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [5.00.3700.6690]
-> C:\WINNT\system32\iifcd.dll
.
Completion time: 2008-01-10 17:37:29 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-01-10 22:37:05
ComboFix2.txt 2008-01-10 21:22:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:24 PM, on 1/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\S3apphk.exe
C:\WINNT\system32\wfxsnt40.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2D82A873-5FD3-4860-B064-801E7B614E44} - C:\WINNT\system32\iifcd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/094d49cb2a12e0871017/netzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192202300562
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINNT\SYSTEM32\VundoFixSVC.exe

--
End of file - 5610 bytes

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 January 2008 - 04:08 AM

Hi,

Combofix does indeed disconnect your Computer from the internet, so to restore it afterwards, see here: http://www.bleepingcomputer.com/combofix/h...ombofix#restore

But we need to do some extra steps now first before you restore it since we need to run Combofix again which will again disconnect..

Do next please..

First of all, disable your Norton, because it looks like it is interfering here..
Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINNT\SYSTEM32\VundoFixSVC.exe
C:\WINNT\system32\VundoFixSVC.exe
C:\WINNT\system32\84a4f70f
C:\WINNT\system32\iifcd.dll
C:\WINNT\system32\uvwxx.ini
C:\WINNT\system32\wvuvuuu.dll
C:\WINNT\Fonts\mutlu_ornamental.zip
C:\WINNT\Fonts\route_3.zip
C:\WINNT\Fonts\dreaming_of_lilian.zip
C:\WINNT\Fonts\cocaine_sans.zip
C:\WINNT\Fonts\lakestreet.zip
C:\WINNT\Fonts\bleep_you_las_vegas.zip
C:\WINNT\Fonts\broken_ghost.zip

Folder::
C:\VundoFix Backups

Driver::
VundoFixSvc

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06B88E20-4B97-41BE-BCCD-F755987ED8FC}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"=-


Save this as text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
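
The Registry:: block in the post above does two things worth understanding. The ComboFix log showed iifcd.dll listed under HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Authentication Packages" next to msv1_0; anything named there is loaded into lsass.exe when the system boots, which is why the DLL was in memory before any scanner ran and why plain file deletion kept failing. The fix rewrites that REG_MULTI_SZ value in REGEDIT4 syntax, where hex(7) is the list of strings as ANSI bytes, each terminated by a NUL and the whole list by a second NUL: 6d,73,76,31,5f,30,00,00 is exactly "msv1_0" and nothing else. The Python below is an added example, not ComboFix's code or the helper's; it decodes and encodes that hex(7) form, pulls the package list out of the ComboFix log excerpt copied from earlier in this thread, and rebuilds the Registry:: section for a given allow list. The allow list default (msv1_0 only, the Windows 2000 default) and the function names are this example's assumptions.

```python
"""Decode/encode the REGEDIT4 hex(7) value used in the CFScript above.

Added example; not ComboFix's own code. The log excerpt is copied from
the ComboFix log posted earlier in the thread.
"""
from __future__ import annotations
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log above.
COMBOFIX_REG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\iifcd.dll
"""

LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
AUTH_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$")


def decode_hex7(value: str) -> list[str]:
    """hex(7) is REG_MULTI_SZ: NUL-separated strings ending in a double NUL.
    In the REGEDIT4 format (which CFScript uses) the bytes are ANSI."""
    data = bytes(int(h, 16) for h in value.split(",") if h.strip())
    data = data.rstrip(b"\x00")
    return [s.decode("latin-1") for s in data.split(b"\x00")] if data else []


def encode_hex7(strings: list[str]) -> str:
    """Inverse of decode_hex7: ["msv1_0"] -> "6d,73,76,31,5f,30,00,00"."""
    data = b"\x00".join(s.encode("latin-1") for s in strings) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def parse_auth_packages(log: str) -> list[str]:
    """Pull the Authentication Packages list out of a ComboFix log.
    ComboFix prints the strings space-separated, so a path containing a
    space would need manual splitting; none occurs in this log."""
    for line in log.splitlines():
        if m := AUTH_RE.match(line):
            return m.group(1).split()
    return []


def build_lsa_fix(packages: list[str], allowed=("msv1_0",)) -> tuple[str, list[str]]:
    """Return the Registry:: section that resets the value to the allowed
    packages, plus the entries that would be dropped, for review before
    the script is run. msv1_0 is the only default package on Windows 2000;
    extend `allowed` if a legitimate third-party package is installed."""
    allow = {a.lower() for a in allowed}
    keep = [p for p in packages if p.lower() in allow]
    dropped = [p for p in packages if p.lower() not in allow]
    script = "\n".join([
        "Registry::",
        LSA_KEY,
        f'"Authentication Packages"=hex(7):{encode_hex7(keep)}',
    ])
    return script, dropped


if __name__ == "__main__":
    pkgs = parse_auth_packages(COMBOFIX_REG_EXCERPT)
    script, dropped = build_lsa_fix(pkgs)
    print("loaded into lsass.exe at boot:", pkgs)
    print("would remove:", dropped)
    print(script)
    print("decoded:", decode_hex7("6d,73,76,31,5f,30,00,00"))
```

Review the dropped list before putting the generated lines into a CFScript: removing a package that a legitimate product registered breaks logon for that product, while leaving a rogue one in place means the DLL is back in lsass.exe on the next boot. The `"DW4"=-` line in the same script is the other REGEDIT4 idiom used here: a value set to `-` is deleted rather than written.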

#5 scw

  • Topic Starter
  • Members
  • 7 posts

Posted 11 January 2008 - 11:49 AM

Hello again,

I ran Combofix again with the CFScript file. I did forget to disable Norton but I did not rerun it because I wasn't sure if this would disrupt things. Below are the logs. Let me know if I should rerun Combofix. Also, I went to check about enabling my internet connection but repair is not an option on the menu. Is this because I'm using Windows 2000? Is there another way to enable the connection?

ComboFix 08-01-10.2 - Administrator 01/11/2008 11:13:13.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\WINNT\Fonts\bleep_you_las_vegas.zip
C:\WINNT\Fonts\broken_ghost.zip
C:\WINNT\Fonts\cocaine_sans.zip
C:\WINNT\Fonts\dreaming_of_lilian.zip
C:\WINNT\Fonts\lakestreet.zip
C:\WINNT\Fonts\mutlu_ornamental.zip
C:\WINNT\Fonts\route_3.zip
C:\WINNT\system32\84a4f70f
C:\WINNT\system32\iifcd.dll
C:\WINNT\system32\uvwxx.ini
C:\WINNT\system32\VundoFixSVC.exe
C:\WINNT\SYSTEM32\VundoFixSVC.exe
C:\WINNT\system32\wvuvuuu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINNT\Fonts\broken_ghost.zip
C:\WINNT\Fonts\cocaine_sans.zip
C:\WINNT\Fonts\dreaming_of_lilian.zip
C:\WINNT\Fonts\lakestreet.zip
C:\WINNT\Fonts\mutlu_ornamental.zip
C:\WINNT\Fonts\route_3.zip
C:\WINNT\system32\84a4f70f
C:\WINNT\system32\dcfii.ini
C:\WINNT\system32\dcfii.ini2
C:\WINNT\system32\iifcd.dll
C:\WINNT\system32\uvwxx.ini
C:\WINNT\system32\VundoFixSVC.exe
C:\WINNT\system32\wvuvuuu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VUNDOFIXSVC
-------\VundoFixSvc


((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 11:25 . 08-01-11 11:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_270.dat
2008-01-10 16:03 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-09 12:53 . 08-01-09 12:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 14:13 . 08-01-08 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-08 13:38 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-01-08 13:35 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\vjqnsvmivgwq.sys
2008-01-08 13:29 . 07-06-08 09:44 8,576 --a------ C:\WINNT\system32\drivers\RkPavProc.sys
2008-01-08 13:08 . 08-01-08 13:35 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2008-01-08 13:08 . 08-01-08 13:08 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-01-08 13:08 . 08-01-08 13:08 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-01-08 13:08 . 08-01-08 13:08 1,406 --a------ C:\WINNT\system32\Help.ico
2008-01-08 11:19 . 08-01-08 12:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 17:04 . 08-01-07 17:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-07 17:04 . 08-01-07 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-07 17:03 . 08-01-07 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 17:23 . 08-01-10 19:18 556,352 ---h----- C:\WINNT\ShellIconCache
2008-01-03 17:16 . 08-01-03 17:16 <DIR> d-a------ C:\WINNT\system32\Windows Media
2008-01-03 17:13 . 08-01-03 17:13 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-01-03 17:13 . 08-01-03 17:14 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-01-03 17:05 . 08-01-03 17:05 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2008-01-03 16:55 . 08-01-03 16:55 <DIR> d-------- C:\WINNT\mui
2008-01-03 16:55 . 08-01-03 16:56 957 --a------ C:\WINNT\setup.inf
2008-01-03 16:55 . 08-01-03 16:56 283 --a------ C:\WINNT\setup.rpt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 14:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Allison
2008-01-09 19:31 --------- d-----w C:\Program Files\Navnt
2007-12-12 21:52 17,712 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-31 07:17 230,912 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-29 17:57 791,824 ----a-w C:\WINNT\system32\quartz.dll
2007-10-16 11:34 513,808 ----a-w C:\WINNT\system32\LSASRV.DLL
2007-04-11 19:29 242,434 ----a-w C:\WINNT\Fonts\bleep_you_las_vegas.zip
2002-06-28 20:05 271 ---h--w C:\Program Files\desktop.ini
2002-06-28 20:05 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 2008-01-10_16.20.43.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 21:04:48 2,764,800 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-11 16:12:23 2,772,992 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 21:04:49 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-11 16:12:24 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4E4D5A-8F28-4A5B-94DA-09D3D484294E}]
C:\WINNT\system32\iifcd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"S3apphk"="S3apphk.exe" [01-12-04 11:02 28672 C:\WINNT\system32\S3apphk.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [02-02-27 10:27 75384]
"WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-28 22:58 43008 C:\WINNT\system32\WFXSNT40.EXE]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [01-08-24 12:38 73808]
"vptray"="C:\PROGRA~1\Navnt\vptray.exe" [99-10-15 06:00 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-12-14 12:14 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07-06-22 17:32 95960]
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-02 17:48 236816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [01-08-24 12:41 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-10-01 11:50:20]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [02-10-23 09:22 86016]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\iifcd.dll

R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [01-12-18 09:45 ]
R3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM9X.sys [01-10-25 01:43 ]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [02-02-05 05:03 ]
R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [01-12-27 07:09 ]
S3 SDdriver;SDdriver;C:\WINNT\System32\Drivers\sddriver.sys [02-01-30 05:00 ]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [01-12-05 15:36 ]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-21 00:00:00 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-10-12 21:50:04 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
"2008-01-10 20:58:47 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 11:26:36
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe?~1\LOCALS~1\Temp?TMP=C:\DOCUME~1\ADMINI~1\

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 11:28:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 16:28:33
ComboFix2.txt 2008-01-10 22:37:29
ComboFix3.txt 2008-01-10 21:22:07


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:09 AM, on 1/11/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\S3apphk.exe
C:\WINNT\system32\wfxsnt40.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/094d49cb2a12e0871017/netzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192202300562
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = work.scw.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = work.scw.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = work.scw.org
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 5637 bytes
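
The log above shows the same DLL, C:\WINNT\system32\iifcd.dll, registered twice: as a Browser Helper Object (the {CD4E4D5A-...} key under "Reg Loading Points") and as an extra LSA "Authentication Packages" entry next to msv1_0, which is why it was loaded into lsass.exe at boot and why Norton could not delete it while it was in use. The script below is an added example, not a ComboFix or BleepingComputer tool: it parses the REGEDIT4-style "Reg Loading Points" block that ComboFix prints and applies two defender checks, flagging any authentication package beyond the stock msv1_0 (the only default on Windows 2000/XP) and any BHO whose DLL is the same file. The two sample inputs are constructed from the infected log above and the post-cleanup log later in this thread, trimmed to the relevant entries.

```python
"""Flag suspicious autostart entries in a ComboFix 'Reg Loading Points' section.

Added example (not ComboFix's own code). Two defender checks drawn from the
log in this thread:
  1. the LSA 'Authentication Packages' value should contain only msv1_0 on a
     stock Windows 2000/XP machine; any extra DLL is loaded into lsass.exe;
  2. a Browser Helper Object whose DLL is the same file named in the LSA value
     is one component registered twice.
"""
import re

# Constructed sample: the relevant lines from the infected ComboFix log.
SAMPLE_INFECTED = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4E4D5A-8F28-4A5B-94DA-09D3D484294E}]
C:\WINNT\system32\iifcd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\iifcd.dll
"""

# Constructed sample: the same section after cleanup (no BHO, no LSA line).
SAMPLE_CLEAN = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 C:\WINNT\system32\mobsync.exe]
"""

# msv1_0 is the only authentication package a stock Win2000/XP install lists.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def parse_reg_loading_points(text):
    """Return {key: [value lines]} for each [KEY] block in the section.

    Lines that follow a key until the next [KEY] header are attached to it;
    the REGEDIT4 banner and blank lines are skipped.
    """
    blocks = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def find_extra_auth_packages(blocks):
    """DLLs listed under LSA 'Authentication Packages' beyond the default set.

    Entries are split on whitespace, which is what ComboFix prints; a package
    path containing spaces would need a quoted format this log does not use.
    """
    extras = []
    for key, values in blocks.items():
        if not key.lower().endswith(r"\control\lsa"):
            continue
        for v in values:
            m = re.match(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)", v)
            if m:
                for pkg in m.group(1).split():
                    if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                        extras.append(pkg)
    return extras


def find_bho_dlls(blocks):
    """Map BHO CLSID -> DLL path for every 'Browser Helper Objects' key."""
    bhos = {}
    for key, values in blocks.items():
        m = re.search(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$", key)
        if m and values:
            bhos[m.group(1)] = values[0]
    return bhos


def findings(text):
    """Human-readable findings for one section; an empty list means both checks passed."""
    blocks = parse_reg_loading_points(text)
    out = []
    extras = find_extra_auth_packages(blocks)
    for dll in extras:
        out.append(f"non-default LSA authentication package loaded into lsass.exe: {dll}")
    extras_lower = {e.lower() for e in extras}
    for clsid, dll in find_bho_dlls(blocks).items():
        if dll.lower() in extras_lower:
            out.append(f"BHO {clsid} is the same DLL as the LSA package: {dll}")
    return out


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"--- {label} ---")
        for f in findings(sample) or ["no findings"]:
            print(f)
```

Run against the infected sample it reports the LSA package and the matching BHO; against the cleaned sample it reports nothing, which matches what the later ComboFix log in this thread shows once both registry entries were gone.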

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 January 2008 - 12:03 PM

Hi,

Can you attach the log from Combofix please? Because I see this file didn't get removed, including the registry keys:

C:\WINNT\Fonts\bleep_you_las_vegas.zip

And I see now why it wasn't removed, since the forumsoftware replaces bad words with "bleep". :blink:

So please attach your Combofix log and then I will attach a new CFScript log for you. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 scw

scw
  • Topic Starter

  • Members
  • 7 posts

Posted 11 January 2008 - 02:36 PM

OK, here is ComboFix log file attached.

Attached Files



#8 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 January 2008 - 02:45 PM

Hi,

It was the F* word that was in the list which explains why it was replaced with "bleep" instead. :blink:

Anyway, download the next attachment to your desktop:

Drag the CFScript.txt into Combofix.exe

(as you did previously)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
No need to attach this time :thumbsup:

#9 scw

scw
  • Topic Starter

  • Members
  • 7 posts

Posted 11 January 2008 - 04:49 PM

Here are the two new logs.

I see you're in Belgium. What part are you in? Many years ago, as I made my way through Europe, I stopped in Bruges for a couple of days. The Venice of the north, I think I heard it called. I enjoyed my short stay, especially the chocolate and the "Belgian" fries I bought from the carts in the market. I still hope to get back to that part of Europe some day. :thumbsup:


Thanks once more for your continued help :blink:


ComboFix 08-01-10.2 - Administrator 01/11/2008 16:34:47.5 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript2.txt

FILE
C:\WINNT\Fonts\bleep_you_las_vegas.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\Fonts\bleep_you_las_vegas.zip

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 16:34 . 01/11/08 04:34p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_31c.dat
2008-01-11 13:22 . 01/11/08 01:22p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
2008-01-10 16:03 . 08/31/00 08:00a 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-09 12:53 . 01/09/08 12:53p <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 14:13 . 01/08/08 03:55p <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-08 13:38 . 06/05/07 10:56a 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-01-08 13:35 . 06/08/07 09:44a 8,576 --a------ C:\WINNT\system32\drivers\vjqnsvmivgwq.sys
2008-01-08 13:29 . 06/08/07 09:44a 8,576 --a------ C:\WINNT\system32\drivers\RkPavProc.sys
2008-01-08 13:08 . 01/08/08 01:35p <DIR> d-a------ C:\WINNT\system32\ActiveScan
2008-01-08 13:08 . 01/08/08 01:08p 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-01-08 13:08 . 01/08/08 01:08p 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-01-08 13:08 . 01/08/08 01:08p 1,406 --a------ C:\WINNT\system32\Help.ico
2008-01-08 11:19 . 01/08/08 12:52p <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 17:04 . 01/07/08 05:04p <DIR> d-------- C:\Program Files\Lavasoft
2008-01-07 17:04 . 01/07/08 05:04p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-07 17:03 . 01/07/08 05:03p <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 17:23 . 01/11/08 01:19p 556,562 ---h----- C:\WINNT\ShellIconCache
2008-01-03 17:16 . 01/03/08 05:16p <DIR> d-a------ C:\WINNT\system32\Windows Media
2008-01-03 17:13 . 01/03/08 05:13p <DIR> d-------- C:\WINNT\msiinst.tmp
2008-01-03 17:13 . 01/03/08 05:14p <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-01-03 17:05 . 01/03/08 05:05p <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2008-01-03 16:55 . 01/03/08 04:55p <DIR> d-------- C:\WINNT\mui
2008-01-03 16:55 . 01/03/08 04:56p 957 --a------ C:\WINNT\setup.inf
2008-01-03 16:55 . 01/03/08 04:56p 283 --a------ C:\WINNT\setup.rpt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 17:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Allison
2008-01-09 19:31 --------- d-----w C:\Program Files\Navnt
2007-12-12 21:52 17,712 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-10-31 07:17 230,912 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-29 17:57 791,824 ----a-w C:\WINNT\system32\quartz.dll
2007-10-16 11:34 513,808 ----a-w C:\WINNT\system32\LSASRV.DLL
2002-06-28 20:05 271 ---h--w C:\Program Files\desktop.ini
2002-06-28 20:05 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 2008-01-10_16.20.43.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-10 21:04:48 2,764,800 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-11 21:34:41 2,777,088 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 21:04:49 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-11 21:34:41 8,192 ----a-w C:\WINNT\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 C:\WINNT\system32\mobsync.exe]
"S3apphk"="S3apphk.exe" [12/04/01 11:02a 28672 C:\WINNT\system32\S3apphk.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [02/27/02 10:27a 75384]
"WinFaxAppPortStarter"="wfxsnt40.exe" [09/28/00 10:58p 43008 C:\WINNT\system32\WFXSNT40.EXE]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtray.exe" [08/24/01 12:38p 73808]
"vptray"="C:\PROGRA~1\Navnt\vptray.exe" [10/15/99 06:00a 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/14/05 12:14p 180269]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [06/22/07 05:32p 95960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymTray - Norton SystemWorks"="C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [08/24/01 12:41p 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-10-01 11:50:20]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [10/23/02 09:22a 86016]

R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [12/18/01 09:45a]
R3 ADM9X;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM9X.sys [10/25/01 01:43a]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [02/05/02 05:03a]
R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [12/27/01 07:09a]
S3 SDdriver;SDdriver;C:\WINNT\System32\Drivers\sddriver.sys [01/30/02 05:00a]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [12/05/01 03:36p]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-21 00:00:00 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-10-12 21:50:04 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
"2008-01-10 20:58:47 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 16:37:03
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe?~1\LOCALS~1\Temp?TMP=C:\DOCUME~1\ADMINI~1\

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 01/11/2008 16:38:27
ComboFix-quarantined-files.txt 2008-01-11 21:38:17
ComboFix2.txt 2008-01-11 16:28:44
ComboFix3.txt 2008-01-10 22:37:29
ComboFix4.txt 2008-01-10 21:22:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:22 PM, on 1/11/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\S3apphk.exe
C:\WINNT\system32\wfxsnt40.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/094d49cb2a12e0871017/netzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192202300562
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = work.scw.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F1EBA9A-DC17-43BF-B2F4-287D86F240D7}: NameServer = 24.92.226.12,24.92.226.173
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = work.scw.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F1EBA9A-DC17-43BF-B2F4-287D86F240D7}: NameServer = 24.92.226.12,24.92.226.173
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = work.scw.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F1EBA9A-DC17-43BF-B2F4-287D86F240D7}: NameServer = 24.92.226.12,24.92.226.173
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 6030 bytes

#10 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 January 2008 - 04:58 PM

Hi,

The Combofix log looks OK again :wacko:

Please delete the C:\Qoobox - folder

Then,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <== this is a resource hog
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/094d49cb2a12e0871017/netzip/RdxIE6.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

as I made my way through Europe, I stopped in Bruges for a couple of days. The Venice of the north I think I heard it called

What a coincidence since I live in Bruges! :thumbsup: It's in my other profile here.
I really love it in Bruges, a small, but beautiful city - that's because I never want to move from here :blink:

Anyway, how are things now?

#11 scw

scw
  • Topic Starter

  • Members
  • 7 posts

Posted 11 January 2008 - 06:24 PM

Hello,

I have taken care of the Fix Checked items.

Things certainly improved once I ran the CFScript in ComboFix. The lsass.exe file that I was sure the Trojan had attached itself to is no longer getting the activity it was in the Processes area of the Windows Task Manager, and Norton is no longer popping up a window saying file iifcd.dll is a Trojan that it could not quarantine, fix or delete. My only issue now seems to be that I cannot access the internet. As I said, my version of Windows does not appear to have Repair as an option for the Network Connections. I have been able to re-establish my network connections by entering an IP address rather than checking Obtain an IP address automatically, but this has not helped with the internet. Any thoughts on this?

What a coincidence since I live in Bruges! It's in my other profile here.
I really love it in Bruges, a small, but beautiful city - that's because I never want to move from here


As they say, it's a small world. You were just a schoolgirl of 13 when I visited your lovely city, to give you some idea of how long ago it was. You have some very good looking dogs there. Are American Staffordshires very common there? I had a dog not too long ago that I am convinced was part AS; he had that brindle colouring many have and a similar face, but not quite as bulky. He was a great dog, a real beauty.

I suspect you're done for the night and maybe even the weekend. Let me know what my next step is when you get a chance. Thanks so much for your help. It is greatly appreciated. :thumbsup:

#12 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 January 2008 - 06:47 PM

Hi,

For the internet Connection...
First of all, reboot and see if that solves the problem after reboot.

If not, since I have never worked with Windows 2000, it's difficult for me to tell what setting to change/modify etc.
But take a look here:
http://www.wikihow.com/Fix-Common-Computer-Network-Issues
http://support.microsoft.com/kb/837333 (This is especially for Windows 2000).
Otherwise you could start a new thread about this in the Networking forums here.

Also, I have seen some cases where Norton did interfere with the repair of the Internet Connection, so it may also be an option to temporarily uninstall your Norton and try to reset the Connection again after the uninstall of Norton.
Make sure you also reboot in between, as a reboot is required to fix certain settings.

Anyway, if that didn't solve it, I suggest you start a thread here: http://www.bleepingcomputer.com/forums/f/21/networking/
They know much more about Networking than I do. I only know basics and some advanced settings, but that's only for XP. In your case you have Windows 2000, so that's a difference.

You were just a schoolgirl of 13 when I visited your lovely city to give you some idea how long ago it was.

Well, A LOT has changed in Bruges since then :blink:
No, American Staffordshires are not that common over here, however, you start to see them more and more nowadays. Unfortunately, many people think American Staffordshires are pitbulls and aggressive dogs, while they are not aggressive at all - It's all a matter of how you raise them.

As for the malware part, that should be fixed now. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 scw

scw
  • Topic Starter

  • Members
  • 7 posts

Posted 14 January 2008 - 01:09 PM

Hello Miekiemoes,

Thanks for all your help! It looks like the trojan is all cleared up and through one of your links I was able to re-establish my connection to the internet. Keep up the good work you are doing. It is greatly appreciated. :thumbsup:

Enjoy the New Year!

#14 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 January 2008 - 01:20 PM

You're most welcome :thumbsup:

#15 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 January 2008 - 01:33 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.