Think I've Got Some Pretty Serious Malware


  • This topic is locked
8 replies to this topic

#1 Mushroomhead

Mushroomhead

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 18 January 2008 - 04:54 AM

It seems to be getting progressively worse so I thought I better ask here for help. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:19 AM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TQ\command.exe
C:\WINDOWS\System32\lshuwbdb.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched .exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\McAfee.com\VSO\mcvsshld .exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\mrofinu572.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt .exe
C:\PROGRA~1\mcafee.com\agent\mcagent .exe
C:\WINDOWS\?icrosoft\?hkntfs.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\Router .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\WINDOWS\System32\windows
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HijackThis\HiJackThis.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe
C:\WINDOWS\DOBE~2\dexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\geede.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [7cae7dc9] rundll32.exe "C:\WINDOWS\System32\lnfbsajl.dll",b
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ldob] "C:\WINDOWS\DOBE~2\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Yxpvqem] C:\WINDOWS\?icrosoft\?hkntfs.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\lshuwbdb.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 5982 bytes
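
The log above is what a helper reads by eye: a second copy of a binary with a space before its extension ("jusched .exe"), a directory name that mimics a real one but renders with a "?" ("?icrosoft"), Run entries and executables named with a run of hex digits, a rundll32 call loading an eight-letter DLL from System32, an O16 ActiveX entry delivered through the ms-its: CHM handler, and O23 services with no company in the owner field. The script below is an added example, not code from this post, HijackThis or BleepingComputer: it applies those checks mechanically. The sample input is a constructed subset of lines copied from the two HijackThis logs in this thread; the rule names and thresholds (eight or more hex digits, eight lowercase letters) are my own heuristics, not HijackThis conventions.

```python
"""Triage a HijackThis log for the indicators a malware-removal helper
reads by eye.  Added example; the rule names and thresholds are the
author's own heuristics, not HijackThis conventions."""
import re

# Constructed sample: a subset of lines copied from the two HijackThis
# logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TQ\command.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched .exe
C:\WINDOWS\?icrosoft\?hkntfs.exe
C:\WINDOWS\System32\7275747A7777798.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [7cae7dc9] rundll32.exe "C:\WINDOWS\System32\lnfbsajl.dll",b
O4 - HKLM\..\Run: [B4B7B6BCB9B9BBC3B] 7275747A7777798.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TQ\command.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\lshuwbdb.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "name .exe": a copy planted beside the real binary, one space before the
# extension so it reads like the original in a process list.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|ocx)\b", re.I)
# A path component containing '?' or a non-ASCII character.  Windows file
# names cannot contain a literal '?'; the tool prints one for a character it
# cannot display, so "?icrosoft" is a look-alike of "Microsoft".
ODD_PATH_COMPONENT = re.compile(r"\\[^\\\n]*[?\u0080-\uffff][^\\\n]*")
# Run-key names or executable names that are just a run of hex digits.
HEX_NAME = re.compile(r"(?:\[|\\|\s)([0-9A-Fa-f]{8,})(?:\]|\.exe\b)")
# rundll32 loading an eight-lowercase-letter DLL straight out of System32.
# Crude heuristic: confirm by hand before acting on it.
RUNDLL_RANDOM_DLL = re.compile(
    r'(?i:rundll32\.exe)\s+"?[A-Za-z]:\\(?i:windows\\system32)\\([a-z]{8})\.dll'
)
# ActiveX (O16) delivered through the ms-its: CHM protocol handler.
MS_ITS_DPF = re.compile(r"^O16 - DPF:.*\bms-its:", re.I)
# O23 service lines are "name - company - path"; the company field is empty
# or "Unknown owner" for the two rogue services in this thread.
SERVICE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.+)$"
)


def triage(log_text):
    """Return (indicator, line) pairs for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space_before_ext", line))
        if ODD_PATH_COMPONENT.search(line):
            findings.append(("odd_path", line))
        if HEX_NAME.search(line):
            findings.append(("hex_name", line))
        if RUNDLL_RANDOM_DLL.search(line):
            findings.append(("rundll_random_dll", line))
        if MS_ITS_DPF.search(line):
            findings.append(("ms_its_dpf", line))
        m = SERVICE.match(line)
        if m and m["owner"].strip().lower() in ("", "unknown owner"):
            findings.append(("service_no_owner", line))
    return findings


def summarize(findings):
    """Count findings per indicator."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for tag, line in hits:
        print(f"{tag:18} {line}")
    print(summarize(hits))
```

On the sample this flags nine lines and leaves svchost.exe, the NVIDIA entries and the DivX plugin alone. It does not flag C:\WINDOWS\TQ\command.exe on its own: an executable in an unfamiliar directory under WINDOWS is only suspicious in context (here the service line that points at it), which is why the O23 rule exists.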

#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:06:59 AM

Posted 19 January 2008 - 04:52 AM

Hello Mushroomhead and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

You have some serious infections there. One of the infections also replaces legitimate files with infected ones, which will cause some programs not to work. We can try fixing this, but you will probably also have to uninstall and re-install some of your programs after we clean the computer.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Step #2

A guide and tutorial on using ComboFix can be found HERE
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
ComboFix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
In your next post please include the following reports:
  • SDFix report
  • ComboFix report
  • New HijackThis log (run after ComboFix has finished its work.)
Let me know how things went.

Regards,
SNOWHITE

#3 Mushroomhead

  • Topic Starter

Posted 20 January 2008 - 07:07 PM

I've got the SDFix and HijackThis logs but the ComboFix log is really, really long and would take a few reply windows to fit in completely. Did you want me to upload the .txt file for it instead?




Here's the SDFix:





SDFix: Version 1.129

Run by Mel on Sun 01/20/2008 at 02:17 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
cmdService

Path:
C:\WINDOWS\TQ\command.exe

cmdService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\TQ\asappsrv.dll - Deleted
C:\WINDOWS\TQ\command.exe - Deleted
C:\WINDOWS\TQ\nk.vbs - Deleted
C:\DOCUME~1\SMELLY~1\APPLIC~1\MICROS~1\WINDOWS\TIYRMMK.EXE - Deleted
C:\PROGRA~1\PAGE~1.HTM - Deleted
C:\PROGRA~1\COMMON~1\VIKOK~1.HTM - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\Program Files\Dot1XCfg\Dot1XCfg .exe - Deleted
C:\Program Files\Dot1XCfg\Dot1XCfg.exe - Deleted
C:\Program Files\Router\Router .exe - Deleted
C:\Program Files\Router\Router.exe - Deleted
C:\Program Files\Router\UnInstall.exe - Deleted
C:\Program Files\Temporary\kernInst.exe - Deleted
C:\Program Files\Temporary\kernInstall.exe - Deleted
C:\Program Files\Words\list.txt - Deleted
C:\Program Files\Words\UnInstall.exe - Deleted
C:\Program Files\Words\Words .exe - Deleted
C:\Program Files\Words\Words.exe - Deleted
C:\Program Files\.autoreg - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\b10?.exe - Deleted
C:\WINDOWS\b12?.exe - Deleted
C:\WINDOWS\b13?.exe - Deleted
C:\WINDOWS\b14?.exe - Deleted
C:\WINDOWS\b15?.exe - Deleted
C:\WINDOWS\Downloaded Program Files\*_*_*NetInstaller.exe - Deleted
C:\WINDOWS\mrofinu*.exe - Deleted
C:\WINDOWS\mrofinu*.exe.tmp - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Router - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\Words - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 15:02:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 15 Jan 2008 230,400 ..SHR --- "C:\WINDOWS\?icrosoft\?hkntfs.exe"
Sun 20 Jan 2008 19,136 ..SH. --- "C:\WINDOWS\system32\cvmwqqqy.dllbox"
Thu 17 Jan 2008 406,528 ..SHR --- "C:\WINDOWS\Ódobe\dexplore.exe"
Sun 13 Jan 2008 410,624 ..SHR --- "C:\WINDOWS\?dobe\lsass.exe"
Thu 4 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 7 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Thu 1 Nov 2007 230,400 ..SHR --- "C:\WINDOWS\system32\F?nts\w?nspool.exe"
Thu 3 Jan 2008 197,120 A..H. --- "C:\Documents and Settings\Mel\Local Settings\temp\~4F.tmp"
Fri 4 Jan 2008 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~105.tmp"
Sun 23 Dec 2007 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~174.tmp"
Sun 9 Dec 2007 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~21D.tmp"
Wed 2 Jan 2008 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~361.tmp"
Sat 8 Dec 2007 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~76.tmp"
Thu 3 Jan 2008 197,120 A..H. --- "C:\Documents and Settings\Spenser\Local Settings\temp\~93.tmp"
Sat 5 Jan 2008 2,834 ...HR --- "C:\Documents and Settings\Mel\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 7 Jan 2008 4,348 ...H. --- "C:\Documents and Settings\Mel\My Documents\My Music\License Backup\drmv1key.bak"
Sat 12 Jan 2008 20 A..H. --- "C:\Documents and Settings\Mel\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 7 Jan 2008 400 A.SH. --- "C:\Documents and Settings\Melly\My Documents\My Music\License Backup\drmv2key.bak"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~11.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~12.tmp"
Fri 7 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~17B.tmp"
Sat 8 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~19.tmp"
Sun 9 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~1A.tmp"
Wed 12 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~1B.tmp"
Thu 27 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~1B1.tmp"
Sun 16 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~1E5.tmp"
Sat 8 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~20.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~21.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~2CE.tmp"
Fri 28 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~34A.tmp"
Thu 20 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~3F.tmp"
Mon 17 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~44F.tmp"
Sat 17 Nov 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~48A.tmp"
Sun 30 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~4BB.tmp"
Sun 18 Nov 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~4EF.tmp"
Fri 14 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~5.tmp"
Sat 22 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~55.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~6.tmp"
Wed 12 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~69.tmp"
Sat 10 Nov 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~6A.tmp"
Wed 12 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~7.tmp"
Fri 14 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~77.tmp"
Tue 11 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~79.tmp"
Thu 13 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~7A.tmp"
Thu 1 Nov 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~7B1.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~8.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~9.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~A.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~B.tmp"
Thu 4 Oct 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~BDA.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~C.tmp"
Fri 21 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~CC.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~D.tmp"
Tue 18 Sep 2007 215,040 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~E.tmp"
Sun 4 Nov 2007 197,120 A..H. --- "C:\Deckard\System Scanner\20071126215755\backup\DOCUME~1\Mel\LOCALS~1\Temp\~F1.tmp"

Finished!





And the HijackThis:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48, on 2008-01-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\7275747A7777798.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\xkjtfwyv.exe
C:\Documents and Settings\Desktop\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\geede.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [B4B7B6BCB9B9BBC3B] 7275747A7777798.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MCUPDA~2.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {91F71D75-A73B-4E3B-8A14-F03557B82B29} (Cax3DPlugin Object) - http://graalonline.com/downloads/plugin/graalplugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\xkjtfwyv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 4058 bytes

Edited by Mushroomhead, 20 January 2008 - 07:10 PM.
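
The "Files with Hidden Attributes" section of the SDFix report above is where the remaining infection shows: executables with System+Hidden+Read-only set, sitting in directories whose names render with a "?" or an accented letter (?icrosoft, Ódobe, ?dobe, F?nts), and an lsass.exe that is not in system32. The script below is an added example, not code from this post or from SDFix: it parses that section and applies those three checks. The sample input is a constructed subset of lines copied from the report above; the expected-location table is the Windows XP layout and the rule names are my own.

```python
"""Triage the "Files with Hidden Attributes" section of an SDFix report.
Added example, not from the thread or SDFix; the rules are the author's own."""
import re

# Constructed sample: lines copied from the SDFix report posted above.
SAMPLE_SDFIX = r"""
Tue 15 Jan 2008 230,400 ..SHR --- "C:\WINDOWS\?icrosoft\?hkntfs.exe"
Sun 20 Jan 2008 19,136 ..SH. --- "C:\WINDOWS\system32\cvmwqqqy.dllbox"
Thu 17 Jan 2008 406,528 ..SHR --- "C:\WINDOWS\Ódobe\dexplore.exe"
Sun 13 Jan 2008 410,624 ..SHR --- "C:\WINDOWS\?dobe\lsass.exe"
Thu 4 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Thu 1 Nov 2007 230,400 ..SHR --- "C:\WINDOWS\system32\F?nts\w?nspool.exe"
Thu 3 Jan 2008 197,120 A..H. --- "C:\Documents and Settings\Mel\Local Settings\temp\~4F.tmp"
"""

# <weekday> <day> <month> <year> <size> <attrs> --- "<path>"
# The attrs column is five positions; the letters seen in this report are
# A (archive), S (system), H (hidden) and R (read-only), '.' meaning unset.
LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
    r'(?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$'
)
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".com"}
# Core Windows binaries and the only directory each belongs in (XP layout).
SYSTEM_BINARIES = {name: r"c:\windows\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"


def parse_hidden_files(report):
    """Turn the report lines into dicts with date, size, attrs (a set of
    attribute letters) and path; lines that do not match are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append({
                "date": m["date"],
                "size": int(m["size"].replace(",", "")),
                "attrs": set(m["attrs"]) - {"."},
                "path": m["path"],
            })
    return entries


def looks_spoofed(component):
    """A path component with '?' (an undisplayable character) or any
    non-ASCII letter: the look-alike directory names in this report."""
    return "?" in component or any(ord(ch) > 127 for ch in component)


def triage_hidden(entries):
    """Return (indicator, path) pairs for entries that trip a rule."""
    findings = []
    for e in entries:
        path = e["path"]
        parts = path.split("\\")
        name = parts[-1].lower()
        parent = "\\".join(parts[:-1]).lower()
        ext = name[name.rfind("."):] if "." in name else ""
        # Executable code marked both System and Hidden: the attribute
        # combination the rogue files in this report share.
        if {"S", "H"} <= e["attrs"] and ext in EXEC_EXT:
            findings.append(("sys_hidden_exe", path))
        if any(looks_spoofed(c) for c in parts):
            findings.append(("odd_path", path))
        # A core binary's name used outside the directory it belongs in.
        if name in SYSTEM_BINARIES and parent != SYSTEM_BINARIES[name]:
            findings.append(("masquerade", path))
    return findings


def summarize(findings):
    """Count findings per indicator."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_hidden(parse_hidden_files(SAMPLE_SDFIX))
    for tag, path in hits:
        print(f"{tag:15} {path}")
    print(summarize(hits))
```

The DRM .bak files, the FL Studio DLL and the ~*.tmp files pass: they are hidden but not System, or not executable. cvmwqqqy.dllbox (System+Hidden, random name, invented extension, dropped in system32 on the day of the scan) is not caught by any of these three rules and is the kind of entry a helper still has to spot by eye.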


#4 SNOWHITE


Posted 21 January 2008 - 02:08 AM

Hello Mushroomhead,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\System32\7275747A7777798.exe
    C:\WINDOWS\System32\xkjtfwyv.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please zip the ComboFix log and try attaching it here. If you can't attach it, then follow this link
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then upload the zip with combofix log there.


Regards,
SNOWHITE

#5 Mushroomhead

  • Topic Starter

Posted 21 January 2008 - 03:30 AM

Here's the OTMoveIt2 log:


C:\WINDOWS\System32\7275747A7777798.exe moved successfully.
C:\WINDOWS\System32\xkjtfwyv.exe moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.9 log created on 01212008_022348



And the ComboFix file was too large to attach here so I submitted it to the link you gave me.

#6 SNOWHITE


Posted 22 January 2008 - 03:57 AM

Hello Mushroomhead,

I recommend that you install Recovery Console on your computer. Please follow the steps described on this page How to install and use the Windows XP Recovery Console, then follow the steps below:

Step #1

Open notepad and copy/paste the text in the code below into it:

File::
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\RCX3D5.tmp
C:\WINDOWS\system32\RCX707.tmp
C:\WINDOWS\system32\7275747A7777798.exe
C:\WINDOWS\system32\RCX609.tmp
C:\WINDOWS\system32\RCX9E9.tmp
C:\WINDOWS\system32\RCX60B.tmp
C:\WINDOWS\system32\RCX279.tmp
C:\WINDOWS\System32\geede.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller .exe
C:\WINDOWS\System32\lnfbsajl.dll
C:\WINDOWS\mrofinu572.exe

Folder::
C:\Program Files\Rabio
C:\WINDOWS\system32\edcA01
C:\Temp\Ryuan1
C:\WINDOWS\TQ
C:\Program Files\Router
C:\Program Files\Words

Suspect::[29]
C:\Program Files\InstallShield Installation Information\nipycafuq455101.dll

RenV::
C:\Program Files\GameSpy\Comrade\Comrade .exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\mcupdate .exe
C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
C:\Program Files\McAfee.com\Agent\MCUPDA~3 .EXE
C:\Program Files\McAfee.com\Shared\mcappins .exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
C:\Program Files\McAfee.com\VSO\mcvsshld .exe
C:\Program Files\McAfee.com\VSO\oasclnt .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\Steam\steam .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

DirLook::
C:\Documents and Settings\Smelly Melly\Application Data\.#
C:\WINDOWS\system32\6568676D6A6A6C7

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DE22DBDD-7FD1-4C58-8275-A493F12CDEFE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"B4B7B6BCB9B9BBC3B"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7cae7dc9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B4B7B6BCB9B9BBC3B]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ldob]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Router]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yxpvqem]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"



Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:


Clicking OK will cause the machine's browser to load CF-Submit.htm


Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.


Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.


Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)
  • Kaspersky scan report
Let me know how things go.
Regards,
SNOWHITE
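
One line of the CFScript above deserves a closer look than the file deletions: the Registry:: section sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Authentication Packages" back to hex(7):6d,73,76,31,5f,30,00,00, which is the bytes of "msv1_0" followed by the double NUL that ends a REG_MULTI_SZ, the stock value on Windows XP. Any extra DLL listed in that value is loaded into lsass.exe at boot and handed every logon, so resetting it is how you evict something that has registered itself there. The script below is an added example, not part of this post or of ComboFix: it decodes a hex(7) value as written in a CFScript or a .reg file, reports entries beyond the default, and regenerates the fix line. The tampered value it checks is constructed, with a made-up package name; nothing in the thread says what, if anything, had been added on this machine.

```python
"""Decode, check and regenerate the LSA "Authentication Packages" value
that the CFScript above resets.  Added example, not from the thread or
ComboFix."""

DEFAULT_AUTH_PACKAGES = ("msv1_0",)   # stock value on Windows XP

# The line from the CFScript above.
CFSCRIPT_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'


def parse_reg_hex7(text):
    """Decode a hex(7) (REG_MULTI_SZ) value as written in a .reg file or a
    ComboFix script and return the strings it holds.  Accepts a bare
    'hex(7):..' value or a whole '"Name"=hex(7):..' line, with the
    backslash line continuations regedit writes."""
    if "hex(7):" not in text:
        raise ValueError("not a REG_MULTI_SZ (hex(7)) value")
    body = text.split("hex(7):", 1)[1]
    body = "".join(body.split()).replace("\\", "")
    raw = bytes(int(h, 16) for h in body.split(",") if h)
    # regedit exports hex(7) as UTF-16LE; the CFScript above uses one byte
    # per character.  Treat the data as UTF-16LE when every odd byte is 0.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        decoded = raw.decode("utf-16-le")
    else:
        decoded = raw.decode("latin-1")
    return [s for s in decoded.split("\0") if s]


def encode_hex7(strings, utf16=False):
    """Inverse of parse_reg_hex7.  utf16=False gives the one-byte form the
    CFScript uses; utf16=True gives what regedit would export."""
    joined = "\0".join(strings) + "\0\0"
    raw = joined.encode("utf-16-le" if utf16 else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def check_auth_packages(packages, expected=DEFAULT_AUTH_PACKAGES):
    """Return every package name that is not in the expected set; each one
    is a DLL lsass.exe loads at boot and passes logon credentials to."""
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    print("CFScript sets:", parse_reg_hex7(CFSCRIPT_LINE))
    # Constructed tampered value with a made-up package name.
    tampered = encode_hex7(["msv1_0", "rogue_pkg"], utf16=True)
    print("unexpected:", check_auth_packages(parse_reg_hex7(tampered)))
    print("fix line:", '"Authentication Packages"=' + encode_hex7(["msv1_0"]))
```

To read the live value on the machine itself, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages"` prints it as plain strings; the hex form only appears in exported .reg files and in scripts like the one above.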

#7 Mushroomhead

  • Topic Starter

Posted 24 January 2008 - 02:27 PM

Here's the Kaspersky Online Report and the HijackThis log. I submitted the ComboFix log through the malware submittal place because it was large once again. My computer seems much more stable now.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 24, 2008 1:13:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/01/2008
Kaspersky Anti-Virus database records: 495178
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 251154
Number of viruses found: 4
Number of infected objects: 25
Number of suspicious objects: 10
Duration of the scan process: 04:06:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku2.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku3.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku4.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\eventlog Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Smelly Melly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Smelly Melly\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Smelly Melly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Smelly Melly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Smelly Melly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Smelly Melly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Smelly Melly\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Smelly Melly\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Spenser\Local Settings\temp\RCX12.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Spenser\Local Settings\temp\RCX40.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Spenser\Local Settings\temp\RCXF.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\GameSpy\Comrade\Comrade.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\GameSpy\Comrade\pw32.dll Object is locked skipped
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\McAfee.com\Agent\McAgent.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\McAfee.com\Agent\McUpdate .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Steam\Steam.log Object is locked skipped
C:\Program Files\Steam\steamapps\base source engine 2.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source materials.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source models.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source sdk base.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\source sounds.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\sourceinit.gcf Object is locked skipped
C:\Program Files\Steam\steamapps\winui.gcf Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted.vir Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL_tobedeleted.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP10\A0003415.rbf Object is locked skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0018382.ocx Infected: Trojan-Downloader.Win32.VB.cdq skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0018383.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0018384.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0018385.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019351.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019357.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019359.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019360.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019366.ocx Infected: Trojan-Downloader.Win32.VB.cdq skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019367.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019405.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019521.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019526.rbf Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019534.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019535.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\A0019536.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{7936B3D9-8723-4CB0-9131-F8C4BD4463E1}\RP44\change.log Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP179\A0177778.exe Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP209\A0208190.dll Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP241\A0225127.dll Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229348.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229349.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229353.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229356.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229358.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229359.EXE Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229362.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229364.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229369.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP243\A0229370.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP248\A0231518.dll Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP248\A0231522.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP248\A0231525.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236360.dll Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236368.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236369.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236372.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236374.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236375.EXE Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236378.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236380.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236385.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236386.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236393.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236888.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0236891.DLL Object is locked skipped
C:\System Volume Information\_restore{FD172565-C616-4E5B-9973-0C9574D2B567}\RP264\A0237770.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\geede.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:51 PM, on 1/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent .exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Smelly Melly\Desktop\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F3 - REG:win.ini: load=C:\WINDOWS\System32\geede.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {91F71D75-A73B-4E3B-8A14-F03557B82B29} (Cax3DPlugin Object) - http://graalonline.com/downloads/plugin/graalplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 4428 bytes
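The two logs in the post above, read together, as an added example that is not part of the thread (the sample lines are constructed from paths and detection names in those logs): it parses the Kaspersky report's result lines, counts what was found and whether anything was cleaned (the online scanner only reports, so every line in the posted report ends in "skipped"), flags file names with a blank before the extension such as "McAgent .exe" sitting beside the real "McAgent.exe", and checks whether a HijackThis F3/O4 autostart entry points at a file the scanner called infected.

```python
import re

# Constructed sample input in the formats of the two logs posted above: result lines from
# the Kaspersky Online Scanner report and lines from the HijackThis log (paths copied from them).
KASPERSKY_SAMPLE = """\
C:\\Documents and Settings\\Smelly Melly\\NTUSER.DAT Object is locked skipped
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 SOS\\avp .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\\Program Files\\McAfee.com\\Agent\\McAgent.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\\WINDOWS\\system32\\geede.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
"""
HIJACKTHIS_SAMPLE = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe
C:\\PROGRA~1\\mcafee.com\\agent\\McAgent .exe

F3 - REG:win.ini: load=C:\\WINDOWS\\System32\\geede.exe
O4 - HKLM\\..\\Run: [MCAgentExe] c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe
O4 - HKCU\\..\\Run: [Steam] "C:\\Program Files\\Steam\\Steam.exe" -silent
"""

# Kaspersky result line: "<path> <verdict> <action>", the verdict having a few fixed shapes.
KAV_LINE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Object is locked|Infected: (?P<name>\S+)"
    r"|Suspicious: \S+|ZIP: suspicious - \d+) (?P<action>\S+)$")
# File name with a blank before the extension ("McAgent .exe"), sitting beside the real one.
SPACED_EXT = re.compile(r"\S \.(exe|dll)$", re.IGNORECASE)
# In a HijackThis log only the "Running processes" lines begin with a bare drive letter.
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_kaspersky(report: str) -> list[dict]:
    """Turn result lines into records with status infected / suspicious / locked."""
    records = []
    for m in filter(None, map(KAV_LINE.match, report.splitlines())):
        verdict = m.group("verdict")
        status = ("infected" if verdict.startswith("Infected") else
                  "locked" if verdict.startswith("Object") else "suspicious")
        records.append({"path": m.group("path"), "status": status,
                        "name": m.group("name") or "", "action": m.group("action")})
    return records


def autostart_paths(hjt: str) -> list[str]:
    """Executables named by F3 (win.ini load=/run=) and O4 (Run key) entries."""
    paths = []
    for line in hjt.splitlines():
        if line.startswith("F3 ") and "=" in line:
            cmd = line.split("=", 1)[1].strip()
        elif line.startswith("O4 ") and "] " in line:
            cmd = line.split("] ", 1)[1].strip()
        else:
            continue
        # A quoted command may contain blanks; an unquoted one ends at the first blank.
        paths.append(cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0])
    return paths


def triage(report: str, hjt: str) -> dict:
    """Cross-read both logs: what was found, whether it was cleaned, and which detections are
    still live (running now, or set to autostart). 8.3 names like PROGRA~1 are compared literally."""
    infected = [r for r in parse_kaspersky(report) if r["status"] == "infected"]
    infected_paths = {r["path"].lower() for r in infected}
    processes = [l for l in hjt.splitlines() if PROCESS_LINE.match(l)]
    return {
        "infected": len(infected),
        "cleaned": sum(1 for r in infected if r["action"] != "skipped"),
        "families": sorted({r["name"] for r in infected}),
        "lookalike_files": [r["path"] for r in infected if SPACED_EXT.search(r["path"])],
        "lookalike_processes": [p for p in processes if SPACED_EXT.search(p)],
        "autostart_hits": [p for p in autostart_paths(hjt) if p.lower() in infected_paths],
    }
```

A non-empty `lookalike_processes` or `autostart_hits` list with `cleaned == 0` is exactly the situation a read-only online scan leaves behind: the detections are recorded but the files still run, which is why the helper asks for a removal tool's log rather than the scanner's alone.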

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:06:59 AM

Posted 27 January 2008 - 04:31 PM

Hello Mushroomhead, I am sorry about the delay. I see that the infection is back on the computer. Let's first set up the Recovery Console to make sure we have another solution in case something goes wrong.

Go to Microsoft's website => http://www.microsoft.com/downloads/details...C2-631504EF5E26

Click on the Download button. Download the file and save it as it is originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Regards,
SNOWHITE

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:06:59 AM

Posted 10 February 2008 - 03:55 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE



