Infected With Vundo Trojan


This topic is locked. 26 replies to this topic.

#1 elmotodd

  • Members
  • 13 posts

Posted 25 January 2008 - 06:10 PM

Because of the absent RPCServer and other problems I attribute to the trojan, I was only able to install and run SpyBot SD of the several you suggested in the prep instructions. I have Mcafee Antivirus, but it will not run since the infection. I have Internet Explorer 7.0 installed, but since the infection it won't run; Windows Media Player and several other programs won't run. My printer disappeared. Anything that does run is extremely slow. Any help is GREATLY appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:52 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?linkid=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {913DC301-80B8-481C-BDAD-F90D0CB8C164} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ckbcfsvc.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: {23bd7362-1742-ac09-a164-a00d0b8f21fc} - {cf12f8b0-d00a-461a-90ca-24712637db32} - C:\WINDOWS\system32\evjyxfvv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - (no file)
O3 - Toolbar: TorrentSeek toolbar - {6bcb43af-a20f-4996-8860-48f511a222db} - C:\Program Files\TorrentSeek\tbTorr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvrem.dll,startup
O4 - HKLM\..\Run: [8c29df0a] rundll32.exe "C:\WINDOWS\system32\blbyareh.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-448539723-1123561945-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199982601343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...211/mcfscan.cab
O20 - Winlogon Notify: ckbcfsvc - C:\WINDOWS\SYSTEM32\ckbcfsvc.dll
O23 - Service: AppMgmt - Apple, Inc. - (no file)
O23 - Service: ASP.NET State Service (aspnet_state) - Apple, Inc. - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McNASvc - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 8672 bytes
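A triage pass over the HijackThis log above, as an added example that is not part of this thread or of HijackThis itself. The sample lines are copied from the log; the checks (BHOs without a readable name, Run entries that load a system32 DLL through rundll32, Winlogon Notify handlers, services whose binary is missing) are generic reviewer heuristics chosen here, not a verdict on any single entry.

```python
"""Triage pass over a HijackThis log.

Added example, not part of the forum post or of HijackThis. The sample below
is a subset of the log lines posted above; the heuristics are generic
reviewer checks, not a verdict on any single entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {913DC301-80B8-481C-BDAD-F90D0CB8C164} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ckbcfsvc.dll
O2 - BHO: {23bd7362-1742-ac09-a164-a00d0b8f21fc} - {cf12f8b0-d00a-461a-90ca-24712637db32} - C:\WINDOWS\system32\evjyxfvv.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvrem.dll,startup
O4 - HKLM\..\Run: [8c29df0a] rundll32.exe "C:\WINDOWS\system32\blbyareh.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: ckbcfsvc - C:\WINDOWS\SYSTEM32\ckbcfsvc.dll
O23 - Service: AppMgmt - Apple, Inc. - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    reason: str
    line: str


GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# rundll32 loading a DLL straight out of system32 at logon: the shape of the
# MSDrive and 8c29df0a Run entries in the log above.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[^\\"]+\.dll', re.I)
# "O2 - BHO: ..." -> section code and the rest of the line.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")


def triage(log_text):
    """Return the entries a reviewer would look at first, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        # The last " - " separated field is the path ("(no file)" when missing).
        target = rest.rsplit(" - ", 1)[-1].strip()
        if code == "O2":
            # "BHO: <name> - {CLSID} - <path>": take the name field only.
            name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name == "(no name)" or GUID_RE.match(name):
                findings.append(Finding("BHO with no readable name", raw))
            elif target == "(no file)":
                findings.append(Finding("orphaned BHO registration", raw))
        elif code == "O4" and RUNDLL_RE.search(raw):
            findings.append(Finding("Run entry loads a system32 DLL via rundll32", raw))
        elif code == "O20":
            findings.append(Finding("Winlogon Notify handler (runs at every logon; review)", raw))
        elif code == "O23" and target == "(no file)":
            findings.append(Finding("service registered but binary missing", raw))
    return findings


def count_by_reason(findings):
    """Tally findings per reason, for a quick overview of the log."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55s} {f.line}")
```

Run against the full log rather than the sample, the same pass will also list the known-good Spybot and Adobe entries as clean; the point of the heuristics is to order the review, not to replace it.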


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 January 2008 - 09:10 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I'm not sure this is just Vundo that you're dealing with.

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 elmotodd
  • Topic Starter

  • Members
  • 13 posts

Posted 28 January 2008 - 10:46 PM

Hi, Sam,

Thanks for your prompt reply to my request for help. I downloaded ComboFix and doubleclicked it and as it began to run, I got this error message:

"Some installation files are corrupt. Please download a fresh copy and retry the installation."

I downloaded and attempted an install twice more, with the same result.

Any suggestions?

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 January 2008 - 10:22 AM

Right click on combofix.exe and select rename. Rename it to cf.exe
Then double click to run and it should work.

#5 elmotodd
  • Topic Starter

  • Members
  • 13 posts

Posted 29 January 2008 - 05:36 PM

I finally got Combofix to run. McAfee Virus App was not running, but some McAfee processes were, and when I killed them, CF ran ok. Log is attached.

ComboFix 08-01-30.1 - Bill 2008-01-29 16:08:02.1 - NTFSx86
Running from: C:\Documents and Settings\Bill\Desktop\cf.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\dxdss.sys
C:\WINDOWS\system32\KernelDrv.exe
C:\Documents and Settings\David.BILL\Application Data\Install.dat
C:\Documents and Settings\WEL.BILL\Application Data\WNSXS~1
C:\Program Files\cas
C:\Program Files\Common Files\windows
C:\Program Files\dns
C:\Program Files\dns\affid.dat
C:\Program Files\dns\regexp.dat
C:\Program Files\dns\regexpDate.dat
C:\Program Files\dns\uid.dat
C:\Program Files\dns\urls.dat
C:\Program Files\dns\version.txt
C:\Program Files\fnts~1
C:\Program Files\Helper
C:\Program Files\SoftwareOnline
C:\WINDOWS\cookies.ini
C:\WINDOWS\gf1002.cnf2
C:\WINDOWS\gf1002.cnf3
C:\WINDOWS\system32\17467.exe
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\adyghynu.ini
C:\WINDOWS\system32\blbyareh.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\Inr48.sys
C:\WINDOWS\system32\drvremr.dll
C:\WINDOWS\system32\dxdss.sys
C:\WINDOWS\system32\evjyxfvv.dll
C:\WINDOWS\system32\herayblb.ini
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\KernelDrv.exe
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkhyyvev.dll
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\ssqnnnl.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\unyhgyda.dll
C:\WINDOWS\system32\vdhvdpxn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_GB
-------\LEGACY_INR48
-------\LEGACY_LANMANDRV
-------\LEGACY_NM
-------\LEGACY_NPF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\ctl_w32
-------\Inr48
-------\mp32
-------\nm
-------\smtpdrv


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-28 21:03 . 2008-01-29 15:59 <DIR> d-------- C:\ComboFix
2008-01-28 21:03 . 2008-01-29 04:52 521 --a------ C:\Start.bat
2008-01-26 10:56 . 2008-01-26 10:56 206 --a------ C:\WINDOWS\wininit.ini
2008-01-25 16:42 . 2008-01-25 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 16:00 . 2008-01-25 16:00 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\HouseCall 6.6
2008-01-25 15:42 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
2008-01-24 14:00 . 2008-01-25 14:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 13:57 . 2008-01-25 15:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-24 13:10 . 2008-01-24 13:38 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Lavasoft
2008-01-21 16:03 . 2008-01-30 16:16 2,342 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-18 16:36 . 2008-01-20 05:51 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-18 14:46 . 2008-01-18 14:46 103,936 --a------ C:\WINDOWS\system32\drvrem.dll
2008-01-18 14:46 . 2008-01-18 14:59 2 --a------ C:\-1943412827
2008-01-17 16:36 . 2008-01-17 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-16 13:58 . 2008-01-29 07:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:58 . 2008-01-16 13:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 12:44 . 2007-11-07 04:26 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
2008-01-09 12:44 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 16:59 . 2008-01-20 05:51 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-03 21:12 . 2008-01-03 21:12 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\McAfee
2008-01-03 13:51 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-01-03 12:30 . 2007-12-04 15:44 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-21 12:51 . 2008-01-10 03:06 21,760 --a------ C:\WINDOWS\Puy50.sys
2007-12-21 12:51 . 2008-01-01 10:18 21,760 --a------ C:\WINDOWS\Puy50(4).sys
2007-12-21 12:51 . 2008-01-01 10:39 21,760 --a------ C:\WINDOWS\Puy50(3).sys
2007-12-21 12:51 . 2008-01-01 16:11 21,760 --a------ C:\WINDOWS\Puy50(2).sys
2007-12-18 19:57 . 2007-12-18 19:57 <DIR> d-------- C:\Program Files\TorrentSeek
2007-12-18 19:47 . 2007-12-18 19:47 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2007-12-11 20:57 . 2007-12-20 12:22 21,760 --a------ C:\WINDOWS\system32\drivers\Puy50.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 18:37 --------- d-----w C:\Program Files\Lavasoft
2008-01-24 00:07 --------- d-----w C:\Program Files\McAfee.com
2008-01-22 17:07 --------- d-----w C:\Program Files\BitTorrent
2008-01-22 05:11 --------- d-----w C:\Program Files\Replay AV 8
2008-01-22 05:10 --------- d-----w C:\Program Files\eMule
2008-01-21 21:00 --------- d-----w C:\Program Files\McAfee
2008-01-21 20:43 --------- d-----w C:\Program Files\XoftSpySE
2008-01-20 10:55 98,304 ----a-w C:\WINDOWS\system32\verifier.exe
2008-01-20 10:55 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
2008-01-20 10:55 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
2008-01-20 10:55 8,192 ----a-w C:\WINDOWS\system32\winhlp32.exe
2008-01-20 10:55 78,336 ----a-w C:\WINDOWS\system32\tlntsess.exe
2008-01-20 10:55 77,824 ----a-w C:\WINDOWS\system32\wmpstub.exe
2008-01-20 10:55 77,824 ----a-w C:\WINDOWS\system32\usrmlnka.exe
2008-01-20 10:55 75,776 ----a-w C:\WINDOWS\system32\telnet.exe
2008-01-20 10:55 73,216 ----a-w C:\WINDOWS\system32\tlntsvr.exe
2008-01-20 10:55 72,192 ----a-w C:\WINDOWS\system32\tasklist.exe
2008-01-20 10:55 72,192 ----a-w C:\WINDOWS\system32\taskkill.exe
2008-01-20 10:55 7,168 ----a-w C:\WINDOWS\system32\updcrl.exe
2008-01-20 10:55 69,632 ----a-w C:\WINDOWS\system32\usrshuta.exe
2008-01-20 10:55 68,096 ----a-w C:\WINDOWS\system32\systeminfo.exe
2008-01-20 10:55 65,536 ----a-w C:\WINDOWS\system32\wextract.exe
2008-01-20 10:55 61,440 ----a-w C:\WINDOWS\system32\usrprbda.exe
2008-01-20 10:55 61,440 ----a-w C:\WINDOWS\system32\tlntadmn.exe
2008-01-20 10:55 51,200 ----a-w C:\WINDOWS\system32\syncapp.exe
2008-01-20 10:55 50,176 ----a-w C:\WINDOWS\system32\utilman.exe
2008-01-20 10:55 5,632 ----a-w C:\WINDOWS\system32\write.exe
2008-01-20 10:55 5,632 ----a-w C:\WINDOWS\system32\winver.exe
2008-01-20 10:55 49,664 ----a-w C:\WINDOWS\system32\w32tm.exe
2008-01-20 10:55 44,544 ----a-w C:\WINDOWS\system32\tscupgrd.exe
2008-01-20 10:55 433,664 ----a-w C:\WINDOWS\system32\wiaacmgr.exe
2008-01-20 10:55 4,096 ----a-w C:\WINDOWS\system32\unlodctr.exe
2008-01-20 10:55 36,864 ----a-w C:\WINDOWS\system32\syskey.exe
2008-01-20 10:55 36,352 ----a-w C:\WINDOWS\system32\typeperf.exe
2008-01-20 10:55 347,136 ----a-w C:\WINDOWS\system32\tourstart.exe
2008-01-20 10:55 33,792 ----a-w C:\WINDOWS\system32\vssadmin.exe
2008-01-20 10:55 32,256 ----a-w C:\WINDOWS\system32\wupdmgr.exe
2008-01-20 10:55 32,256 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2008-01-20 10:55 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
2008-01-20 10:55 31,744 ----a-w C:\WINDOWS\system32\tracert6.exe
2008-01-20 10:55 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
2008-01-20 10:55 3,072 ----a-w C:\WINDOWS\system32\systray.exe
2008-01-20 10:55 289,792 ----a-w C:\WINDOWS\system32\vssvc.exe
2008-01-20 10:55 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
2008-01-20 10:55 259,584 ----a-w C:\WINDOWS\system32\tracerpt.exe
2008-01-20 10:55 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-01-20 10:55 19,456 ----a-w C:\WINDOWS\system32\tcpsvcs.exe
2008-01-20 10:55 18,432 ----a-w C:\WINDOWS\system32\ups.exe
2008-01-20 10:55 17,408 ----a-w C:\WINDOWS\system32\wpdshextautoplay.exe
2008-01-20 10:55 16,896 ----a-w C:\WINDOWS\system32\upnpcont.exe
2008-01-20 10:55 16,896 ----a-w C:\WINDOWS\system32\tsshutdn.exe
2008-01-20 10:55 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2008-01-20 10:55 16,384 ----a-w C:\WINDOWS\system32\tskill.exe
2008-01-20 10:55 15,360 ----a-w C:\WINDOWS\system32\taskman.exe
2008-01-20 10:55 146,432 ----a-w C:\WINDOWS\system32\WudfHost.exe
2008-01-20 10:55 14,848 ----a-w C:\WINDOWS\system32\tsdiscon.exe
2008-01-20 10:55 14,848 ----a-w C:\WINDOWS\system32\tscon.exe
2008-01-20 10:55 135,680 ----a-w C:\WINDOWS\system32\taskmgr.exe
2008-01-20 10:55 13,824 ----a-w C:\WINDOWS\system32\wscntfy.exe
2008-01-20 10:55 12,288 ----a-w C:\WINDOWS\system32\tracert.exe
2008-01-20 10:55 12,288 ----a-w C:\WINDOWS\system32\tcmsetup.exe
2008-01-20 10:55 119,808 ----a-w C:\WINDOWS\system32\winmine.exe
2008-01-20 10:55 114,688 ----a-w C:\WINDOWS\system32\wscript.exe
2008-01-20 10:55 11,776 ----a-w C:\WINDOWS\system32\winmsd.exe
2008-01-20 10:55 105,984 ----a-w C:\WINDOWS\system32\sysocmgr.exe
2008-01-20 10:54 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2008-01-20 10:54 9,728 ----a-w C:\WINDOWS\system32\sfc.exe
2008-01-20 10:54 9,728 ----a-w C:\WINDOWS\system32\reset.exe
2008-01-20 10:54 9,216 ----a-w C:\WINDOWS\system32\subst.exe
2008-01-20 10:54 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2008-01-20 10:54 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
2008-01-20 10:54 9,216 ----a-w C:\WINDOWS\system32\print.exe
2008-01-20 10:54 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2008-01-20 10:54 86,016 ----a-r C:\WINDOWS\system32\SM1un.exe
2008-01-20 10:54 8,192 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-01-20 10:54 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2008-01-20 10:54 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2008-01-20 10:54 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
2008-01-20 10:54 77,312 ----a-w C:\WINDOWS\system32\rtcshare.exe
2008-01-20 10:54 73,728 ----a-w C:\WINDOWS\system32\slserv.exe
2008-01-20 10:54 704,512 ----a-w C:\WINDOWS\system32\ss3dfo.scr
2008-01-20 10:54 70,144 ----a-w C:\WINDOWS\system32\sigverif.exe
2008-01-20 10:54 7,168 ----a-w C:\WINDOWS\system32\recover.exe
2008-01-20 10:54 69,632 ----a-w C:\WINDOWS\system32\odbcconf.exe
2008-01-20 10:54 679,936 ----a-w C:\WINDOWS\system32\sstext3d.scr
2008-01-20 10:54 67,584 ----a-w C:\WINDOWS\system32\openfiles.exe
2008-01-20 10:54 67,072 ----a-w C:\WINDOWS\system32\rdshost.exe
2008-01-20 10:54 62,976 ----a-w C:\WINDOWS\system32\rsopprov.exe
2008-01-20 10:54 62,464 ----a-w C:\WINDOWS\system32\rdpclip.exe
2008-01-20 10:54 610,304 ----a-w C:\WINDOWS\system32\sspipes.scr
2008-01-20 10:54 58,368 ----a-w C:\WINDOWS\system32\packager.exe
2008-01-20 10:54 56,832 ----a-w C:\WINDOWS\system32\sol.exe
2008-01-20 10:54 56,832 ----a-w C:\WINDOWS\system32\rasphone.exe
2008-01-20 10:54 538,624 ----a-w C:\WINDOWS\system32\spider.exe
2008-01-20 10:54 50,176 ----a-w C:\WINDOWS\system32\reg.exe
2008-01-20 10:54 50,176 ----a-w C:\WINDOWS\system32\proquota.exe
2008-01-20 10:54 49,152 ----a-w C:\WINDOWS\system32\rsmui.exe
2008-01-20 10:54 49,152 ----a-w C:\WINDOWS\system32\rsm.exe
2008-01-20 10:54 49,152 ----a-w C:\WINDOWS\system32\powercfg.exe
2008-01-20 10:54 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
----a-w		 3,865,088 2008-01-22 14:09:35  C:\Program Files\BitTorrent\bittorrent .exe
----a-w		 3,988,480 2008-01-22 14:09:22  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		 3,207,168 2008-01-22 04:49:59  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		 1,694,208 2008-01-20 03:04:53  C:\Program Files\Messenger\msmsgs .exe
----a-w			15,360 2008-01-20 10:51:34  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{913DC301-80B8-481C-BDAD-F90D0CB8C164}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf12f8b0-d00a-461a-90ca-24712637db32}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"="C:\WINDOWS\system32\drvrem.dll" [2008-01-18 14:46 103936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckbcfsvc]
ckbcfsvc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr48.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
--a------ 2008-01-19 21:28 5308416 C:\Program Files\eMule\emule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2008-01-19 21:36 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-19 21:36 49152 c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2008-01-20 06:00 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-19 22:04 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-19 22:15 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2008-01-19 22:27 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2008-01-20 05:24 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"MpfService"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"iPod Service"=3 (0x3)
"hpdj01"=2 (0x2)
"gusvc"=2 (0x2)
"Emproxy"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 21:56:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 06:02:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-03 18:46:41 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-22 14:12:37 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-17 17:04:55 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-22 14:12:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-22 14:08:38 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 16:21:38
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2008-01-30 16:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 21:28:42
.
2008-01-11 08:02:20 --- E O F ---

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 January 2008 - 09:05 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Renv::
----a-w		 3,865,088 2008-01-22 14:09:35  C:\Program Files\BitTorrent\bittorrent .exe
----a-w		 3,988,480 2008-01-22 14:09:22  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		 3,207,168 2008-01-22 04:49:59  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		 1,694,208 2008-01-20 03:04:53  C:\Program Files\Messenger\msmsgs .exe
----a-w			15,360 2008-01-20 10:51:34  C:\WINDOWS\system32\ctfmon .exe

File::
C:\WINDOWS\system32\drvrem.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{913DC301-80B8-481C-BDAD-F90D0CB8C164}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf12f8b0-d00a-461a-90ca-24712637db32}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckbcfsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================
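As an added example for this thread (not ComboFix's own code and not from the post above): a small Python check that reads file-listing lines in the format used by the Renv:: block and flags any executable whose base name has a space in front of the extension, the pattern all five Renv:: entries share. It assumes the line layout is attributes, size, date, time, path separated by whitespace; the sample input is the five lines from the script plus one constructed, clean ctfmon.exe line that must not be flagged.

```python
"""Flag file-listing entries whose executable name has a space before the
extension (the pattern shared by all five Renv:: lines above).

Added example for this thread, not ComboFix's own code.  The line format
assumed here is attrs, size, date, time, path separated by whitespace, as in
the Renv:: block; lines in any other format are ignored.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input: the five Renv:: lines copied from the post, plus one
# constructed clean entry (ctfmon.exe without the space) that must not be flagged.
SAMPLE_LINES = [
    r"----a-w     3,865,088 2008-01-22 14:09:35  C:\Program Files\BitTorrent\bittorrent .exe",
    r"----a-w     3,988,480 2008-01-22 14:09:22  C:\Program Files\Common Files\Real\Update_OB\realsched .exe",
    r"----a-w     3,207,168 2008-01-22 04:49:59  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe",
    r"----a-w     1,694,208 2008-01-20 03:04:53  C:\Program Files\Messenger\msmsgs .exe",
    r"----a-w        15,360 2008-01-20 10:51:34  C:\WINDOWS\system32\ctfmon .exe",
    r"----a-w        15,360 2008-01-20 10:51:34  C:\WINDOWS\system32\ctfmon.exe",  # constructed control line
]

# One listing line: 7-character attribute field, comma-grouped size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d[\d,]*)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*?)\s*$"
)

EXEC_EXTENSIONS = ("exe", "dll", "sys", "com", "scr", "pif")
# Whitespace immediately before ".<executable extension>" at the end of the name.
SPACED_EXT_RE = re.compile(
    r"\s+\.(?:" + "|".join(EXEC_EXTENSIONS) + r")$", re.IGNORECASE
)


@dataclass
class FileEntry:
    attrs: str
    size: int
    timestamp: str
    path: str

    @property
    def basename(self) -> str:
        # Windows path: everything after the last backslash.
        return self.path.rsplit("\\", 1)[-1]

    def has_spaced_extension(self) -> bool:
        return SPACED_EXT_RE.search(self.basename) is not None


def parse_line(line: str) -> Optional[FileEntry]:
    """Parse one listing line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return FileEntry(
        attrs=m["attrs"],
        size=int(m["size"].replace(",", "")),
        timestamp=f"{m['date']} {m['time']}",
        path=m["path"],
    )


def find_spaced_extensions(lines: Iterable[str]) -> List[FileEntry]:
    """Return the parsed entries whose executable name has a space before the extension."""
    hits: List[FileEntry] = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry.has_spaced_extension():
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for entry in find_spaced_extensions(SAMPLE_LINES):
        print(f"{entry.size:>10,}  {entry.timestamp}  {entry.path}")
```

Running it prints the five flagged paths and nothing for the control line; the same check can be pointed at any listing in this format pasted into a log, which is a quicker way to spot this family of renamed files than reading the list by eye.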

#7 elmotodd
  • Topic Starter
  • Members
  • 13 posts

Posted 30 January 2008 - 03:52 PM

Now I'm unable to copy/paste either via ctl-c/ctl-v or right click and copy/paste. Do you have a fix for this so I can run your latest script? I tried the copy/paste on Firefox and IE.

#8 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 January 2008 - 05:13 PM

Can you try it in safe mode?
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.


#9 elmotodd
  • Topic Starter
  • Members
  • 13 posts

Posted 30 January 2008 - 09:40 PM

Sam,

Sorry to say, copy/paste does not work in safe mode either. If you don't have a ready fix for that problem, is it possible for you to create a cfscript file containing the code, which I can download to run with ComboFix?

#10 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2008 - 04:25 PM

Here you go.

#11 elmotodd
  • Topic Starter
  • Members
  • 13 posts

Posted 01 February 2008 - 10:13 AM

Sam, I'm sorry this is so much trouble. I received your CFscript file and managed to copy it to notepad and saved to the desktop, BUT, drag/drop isn't working, so I can't run ComboFix with CFscript as you indicated. I can copy and paste in the 2 files I have saved; is there any way to paste them together as one file to run this? By the way, drag/drop also won't work in explorer for the saved files to be run thereby dropping cfscript on ComboFix.

#12 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 February 2008 - 08:59 AM

Ok, we'll figure this out. :thumbsup:
Make sure you have both Combofix.exe and CFScript saved on your desktop.

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%Userprofile%\Desktop\cf.exe" "C:\Documents and Settings\Bill\Desktop\CFScript.txt"


That should do it. Please post the resulting log.

#13 elmotodd
  • Topic Starter
  • Members
  • 13 posts

Posted 02 February 2008 - 04:33 PM

Sam,

The code you sent worked; Combofix ran and then rebooted. It was preparing a log file when the program window disappeared, and I'm unable to locate ComboFix.txt to send you the log; it's not on the desktop and I'm not able to do searches for files in this crippled system.

Also, CFScript.txt was on the desktop when I began the last run, but it's not there now. Was it supposed to go away when Combofix completed? CF.exe (the renamed ComboFix) is still on the desktop.

Do I need to put CFScript back on the desktop and run the whole thing again?

I tried running the Kaspersky Scan, but was unable to download the necessary files. This is a new problem: when I try to download a file, the server connection is reset and the download fails.

#14 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 February 2008 - 09:57 AM

Let's work with what we have for now. Check here and post this log.

C:\Qoobox\ComboFix-quarantined-files.txt

If you can, run combofix again and post a new log. Also post a new hijackthis log.


Do you have another computer that you would be able to download files with and then transfer them over to the infected machine?

#15 elmotodd
  • Topic Starter
  • Members
  • 13 posts

Posted 04 February 2008 - 12:21 PM

Here is the Combofix-quarantined-files.txt file:

2005-08-12 14:46 139 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\urls.dat.vir
2005-10-20 09:06 2 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\version.txt.vir
2005-10-28 21:50 18 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\affid.dat.vir
2005-10-28 21:50 40 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\uid.dat.vir
2005-10-28 21:56 12 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\regexpDate.dat.vir
2005-10-28 21:56 538 --a--c--- C:\Qoobox\Quarantine\C\Program Files\DNS\regexp.dat.vir
2005-11-04 15:22 2217897 --a--c--- C:\Qoobox\Quarantine\C\Documents and Settings\David.BILL\Application Data\Install.dat.vir
2007-10-11 18:12 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\gf1002.cnf3.vir
2007-10-12 04:01 5 --a------ C:\Qoobox\Quarantine\C\WINDOWS\gf1002.cnf2.vir
2007-12-11 20:57 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ctl_w32.sys.vir
2008-01-17 13:11 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ksvcl.dll.vir
2008-01-17 13:11 606 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kcopt.dll.vir
2008-01-18 14:45 39424 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqnnnl.dll.vir
2008-01-18 14:46 15360 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drvremr.dll.vir
2008-01-19 15:18 76352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vdhvdpxn.dll.vir
2008-01-19 15:21 163904 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mkhyyvev.dll.vir
2008-01-19 15:21 87104 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\unyhgyda.dll.vir
2008-01-20 05:51 42496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\17467.exe.vir
2008-01-20 05:52 42496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\KernelDrv.exe.vir
2008-01-20 05:54 280064 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\scchk32.exe.vir
2008-01-20 21:09 1073712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\adyghynu.ini.vir
2008-01-21 11:19 76352 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\evjyxfvv.dll.vir
2008-01-21 11:19 88640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\blbyareh.dll.vir
2008-01-21 14:54 255 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-01-22 12:52 8836 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ttutv.ini.vir
2008-01-22 12:52 8836 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ttutv.ini2.vir
2008-01-25 14:16 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-01-29 16:04 1136777 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\herayblb.ini.vir
2008-01-30 16:13 1034 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CTL_W32.reg.dat
2008-01-30 16:13 1034 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_SMTPDRV.reg.dat
2008-01-30 16:13 1138 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NM.reg.dat
2008-01-30 16:13 1148 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.dat
2008-01-30 16:13 1158 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME2.reg.dat
2008-01-30 16:13 1160 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.dat
2008-01-30 16:13 1178 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_INR48.reg.dat
2008-01-30 16:13 2474 --a------ C:\Qoobox\Quarantine\Registry_backups\services_Inr48.reg.dat
2008-01-30 16:13 2556 --a------ C:\Qoobox\Quarantine\Registry_backups\services_mp32.reg.dat
2008-01-30 16:13 5080 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.dat
2008-01-30 16:13 758 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_GB.reg.dat
2008-01-30 16:13 870 --a------ C:\Qoobox\Quarantine\Registry_backups\services_ctl_w32.reg.dat
2008-01-30 16:13 876 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_LANMANDRV.reg.dat
2008-01-30 16:13 896 --a------ C:\Qoobox\Quarantine\Registry_backups\services_smtpdrv.reg.dat
2008-01-30 16:14 54764 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dxdss.sys.vir
2008-01-30 16:14 584 --a------ C:\Qoobox\Quarantine\catchme.log
2008-01-30 16:14 64820 --a------ C:\Qoobox\Quarantine\catchme2008-01-30_162125.42.zip
2008-01-30 16:15 10701 --a------ C:\Qoobox\Quarantine\C\cf\errdbg.dat.vir
2008-01-30 16:16 25984 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Inr48.sys.vir
2008-01-30 16:19 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\6_exception.nls.vir


Below is the logfile from running ComboFix with CFScript:

ComboFix 08-01-30.1 - Bill 2008-02-04 11:43:41.3 - NTFSx86
Running from: C:\Documents and Settings\Bill\Desktop\cf.exe
Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\drvrem.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\drivers\Ejn04.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\drvrem.dll
C:\WINDOWS\system32\drivers\Yei50.sys
C:\WINDOWS\system32\drvrem.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\LEGACY_SMTPDRV
-------\LEGACY_YEI50
-------\smtpdrv
-------\Yei50


-------\LEGACY_EJN04
-------\LEGACY_NPF
-------\Ejn04


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 11:53 . 2008-02-04 11:53 0 --a------ C:\WINDOWS\system32\3_exception.nls
2008-02-01 17:30 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-02-01 17:30 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-02-01 17:30 . 2002-07-17 16:22 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-02-01 17:30 . 2002-07-17 16:22 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-02-01 17:16 . 2008-02-01 17:16 <DIR> d-------- C:\adaptec
2008-01-31 20:58 . 2008-01-31 20:58 1,590,379 --a------ C:\cf.exe
2008-01-31 18:25 . 2008-01-31 18:25 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-28 21:03 . 2008-01-29 15:59 <DIR> d-------- C:\ComboFix
2008-01-26 10:56 . 2008-01-26 10:56 206 --a------ C:\WINDOWS\wininit.ini
2008-01-25 16:42 . 2008-01-25 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 16:00 . 2008-01-25 16:00 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\HouseCall 6.6
2008-01-25 15:42 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\Bill\.housecall6.6
2008-01-24 14:00 . 2008-01-25 14:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 13:57 . 2008-01-25 15:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-24 13:10 . 2008-02-01 17:57 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Lavasoft
2008-01-21 16:03 . 2008-02-04 11:51 2,444 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-18 16:36 . 2008-01-20 05:51 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-18 14:46 . 2008-01-18 14:59 2 --a------ C:\-1943412827
2008-01-17 16:36 . 2008-01-17 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-16 13:58 . 2008-02-04 10:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 13:58 . 2008-01-16 13:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 12:44 . 2007-11-07 04:26 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
2008-01-09 12:44 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 16:59 . 2008-01-20 05:51 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 20:16 --------- d-----w C:\Program Files\BitTorrent
2008-02-01 22:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-31 16:28 --------- d-----w C:\Program Files\XoftSpySE
2008-01-24 00:07 --------- d-----w C:\Program Files\McAfee.com
2008-01-22 05:11 --------- d-----w C:\Program Files\Replay AV 8
2008-01-22 05:10 --------- d-----w C:\Program Files\eMule
2008-01-21 21:00 --------- d-----w C:\Program Files\McAfee
2008-01-20 10:42 99,840 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe
2008-01-20 10:42 768,512 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
2008-01-20 10:42 743,936 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2008-01-20 10:42 35,328 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\notiflag.exe
2008-01-20 10:42 18,944 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\hscupd.exe
2008-01-20 10:24 94,208 ----a-r C:\WINDOWS\SM1bg.exe
2008-01-20 10:24 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-20 10:24 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-01-20 10:24 32,768 ----a-w C:\WINDOWS\slrundll.exe
2008-01-20 10:24 306,688 ----a-w C:\WINDOWS\IsUninst.exe
2008-01-20 10:24 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-01-20 10:24 266,240 -c--a-r C:\WINDOWS\SM1nint.exe
2008-01-20 10:24 25,600 -c--a-w C:\WINDOWS\twunk_32.exe
2008-01-20 10:24 18,944 -c--a-w C:\WINDOWS\ALI.EXE
2008-01-20 10:24 15,360 -c--a-w C:\WINDOWS\TASKMAN.EXE
2008-01-20 10:24 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-01-20 10:24 14,848 -c--a-w C:\WINDOWS\MAGIC.EXE
2008-01-20 10:24 10,752 ----a-w C:\WINDOWS\hh.exe
2008-01-20 03:15 --------- d-----w C:\Program Files\QuickTime
2008-01-19 23:53 1,033,216 ----a-w C:\WINDOWS\explorer.exe
2008-01-18 12:54 --------- d-----w C:\Documents and Settings\Bill\Application Data\BitTorrent
2008-01-17 20:37 9,216 ----a-w C:\flashsaver6.dat
2008-01-11 21:19 --------- d-----w C:\Program Files\WM Recorder 10.2
2008-01-10 15:44 --------- d-----w C:\Program Files\DivX
2008-01-10 08:06 21,760 ----a-w C:\WINDOWS\Puy50.sys
2008-01-06 19:27 --------- d-----w C:\Program Files\MegaSpoof
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 02:14 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-01-04 02:12 --------- d-----w C:\Documents and Settings\Bill\Application Data\McAfee
2008-01-03 18:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-01 21:11 21,760 ----a-w C:\WINDOWS\Puy50(2).sys
2008-01-01 15:39 21,760 ----a-w C:\WINDOWS\Puy50(3).sys
2008-01-01 15:18 21,760 ----a-w C:\WINDOWS\Puy50(4).sys
2007-12-20 17:22 21,760 ----a-w C:\WINDOWS\system32\drivers\Puy50.sys
2007-12-19 00:57 --------- d-----w C:\Program Files\TorrentSeek
2007-12-19 00:47 --------- d-----w C:\Program Files\Digital Locker Assistant
2007-12-14 15:20 --------- d-----w C:\Program Files\Microsoft Broadband Networking
2007-12-04 20:44 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-09-24 15:26 27,704 ----a-w C:\Documents and Settings\Bill\Application Data\GDIPFONTCACHEV1.DAT
2005-03-05 02:58 70,472 -c--a-w C:\Documents and Settings\WEL\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 22:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr48.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart]
--a------ 2008-01-19 21:28 5308416 C:\Program Files\eMule\emule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2008-01-19 21:36 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2008-01-19 21:36 49152 c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2008-01-20 06:00 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-19 22:04 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-19 22:15 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2008-01-19 22:27 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-ra------ 2008-01-20 05:24 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"MpfService"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"mcmispupdmgr"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"iPod Service"=3 (0x3)
"hpdj01"=2 (0x2)
"gusvc"=2 (0x2)
"Emproxy"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 21:56:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 06:02:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-03 18:46:41 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-22 14:12:37 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-17 17:04:55 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-22 14:12:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-22 14:08:38 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 11:56:23
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2008-02-04 12:03:44 - machine was rebooted [Bill]
ComboFix-quarantined-files.txt 2008-02-04 17:03:39
ComboFix2.txt 2008-01-30 21:28:47
.
2008-01-11 08:02:20 --- E O F ---



Here's a new Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:04 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: TorrentSeek toolbar - {6bcb43af-a20f-4996-8860-48f511a222db} - C:\Program Files\TorrentSeek\tbTorr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199982601343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...211/mcfscan.cab
O23 - Service: AppMgmt - Apple, Inc. - (no file)
O23 - Service: ASP.NET State Service (aspnet_state) - Apple, Inc. - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McNASvc - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 6562 bytes


I do not have another computer to use for downloads, but if it's critical to getting this resolved, I'll try to borrow one.
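As an added example for this thread (not HijackThis or ComboFix code, and not from either poster): a Python check that reads the O2 (BHO), O3 (toolbar) and O23 (service) lines of a HijackThis log and does two things a helper would otherwise do by eye: it confirms that none of the BHO CLSIDs listed under Registry:: in the CFScript earlier in the thread still appear, and it lists services whose image path is reported as "(no file)". The log excerpt is copied from the new HijackThis log above; one additional O2 line is constructed, reusing a removed CLSID, to show what a leftover entry would look like to the check.

```python
"""Check a HijackThis log against the BHO removal list from the CFScript.

Added example for this thread, not HijackThis's or ComboFix's own code.
Assumes the standard HijackThis line layouts:
  O2  - BHO: <name> - {CLSID} - <path>
  O3  - Toolbar: <name> - {CLSID} - <path>
  O23 - Service: <name> - <vendor> - <path>
"""
import re
from typing import Dict, List, Set

# BHO CLSIDs listed for removal under Registry:: in the CFScript posted
# earlier in this thread (copied as written there).
REMOVED_BHO_CLSIDS: Set[str] = {
    "{913DC301-80B8-481C-BDAD-F90D0CB8C164}",
    "{A95B2816-1D7E-4561-A202-68C0DE02353A}",
    "{cf12f8b0-d00a-461a-90ca-24712637db32}",
    "{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}",
}

# Excerpt of the new HijackThis log posted above (copied from the thread).
NEW_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: TorrentSeek toolbar - {6bcb43af-a20f-4996-8860-48f511a222db} - C:\Program Files\TorrentSeek\tbTorr.dll
O23 - Service: AppMgmt - Apple, Inc. - (no file)
O23 - Service: ASP.NET State Service (aspnet_state) - Apple, Inc. - (no file)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Constructed line (not from the thread): a BHO that reuses one of the removed
# CLSIDs, so the check has something to report.  The DLL name is a placeholder.
CONSTRUCTED_STALE_LINE = (
    r"O2 - BHO: (no name) - {913DC301-80B8-481C-BDAD-F90D0CB8C164}"
    r" - C:\WINDOWS\system32\example-leftover.dll"
)

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY_RE = {
    "bho": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "toolbar": re.compile(rf"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "service": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def parse_hjt(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group O2/O3/O23 lines by kind; every other line type is ignored."""
    entries: Dict[str, List[Dict[str, str]]] = {kind: [] for kind in ENTRY_RE}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in ENTRY_RE.items():
            m = rx.match(line)
            if m:
                entries[kind].append(m.groupdict())
                break
    return entries


def remaining_removed_clsids(text: str, removed: Set[str] = REMOVED_BHO_CLSIDS) -> Set[str]:
    """CLSIDs from the removal list that still appear as a BHO or toolbar.

    The comparison is case-insensitive (the registry is); the result keeps
    the spelling used in the removal list.  An empty set means the
    Registry:: deletions took effect.
    """
    wanted = {c.upper(): c for c in removed}
    parsed = parse_hjt(text)
    present = {e["clsid"].upper() for e in parsed["bho"] + parsed["toolbar"]}
    return {wanted[c] for c in present & set(wanted)}


def services_without_file(text: str) -> List[str]:
    """Names of O23 services whose image path is reported as '(no file)'."""
    return [e["name"] for e in parse_hjt(text)["service"] if e["path"] == "(no file)"]


if __name__ == "__main__":
    print("removed CLSIDs still present:", remaining_removed_clsids(NEW_LOG) or "none")
    print("services with no file:", services_without_file(NEW_LOG))
    print("with constructed stale line:",
          remaining_removed_clsids(NEW_LOG + CONSTRUCTED_STALE_LINE))
```

Against the real excerpt the first check returns an empty set, which is the confirmation a helper wants after a scripted removal; the constructed line is the only way to make it report anything here. The "(no file)" list is just the two orphaned service entries from the log, surfaced so they are not overlooked in a long O23 section.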



