Egodktf Toolbar



#1 fladiver

  • Members
  • 1 posts

Posted 21 January 2008 - 03:00 PM

I have egodktf as an available toolbar on my browser View menu. I have successfully removed all the viruses on the computer via "SDFix"; however, this remnant is left over. It is not checkmarked, so it is not being used.
Here is the log from ComboFix. PLEASE ADVISE



ComboFix 08-01-20.1 - Larry Snyder 2008-01-21 13:47:57.1 - NTFSx86

Running from: C:\Documents and Settings\Larry Snyder\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\stfv.bin

----- Unknown downloads made by BITS: ----
http://softworldnetwork.com
http://216.40.219.141
http://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 13:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 06:41 . 2008-01-21 06:41 <DIR> d-------- C:\WINDOWS\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 19:52 20,529,184 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-21 19:52 1,282,848 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-21 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-21 13:15 274,364 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-21 13:15 121,076 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-19 13:24 --------- d-----w C:\Documents and Settings\Larry Snyder\Application Data\U3
2007-12-23 14:42 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-20 19:49 91,492 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2007-12-12 23:21 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-07-21 20:43 96,376 ----a-w C:\Documents and Settings\Larry Snyder\Application Data\GDIPFONTCACHEV1.DAT
2007-01-30 19:22 2,180 ----a-w C:\Program Files\uninstal.log
2007-01-25 22:35 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2005-11-02 12:53 31,358,784 ----a-w C:\Program Files\NAV061200_2YR.exe
2003-02-20 17:07 207,759 ----a-w C:\Program Files\INSTALL.LOG
2002-09-12 21:53 22 ----a-w C:\Program Files\Microsoft Publisher XP 2002 Serial_1.zip
2002-09-12 21:53 22 ----a-w C:\Program Files\Microsoft Publisher XP 2002 Serial.zip
2001-11-14 07:54 291,840 ----a-w C:\Documents and Settings\Larry Snyder\Bliss.scr
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65990097-F699-4216-9270-80572B89D23F}]
C:\WINDOWS\dopfwrlgfm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{00C1B214-1408-4F51-90AE-7EDAC2FAC36E}

[HKEY_CLASSES_ROOT\clsid\{00c1b214-1408-4f51-90ae-7edac2fac36e}]
[HKEY_CLASSES_ROOT\egodktf.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{96A4325C-97DD-469A-9A9D-3CCF3DFE52EB}]
[HKEY_CLASSES_ROOT\egodktf.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:42 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-01-13 13:53 114688]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"RegistryMechanic"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 18:50 200768]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-link AirPlus G DWL-G120 Wireless USB.lnk]
backup=C:\WINDOWS\pss\D-link AirPlus G DWL-G120 Wireless USB.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet d series) - 1.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet d series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Larry Snyder^Start Menu^Programs^Startup^AdDelete.lnk]
backup=C:\WINDOWS\pss\AdDelete.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Larry Snyder^Start Menu^Programs^Startup^Expedia Fare Alert.lnk]
path=C:\Documents and Settings\Larry Snyder\Start Menu\Programs\Startup\Expedia Fare Alert.lnk
backup=C:\WINDOWS\pss\Expedia Fare Alert.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Larry Snyder^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"Alerter"=3 (0x3)
"VSS"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSDTC"=3 (0x3)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"ClipSrv"=3 (0x3)
"BITS"=2 (0x2)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"Wmi"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WmiApSrv"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"SENS"=2 (0x2)
"SCardSvr"=3 (0x3)
"ShellHWDetection"=2 (0x2)
"SamSs"=2 (0x2)
"seclogon"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"mnmsrvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"helpsvc"=2 (0x2)
"HidServ"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"CryptSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Bonjour Service"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-01-10 20:09:19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 13:52:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???p???X???????????p???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 13:53:31
ComboFix-quarantined-files.txt 2008-01-21 19:53:09
.
2008-01-14 14:17:36 --- E O F ---
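As an added example (not code from the original post, from ComboFix or from BleepingComputer), here is a small Python triage script that reads a ComboFix log like the one above and pulls out the pieces that bear on a leftover toolbar: the files the tool deleted, the BITS download sources it could not attribute, and the BHO and IE toolbar CLSIDs together with the HKCR CLSID and ProgID registrations that keep them loadable. The sample log is a constructed, trimmed excerpt of the log posted above; the banner and line formats the parser relies on are assumed from that log rather than taken from any ComboFix specification.

```python
"""Triage helpers for a ComboFix log: pull out the files it deleted, the BITS
downloads it could not attribute, and the registry loading points that keep an
IE toolbar or BHO loadable. Added example, not part of the original post or of
ComboFix; section banners and line formats are assumed from the log above."""
import json
import re

# Constructed excerpt that mirrors the log in the post above (trimmed, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\fad.sys

----- Unknown downloads made by BITS: ----
http://softworldnetwork.com
http://216.40.219.141
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65990097-F699-4216-9270-80572B89D23F}]
C:\WINDOWS\dopfwrlgfm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{00C1B214-1408-4F51-90AE-7EDAC2FAC36E}

[HKEY_CLASSES_ROOT\clsid\{00c1b214-1408-4f51-90ae-7edac2fac36e}]
[HKEY_CLASSES_ROOT\egodktf.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{96A4325C-97DD-469A-9A9D-3CCF3DFE52EB}]
[HKEY_CLASSES_ROOT\egodktf.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # ((((( Section name )))))
SUBSECTION_RE = re.compile(r"^-+\s*(.+?):?\s*-+$")   # ----- Sub-section: ----
REGKEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\key]
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def split_sections(log):
    """Group non-empty log lines under the banner they appear below."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line) or SUBSECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_reg_keys(lines):
    """Map each [key] in the Reg Loading Points section to the value lines under it."""
    keys, current = {}, None
    for line in lines:
        m = REGKEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def deleted_files(sections):
    """Paths ComboFix reported under 'Other Deletions'."""
    return list(sections.get("Other Deletions", []))


def bits_downloads(sections):
    """Download sources ComboFix listed as BITS jobs it did not recognise."""
    return [l for l in sections.get("Unknown downloads made by BITS", []) if l.startswith("http")]


def toolbar_persistence(sections):
    """Correlate BHO/toolbar CLSIDs with the HKCR CLSID and ProgID registrations
    ComboFix flagged. A toolbar stays listed on IE's View menu while its CLSID
    is under the Internet Explorer Toolbar key, enabled or not."""
    keys = parse_reg_keys(sections.get("Reg Loading Points", []))
    lower_keys = {k.lower() for k in keys}
    report = {"bho": {}, "toolbars": {}, "progids": []}
    for key, values in keys.items():
        lk = key.lower()
        if "browser helper objects" in lk:
            m = CLSID_RE.search(key)
            if m:
                report["bho"][m.group(0).upper()] = values[0] if values else None
        elif lk.endswith("internet explorer\\toolbar"):
            for value in values:
                m = CLSID_RE.search(value)
                if m:
                    clsid = m.group(0).upper()
                    # True when ComboFix also showed the HKCR\CLSID key (it hides known-good ones)
                    report["toolbars"][clsid] = f"hkey_classes_root\\clsid\\{clsid.lower()}" in lower_keys
        elif lk.startswith("hkey_classes_root\\") and "{" not in key:
            report["progids"].append(key.split("\\", 1)[1])
    return report


def triage(log):
    """One dict with everything the helpers above extract from a log."""
    sections = split_sections(log)
    return {"deleted": deleted_files(sections),
            "bits_downloads": bits_downloads(sections),
            "persistence": toolbar_persistence(sections)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the excerpt, it reports that the BHO {65990097-F699-4216-9270-80572B89D23F} loads C:\WINDOWS\dopfwrlgfm.dll, and that of the two toolbar CLSIDs only {00C1B214-1408-4F51-90AE-7EDAC2FAC36E} also has an HKCR\CLSID entry that ComboFix chose to show, right next to the egodktf.ToolBar ProgIDs; those are the entries a helper would look at for the View-menu remnant. The script only extracts and correlates; it changes nothing on the machine.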


#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2008 - 04:13 PM

Hi fladiver, :thumbsup:

Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

If you still need help, please post a new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide for use before posting a HijackThis Log, and I'll be happy to look at it for you.

Thanks for your patience. :blink:

