Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Wnl32.dll Spyware


  • Please log in to reply
12 replies to this topic

#1 Totti

Totti

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 11 January 2008 - 05:10 AM

Hey guys, I managed to get infected with the wnl32.dll spyware today (in C:\WINDOWS\system32\AppCert); it also installed ~.exe into my system32 folder and a few other things. Syware S&D, AdAware and Windows Defender can't get rid of it (don't detect it), so I was hoping someone here could help.
I already killed any obviously bad running processes, deleted the obvious junk entries into the Run registry, and also disabled the encapie and dhcpcsvco BHOs, so I hope my Hijackthis log provides enough info.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:50:51, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\CBOClean\BOC425.EXE
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Stephen Totten\Local Settings\Temporary Internet Files\Content.IE5\MKDMK2PR\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182E5AE1-B505-456D-BBE3-A3ECE1B40638} - c:\windows\system32\encapie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A3357186-C2D8-4C93-8C0B-F83317B377F7} - C:\WINDOWS\system32\dhcpcsvco.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [289zd2r9z] C:\WINDOWS\system32\289zd2r9z.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [CLRHost] C:\PROGRA~1\blp\API\OFFICE~1\bbxlcmd.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: synctime.bat
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://login.citi.com/vdesk/terminal/f5tun...,2007,1001,2144
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://login.citi.com/vdesk/terminal/Insta...,2007,1001,2146
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/20.7/uploader2.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://login.citi.com/vdesk/terminal/f5Ins...,2007,1001,2139
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146183181218
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://login.citi.com/vdesk/terminal/urTer...,2007,1001,2136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146251589140
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://login.citi.com/vdesk/terminal/vdesk...,2007,1001,2142
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://login.citi.com/vdesk/terminal/urxsh...,2007,1001,2141
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://login.citi.com/vdesk/terminal/urxho...,2007,1001,2140
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://login.citi.com/policy/download_bina...,2007,1001,2143
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hanvljom - C:\WINDOWS\SYSTEM32\encapie.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 12295 bytes

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 11 January 2008 - 07:23 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run from a temp directory.
  • Download and run the HijackThis autoinstall program
  • Please choose the default location of C:\Program Files as the destination.
  • Run the program only from that location from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.
Once you have Hijackthis running from this folder, please reboot and post a new hijackthis log as a reply in this thread.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 11 January 2008 - 02:04 PM

Thank you very much; I've moved HijackThis, and here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02:03, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\289zd2r9z.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Totten\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182E5AE1-B505-456D-BBE3-A3ECE1B40638} - c:\windows\system32\encapie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A3357186-C2D8-4C93-8C0B-F83317B377F7} - C:\WINDOWS\system32\dhcpcsvco.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [289zd2r9z] C:\WINDOWS\system32\289zd2r9z.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [CLRHost] C:\PROGRA~1\blp\API\OFFICE~1\bbxlcmd.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [289zd2r9z] C:\WINDOWS\system32\289zd2r9z.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: synctime.bat
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://login.citi.com/vdesk/terminal/f5tun...,2007,1001,2144
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://login.citi.com/vdesk/terminal/Insta...,2007,1001,2146
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/20.7/uploader2.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://login.citi.com/vdesk/terminal/f5Ins...,2007,1001,2139
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146183181218
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://login.citi.com/vdesk/terminal/urTer...,2007,1001,2136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146251589140
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://login.citi.com/vdesk/terminal/vdesk...,2007,1001,2142
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://login.citi.com/vdesk/terminal/urxsh...,2007,1001,2141
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://login.citi.com/vdesk/terminal/urxho...,2007,1001,2140
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://login.citi.com/policy/download_bina...,2007,1001,2143
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hanvljom - C:\WINDOWS\SYSTEM32\encapie.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 12600 bytes

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 12 January 2008 - 10:07 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {182E5AE1-B505-456D-BBE3-A3ECE1B40638} - c:\windows\system32\encapie.dll
O2 - BHO: (no name) - {A3357186-C2D8-4C93-8C0B-F83317B377F7} - C:\WINDOWS\system32\dhcpcsvco.dll
O4 - HKLM\..\Run: [289zd2r9z] C:\WINDOWS\system32\289zd2r9z.exe
O4 - HKCU\..\Run: [289zd2r9z] C:\WINDOWS\system32\289zd2r9z.exe
O20 - Winlogon Notify: hanvljom - C:\WINDOWS\SYSTEM32\encapie.dll



================




Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 13 January 2008 - 07:40 AM

Thanks for your continued help!

I've ran everything, but unfortunately network access is now broken on the infected computer (the ip stack seems shot; i think it could be that qeixgrer driver that was installed by the virus). Anyway, here's the combofix log:

ComboFix 08-01-13.1 - Stephen Totten 2008-01-13 12:07:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.414 [GMT 0:00]
Running from: C:\Documents and Settings\Stephen Totten\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dhcpcsvco.dll
C:\WINDOWS\system32\drivers\wphtdqzk.dat
C:\WINDOWS\system32\encapie.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BODPSMEU
-------\LEGACY_QEIXGRER
-------\bodpsmeu
-------\qeixgrer


((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 12:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 15:30 . 2008-01-12 15:30 99,529 --a------ C:\malware.zip
2008-01-12 15:28 . 2008-01-12 15:29 <DIR> d-------- C:\malware
2008-01-12 14:47 . 2008-01-12 14:48 <DIR> d-------- C:\Program Files\Sysinternals
2008-01-12 12:53 . 2008-01-12 14:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-12 10:15 . 2008-01-12 10:15 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-12 10:15 . 2008-01-12 10:15 741,632 --a------ C:\WINDOWS\system32\ykxxrdoe.dat
2008-01-12 10:15 . 2008-01-12 10:15 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-12 10:15 . 2008-01-12 10:15 42,240 --a------ C:\WINDOWS\system32\dfsfagtp.dat
2008-01-12 10:15 . 2008-01-12 10:15 36,608 --a------ C:\WINDOWS\system32\psmthdgt.dat
2008-01-12 10:15 . 2008-01-12 10:15 35,072 --a------ C:\WINDOWS\system32\afgosqfu.dat
2008-01-11 19:10 . 2008-01-11 19:10 250 --a------ C:\WINDOWS\gmer.ini
2008-01-11 09:33 . 2008-01-11 09:35 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 09:33 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-11 09:33 . 2004-08-04 12:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-11 09:32 . 2008-01-11 09:32 <DIR> d-------- C:\Program Files\Comodo
2008-01-11 09:32 . 2008-01-11 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-01-11 09:32 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-11 09:32 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-11 09:32 . 2008-01-13 12:18 10,688 --a------ C:\WINDOWS\BOC425.INI
2008-01-11 09:06 . 2008-01-12 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 09:06 . 2008-01-11 09:06 120,576 --a------ C:\WINDOWS\system32\qyqqbiaq.dat
2008-01-11 08:58 . 2008-01-11 18:58 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-05 19:44 . 2008-01-05 19:44 14 --a------ C:\Winvdrvr.dll
2008-01-05 19:44 . 2008-01-05 19:44 14 --a------ C:\Portprcr.dvr
2008-01-05 19:44 . 2008-01-12 10:08 0 --a------ C:\hfcrgrt.ini
2008-01-05 19:43 . 2008-01-12 10:08 <DIR> d-------- C:\Program Files\Hormonal Forecaster
2008-01-05 19:43 . 2008-01-05 19:43 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-01-05 16:36 . 2008-01-05 16:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-03 20:19 . 2008-01-03 20:19 188,416 --a------ C:\WINDOWS\system32\HFCdtASP.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 11:56 --------- d-----w C:\Documents and Settings\Stephen Totten\Application Data\Skype
2008-01-13 11:39 --------- d-----w C:\Documents and Settings\Stephen Totten\Application Data\skypePM
2008-01-12 15:19 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-11 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-01-05 19:43 286,720 ------w C:\WINDOWS\Setup1.exe
2008-01-05 18:35 --------- d-----w C:\Program Files\Roku Radio Snooper
2008-01-05 16:36 --------- d-----w C:\Program Files\Real
2008-01-05 16:36 --------- d-----w C:\Program Files\Common Files\Real
2008-01-05 16:35 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-05 16:35 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-14 09:04 --------- d-----w C:\Program Files\World of Warcraft
2007-12-12 11:42 --------- d-----w C:\Documents and Settings\Stephen Totten\Application Data\ICAClient
2007-12-06 08:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-06 08:16 --------- d-----w C:\Documents and Settings\Stephen Totten\Application Data\Nokia
2007-12-05 23:00 --------- d-----w C:\Program Files\Nokia
2007-12-05 23:00 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-05 23:00 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-05 22:59 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-11-16 23:23 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-16 23:23 --------- d-----w C:\Program Files\Common Files\Skype
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-01 20:29 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 01:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 01:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 01:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 01:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-02 17:49 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 08:00 180279]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"CLRHost"="C:\PROGRA~1\blp\API\OFFICE~1\bbxlcmd.exe" [2007-09-26 17:22 102400]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-11-09 13:16 688128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30 45632]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 13:58 94208]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-10-05 21:11 866584]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 17:09 842584]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-07-31 12:57 147456]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-31 20:58 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-31 20:58 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-31 20:58 138008]
"SigmatelSysTrayApp"="sttray.exe" []
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-07-31 13:04 398640]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 16:35 185896]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 10:38 342272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 01:17 443968]

C:\Documents and Settings\Stephen Totten\Start Menu\Programs\Startup\
synctime.bat [2006-06-02 19:36:06]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 17:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-02 17:49:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-07-31 13:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-07-31 13:04]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-07-31 12:57]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-07-31 12:57]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-07-31 12:57]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
R3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-07-31 12:57]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-29 06:46]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2007-06-04 13:39]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-06-04 13:39]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 17:31]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-03-10 13:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 11:33:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-12 18:39:24 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-01-13 12:19:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 12:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 12:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 12:22:55
.
2008-01-09 23:32:09 --- E O F ---

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 13 January 2008 - 11:16 AM

Download and run this tool and then check your connection.
http://www.majorgeeks.com/download4372.html


Next I want to have you submit some files individually to scanned.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:



    C:\Winvdrvr.dll


  • Click on the submit button
  • Please post the results in your next reply.

Also submit each of these files.

C:\Portprcr.dvr
C:\hfcrgrt.ini
C:\WINDOWS\system32\qyqqbiaq.dat
C:\WINDOWS\system32\ykxxrdoe.dat
C:\WINDOWS\system32\dfsfagtp.dat
C:\WINDOWS\system32\psmthdgt.dat
C:\WINDOWS\system32\afgosqfu.dat
C:\WINDOWS\system32\drivers\tcpip.sys



Please post the results from each of those and let me know if your connection has been restored.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 13 January 2008 - 01:06 PM

Thanks; afraid the network is still not working. As such I've submitted the infected files to Jotti using another computer:

Winvdrvr.dll: OK
Portprcr.dvr: OK
hfcrgrt.ini: 0 bytes in size
qyqqbiaq.dat: OK
ykxxrdoe.dat: OK
dfsfagtp.dat: OK
psmthdgt.dat: OK
afgosqfu.dat: OK
tcpip.sys: OK

I also uploaded ~.exe, another file the malware installed, and it flagged up the below (PS this exe doesn't run as a process, instead I believe it's loaded by that qeixgrer driver):

Scan taken on 13 Jan 2008 18:00:29 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.Injecter.DD.36
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Injecter.dd
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Injecter.dd
Fortinet Found nothing
Ikarus Found Trojan-Downloader.Win32.Injecter.dd
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Injecter.dd
NOD32 Found nothing
Norman Virus Control Found W32/DLoader.EWDX
Panda Antivirus Found Trj/Downloader.RUG
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Injecter.dd

#8 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 13 January 2008 - 02:08 PM

Just did some more digging, and somehow that qeixgrer driver has been zapped). Unfortunately it seems to have taken my ip stack with it (the tcp/ip protocol and the ip nat drivers have exclamation marks against them). Have tried http://support.microsoft.com/default.aspx?...b;en-us;q299357 to no avail.

Do i have to do a full reinstall of xp?

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 14 January 2008 - 12:04 PM

I also uploaded ~.exe,

Did you delete this file?


Just did some more digging, and somehow that qeixgrer driver has been zapped).

You seem convinced that qeixgrer had something to do with your connection issue. I'm not seeing the correlation and I'm just wondering how you are getting that indication.


Do you have your Windows disc?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 14 January 2008 - 01:30 PM

Did you delete this file?


I think I still have it on the machine somewhere.


You seem convinced that qeixgrer had something to do with your connection issue. I'm not seeing the correlation and I'm just wondering how you are getting that indication.


I know that the virus installed this driver, and that it also seemed to do something with an "IP in IP Tunnel" service, which ran svchost.exe. As svchost itself is benign, it must be the driver it installed that was doing bad things. Regardless, zapping the encapie DLLs seemed to get rid of both this service and the driver, which in turn has broken my IP stack.
I'm also convinced that this driver was using the ~.exe app, as I was unable to delete the exe either at startup (using the MoveFiles sysinternals tool) or during normal operation of XP. Disabling the driver using computer management freed the exe (ie I was able to delete it when the driver was disabled, but not when the driver was running).

Do you have your Windows disc?


Yeh I have it. Was going to install Vista at some point anyway, so this seems like a good opportunity....

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 15 January 2008 - 06:02 PM

If you're going to install Vista, then don't worry about this. But if you want to keep XP around for a while, try a repair installation.

http://support.microsoft.com/kb/315341


You could also do a System File Checker scan.

Click Start
Select Run
At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. if this happens please make sure that you can view protected files:My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.
Then rerun the scan. If this still asks you to put in your windows XP CD, and you do not have the CD (If you bought it preinstalled) post back for more tips, otherwise enter Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 Totti

Totti
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 17 January 2008 - 06:11 PM

Thanks for your help; I went with Vista in the end, but unfortunately this turned out to be a far worse experience than an infected XP. I shall be reverting rapidly...

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:57 PM

Posted 20 January 2008 - 07:19 AM

Did you format before installing Vista?
Let me know if you still need my help.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users