Outerinfo!



#1 hillaryperson (Members, 3 posts)

Posted 05 February 2008 - 05:22 PM

Hi there, e'erbody. I am new to this site and extremely computer illiterate, so please bear with me. Months ago, our notebook became infected with Outerinfo, which I'm sure you're all accustomed to now. Well, it eventually became the ruin of that laptop and so we bought a new one. And now THAT one is infected. We installed Firefox and that seems to keep the pop-ups at bay for the most part. I've also run Avast Antivirus which is, from what I've heard, one of the best programs out there. Well, every time we receive a pop-up, it informs us that there is a new trojan, but none of the options it lists work! I've run Ad-Aware, and that won't get rid of anything either. I'm at the end of my rope!! Please help! Here is my HJT log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\YSTEM~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [rrou] C:\PROGRA~1\COMMON~1\rrou\rroum.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsyb.html

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 07 February 2008 - 10:52 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, hillaryperson.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix by sUBs and save it to your desktop.
Alternative ComboFix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#3 hillaryperson (Topic Starter, Members, 3 posts)

Posted 26 February 2008 - 02:06 PM

Okay, sorry this has taken so long. Here is the ComboFix log:

ComboFix 08-02-25.3 - user 2008-02-26 10:51:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.253 [GMT -8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\user\Application Data\WinTouch
C:\Documents and Settings\user\Application Data\WinTouch\wintouch.cfg
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~1\t?skmgr.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINDOWS\b116.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\afasygdv.ini
C:\WINDOWS\system32\alorevmf.ini
C:\WINDOWS\system32\awtsqoo.dll
C:\WINDOWS\system32\bmpxjfkd.dll
C:\WINDOWS\system32\buoljaur.ini
C:\WINDOWS\system32\cckqboxr.dll
C:\WINDOWS\system32\cjevpgtl.dll
C:\WINDOWS\system32\dhbxxiqi.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\HSFCCNXTT.sys
C:\WINDOWS\system32\dstolsln.dll
C:\WINDOWS\system32\eokewvww.ini
C:\WINDOWS\system32\evqbxkow.ini
C:\WINDOWS\system32\fccddcc.dll
C:\WINDOWS\system32\fdldfutf.ini
C:\WINDOWS\system32\fmrsodhv.ini
C:\WINDOWS\system32\fqgnrjyq.dll
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\heqwifay.dll
C:\WINDOWS\system32\hesntkmk.dll
C:\WINDOWS\system32\hgddcbb.dll
C:\WINDOWS\system32\hrajclvg.ini
C:\WINDOWS\system32\iugnywcm.dll
C:\WINDOWS\system32\iyyasoqs.dll
C:\WINDOWS\system32\jdmvpwcw.dll
C:\WINDOWS\system32\jdrwuscx.dll
C:\WINDOWS\system32\jovtipss.dll
C:\WINDOWS\system32\jufagxqj.dll
C:\WINDOWS\system32\kwrovdgy.ini
C:\WINDOWS\system32\ljjgfcb.dll
C:\WINDOWS\system32\ltwqllaf.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgfcb.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nmpeusky.ini
C:\WINDOWS\system32\npucgjxv.dll
C:\WINDOWS\system32\nwgaiumd.dll
C:\WINDOWS\system32\orbawdbf.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qlbrhtum.ini
C:\WINDOWS\system32\qomljif.dll
C:\WINDOWS\system32\qovhwjda.dll
C:\WINDOWS\system32\qoxxtslq.ini
C:\WINDOWS\system32\qvrhytat.dll
C:\WINDOWS\system32\spqqjcni.dll
C:\WINDOWS\system32\sspitvoj.ini
C:\WINDOWS\system32\ssqppnm.dll
C:\WINDOWS\system32\syqbouhb.dll
C:\WINDOWS\system32\tmsphaki.dll
C:\WINDOWS\system32\tuspnol.dll
C:\WINDOWS\system32\tuvspml.dll
C:\WINDOWS\system32\vhjfmgba.dll
C:\WINDOWS\system32\vtuusrs.dll
C:\WINDOWS\system32\wqccepeu.dll
C:\WINDOWS\system32\yafiwqeh.ini
C:\WINDOWS\system32\ycnxietn.dll
C:\WINDOWS\system32\ydjhylln.dll
C:\WINDOWS\system32\ygdvorwk.dll
C:\WINDOWS\system32\yhudiyme.dll
C:\WINDOWS\system32\yksuepmn.dll
C:\WINDOWS\system32\yspgaahy.ini
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem~1\?ystem\
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HSFCCNXTT
-------\LEGACY_MSUPDATE
-------\LEGACY_NETWORK_MONITOR
-------\HSFCCNXTT
-------\msupdate


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 10:46 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-26 10:45 . 2008-02-26 10:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-26 10:32 . 2008-02-26 10:32 <DIR> d-------- C:\Documents and Settings\user\.SunDownloadManager
2008-02-22 09:04 . 2008-02-22 09:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-22 09:04 . 2008-02-22 09:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-21 21:27 . 2008-02-26 10:40 70,874 --a------ C:\WINDOWS\BM9f2ebfaf.xml
2008-02-21 21:27 . 2008-02-26 10:51 21 --a------ C:\WINDOWS\pskt.ini
2008-02-21 21:10 . 2008-02-21 21:12 <DIR> d-------- C:\Program Files\QuickTime
2008-02-21 21:10 . 2008-02-21 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-21 21:09 . 2008-02-21 21:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-21 21:09 . 2008-02-21 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-20 00:34 . 2008-02-20 00:34 125,440 --a------ C:\WINDOWS\system32\msupdtck.exe
2008-02-20 00:34 . 2008-02-20 00:34 6,144 --a------ C:\Documents and Settings\user\Application Data\msvcrit.dll
2008-02-20 00:33 . 2008-02-20 00:33 13,312 --a------ C:\Documents and Settings\user\p4ck.exe
2008-02-20 00:33 . 2008-02-24 02:02 6,144 --a------ C:\WINDOWS\system32\msvcrit.dll
2008-02-16 18:02 . 2008-02-16 18:02 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-02-16 18:02 . 2008-02-16 18:02 30,515 --a------ C:\WINDOWS\War3Unin.dat
2008-02-16 18:02 . 2008-02-16 18:02 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-02-16 16:57 . 2008-02-16 17:04 <DIR> d-------- C:\Program Files\Warcraft III
2008-02-16 08:19 . 2008-02-16 08:19 31 --a------ C:\WINDOWS\bluevoda.ini
2008-02-15 17:17 . 2008-02-15 17:17 <DIR> d-------- C:\Program Files\BlueVoda Website Builder
2008-02-15 17:17 . 2008-02-15 17:17 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-02-14 21:03 . 2008-02-23 18:05 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-14 13:29 . 2008-02-14 13:29 <DIR> d-------- C:\Program Files\EwisoftWeb
2008-02-14 13:29 . 2008-02-14 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EwisoftWeb
2008-02-14 13:25 . 2008-02-14 13:25 <DIR> d-------- C:\Slashstone
2008-02-13 23:25 . 2008-02-13 23:25 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-13 23:00 . 2008-02-13 23:00 2,890 --a------ C:\welcome.html
2008-02-10 02:33 . 2008-02-10 02:33 <DIR> d-------- C:\Documents and Settings\user\Application Data\Flickr
2008-02-10 02:32 . 2008-02-11 22:14 <DIR> d-------- C:\Program Files\Flickr Uploadr
2008-02-09 04:25 . 2008-02-09 04:25 <DIR> d-------- C:\WPIR
2008-02-09 04:15 . 1996-07-18 13:06 297,472 --a------ C:\WINDOWS\uninst.exe
2008-02-09 04:12 . 2008-02-09 04:12 <DIR> d-------- C:\GAMES
2008-02-09 00:23 . 2008-02-09 00:23 <DIR> d-------- C:\WINDOWS\A3W_DATA
2008-02-09 00:23 . 2008-02-09 00:23 <DIR> d-------- C:\Documents and Settings\user\WINDOWS
2008-02-08 13:31 . 2007-01-16 20:10 25,088 --a------ C:\WINDOWS\system32\mssrv32.exe
2008-02-08 13:21 . 2008-02-08 13:31 <DIR> d-------- C:\Program Files\FriendBlasterPro
2008-02-08 13:21 . 2005-07-15 12:49 245,760 --a------ C:\WINDOWS\system32\aUpdateNow.ocx
2008-02-08 13:21 . 2000-05-22 00:00 140,488 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-02-08 13:21 . 2000-07-15 00:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-02-07 23:51 . 2008-02-07 23:51 <DIR> d-------- C:\Program Files\LimeWire
2008-02-07 23:51 . 2008-02-14 09:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\LimeWire
2008-02-06 18:00 . 2008-02-06 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-06 15:33 . 2008-02-06 15:33 <DIR> d-------- C:\Program Files\Bonjour
2008-02-06 15:18 . 2008-02-06 15:18 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-06 14:53 . 2008-02-13 23:17 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-06 14:03 . 2008-02-06 14:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\Jasc Software Inc
2008-02-06 14:01 . 2008-02-06 14:03 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-02-05 13:33 . 2008-02-05 14:21 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2008-02-05 13:32 . 2008-02-05 13:32 <DIR> d-------- C:\WINDOWS\Sun
2008-02-05 13:17 . 2008-02-05 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 12:20 . 2008-02-26 10:46 <DIR> d-------- C:\Program Files\Java
2008-02-05 12:20 . 2008-02-05 12:20 90,688 --a------ C:\WINDOWS\system32\selsolrn.dll
2008-02-05 12:15 . 2008-02-05 12:15 40,960 --a------ C:\WINDOWS\system32\fadgsd.exe
2008-02-05 12:15 . 2008-02-05 12:15 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-05 11:01 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-05 11:01 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-05 11:01 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-05 11:00 . 2008-02-05 11:00 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-05 11:00 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-02-05 11:00 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-05 11:00 . 2003-03-18 11:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-02-05 11:00 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-05 11:00 . 2003-02-20 19:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-02-05 11:00 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-05 11:00 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-05 11:00 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-05 10:48 . 2008-02-05 10:48 <DIR> d-------- C:\WINDOWS\rrou
2008-02-05 10:48 . 2008-02-05 11:07 <DIR> d-------- C:\Program Files\Common Files\rrou
2008-02-05 10:40 . 2008-02-05 10:40 372 --ah----- C:\aaw7boot.cmd
2008-02-05 10:40 . 2008-02-05 10:40 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-05 10:40 . 2008-02-05 10:40 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-05 10:37 . 2008-02-05 10:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-05 10:37 . 2008-02-05 10:37 50,176 --a------ C:\WINDOWS\system32\ssymman.dll
2008-02-03 00:27 . 2008-02-05 12:21 1,279 --a------ C:\WINDOWS\mozver.dat
2008-02-02 19:03 . 2008-02-02 19:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-02 17:23 . 2008-02-02 18:31 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-02 17:22 . 2008-02-05 10:40 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-02 17:22 . 2008-02-02 17:36 <DIR> d-------- C:\WINDOWS\system32\rom1
2008-02-02 17:22 . 2008-02-05 10:40 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-02 17:22 . 2008-02-05 11:10 <DIR> d--hs---- C:\WINDOWS\dXNlcg
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- C:\Temp\gTiis19
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- C:\Temp\cXzz9
2008-02-02 17:22 . 2008-02-26 10:51 <DIR> d-------- C:\Temp
2008-02-02 13:26 . 2008-02-02 13:26 1,409 --a------ C:\WINDOWS\system32\tmpD878D.FOT
2008-02-02 11:12 . 2008-02-02 11:12 1,409 --a------ C:\WINDOWS\system32\tmp3F4EB.FOT
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmpE522E.FOT
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmpDA72E.FOT
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmp8632E.FOT
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmp6D82E.FOT
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmp6562E.FOT
2008-01-31 19:09 . 2008-01-31 19:09 1,409 --a------ C:\WINDOWS\system32\tmp2792E.FOT
2008-01-31 19:08 . 2008-01-31 19:08 1,409 --a------ C:\WINDOWS\system32\tmpE4B1D.FOT
2008-01-31 09:32 . 2008-01-31 09:32 1,409 --a------ C:\WINDOWS\system32\tmpF9586.FOT
2008-01-31 09:32 . 2008-01-31 09:32 1,409 --a------ C:\WINDOWS\system32\tmpC7386.FOT
2008-01-31 09:32 . 2008-01-31 09:32 1,409 --a------ C:\WINDOWS\system32\tmpC0686.FOT
2008-01-31 09:32 . 2008-01-31 09:32 1,409 --a------ C:\WINDOWS\system32\tmp97686.FOT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 06:28 --------- d-----w C:\Documents and Settings\user\Application Data\Sonic
2008-02-05 18:38 10 ----a-w C:\Program Files\.autoreg
2008-01-31 17:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2005-07-30 00:24 472 --sha-r C:\WINDOWS\dXNlcg\xrh5w0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{016061A4-604A-495C-B9A5-C48F5EC872F1}]
C:\Program Files\Internet Explorer\hokesodul83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1231B9CB-712F-2DA0-5161-2B00B9CC8FCB}]
C:\WINDOWS\system32\ahd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{221BBF54-3327-4548-9006-84385B1A5840}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D32F3FC-D643-4979-ACC5-F08C9E185253}]
C:\Program Files\Internet Explorer\hokesodul4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53834DC5-F44C-4BBD-FAB1-CA04BF835492}]
C:\Program Files\Online Services\lavum976.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\profsyb.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 21:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ltwqllaf]
ltwqllaf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c1d8c33]
C:\WINDOWS\system32\ftufdldf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 05:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f2ebfaf]
C:\WINDOWS\system32\jdrwuscx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssfhern]
C:\Program Files\Common Files\?asks\t?skmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
C:\DOCUME~1\user\LOCALS~1\Temp\2008126171112_mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-07-19 17:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-19 17:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-19 17:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-07-22 21:47 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-07-22 21:46 401408 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
C:\DOCUME~1\user\LOCALS~1\Temp\2008126171112_mcinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mssdbsrv]
--a------ 2008-02-20 00:34 125440 C:\WINDOWS\system32\msupdtck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rrou]
C:\PROGRA~1\COMMON~1\rrou\rroum.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
C:\WINDOWS\system32\YSTEM~1\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\user\\My Documents\\Downloads\\Classic Games\\Atlantis\\Warcraft III\\Warcraft III.exe"=
"C:\\Documents and Settings\\user\\My Documents\\Downloads\\Classic Games\\Atlantis\\Warcraft III\\War3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 07:15:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 10:58:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-26 11:00:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 19:00:42





And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:02 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {016061A4-604A-495C-B9A5-C48F5EC872F1} - C:\Program Files\Internet Explorer\hokesodul83122.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1231B9CB-712F-2DA0-5161-2B00B9CC8FCB} - C:\WINDOWS\system32\ahd.dll (file missing)
O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - rtypiclor.dll (file missing)
O2 - BHO: (no name) - {3D32F3FC-D643-4979-ACC5-F08C9E185253} - C:\Program Files\Internet Explorer\hokesodul4444.dll (file missing)
O2 - BHO: 0 - {53834DC5-F44C-4BBD-FAB1-CA04BF835492} - C:\Program Files\Online Services\lavum976.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O20 - Winlogon Notify: ltwqllaf - ltwqllaf.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsyb.html

--
End of file - 4420 bytes
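The two HijackThis logs in this thread were read by hand. The script below is an added example, not code from the thread, from HijackThis or from the helper, that applies some of the same reading rules to a handful of lines constructed from the logs above: it flags entries whose file is missing, BHOs and toolbars with no display name, targets given as a bare file name, 8.3 short names placed directly under WINDOWS or system32 (the `YSTEM~1` directory in the `Sen` entry), `?` placeholders for unprintable characters, programs starting from a profile or temp directory, and Active Desktop components backed by a local HTML file. It deliberately leaves `rroum.exe` unflagged: nothing in that line alone is abnormal, and the helper identified it from the ComboFix file-creation timeline instead, which is why a triage script like this is a first pass and not a verdict.

```python
"""Heuristic triage of HijackThis log entries.

Added example written for this thread; it is not code from HijackThis,
ComboFix or the forum helper. SAMPLE_LOG is constructed from lines that
appear in the thread's logs.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|cpl|scr|vbs|html?))(?:\s|$)", re.I)
USER_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    entry: str
    target: str
    reasons: list = field(default_factory=list)


def target_of(section: str, body: str) -> str:
    """Extract the file the entry loads, without arguments or status tags."""
    body = body.replace("(file missing)", "").replace("(no file)", "")
    body = body.strip().rstrip("-").strip()
    if section == "O4":                       # O4 - HKLM\..\Run: [name] <command line>
        m = re.search(r"\]\s*(.*)$", body)
        target = m.group(1) if m else body
    else:                                     # the last " - " separated field is the path
        target = body.rsplit(" - ", 1)[-1]
    if target.startswith("{"):                # only a CLSID survived: no file at all
        return ""
    if target.startswith('"'):                # quoted path followed by arguments
        return target[1:].split('"', 1)[0]
    m = EXT_RE.match(target)                  # unquoted path, possibly containing spaces
    return m.group(1) if m else target


def reasons_for(section: str, body: str, target: str) -> list:
    """Apply the reading rules; an empty list means nothing looked odd."""
    low = target.lower()
    hits = []
    if "(file missing)" in body or "(no file)" in body:
        hits.append("loading point references a file that no longer exists")
    if section in ("O2", "O3") and "(no name)" in body:
        hits.append("BHO/toolbar registered without a display name")
    if target and "\\" not in target and EXT_RE.match(target):
        hits.append("bare file name resolved through the DLL search path")
    if re.search(r"\\(windows|system32)\\[^\\]*~\d", low):
        hits.append("8.3 short name directly under WINDOWS or system32")
    if "?" in target:
        hits.append("unprintable character in the path")
    if any(d in low for d in USER_DIRS):
        hits.append("launches from a user-writable profile or temp directory")
    if section == "O24" and low.endswith((".htm", ".html")):
        hits.append("Active Desktop component backed by a local HTML file")
    return hits


def triage(log_text: str) -> list:
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                          # process list, headers, blank lines
        section, body = m.groups()
        target = target_of(section, body)
        reasons = reasons_for(section, body, target)
        if reasons:
            findings.append(Finding(section, line.strip(), target, reasons))
    return findings


# Constructed sample: a mix of the clean and the flagged lines from the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {016061A4-604A-495C-B9A5-C48F5EC872F1} - C:\Program Files\Internet Explorer\hokesodul83122.dll (file missing)
O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - rtypiclor.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\YSTEM~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [rrou] C:\PROGRA~1\COMMON~1\rrou\rroum.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O20 - Winlogon Notify: ltwqllaf - ltwqllaf.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsyb.html
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target or '(no file)'}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run it as a script to print each flagged entry with its reasons; the clean Adobe, Google, avast and Java entries produce no output, and the `O9` Java console button is left alone even though it reports `(no name)`, because that is how Sun's own entry shows up.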

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 01 March 2008 - 09:43 AM

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\BM9f2ebfaf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\msupdtck.exe
C:\Documents and Settings\user\p4ck.exe
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\selsolrn.dll
C:\WINDOWS\system32\fadgsd.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\ssymman.dll
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\tmpD878D.FOT
C:\WINDOWS\system32\tmp3F4EB.FOT
C:\WINDOWS\system32\tmpE522E.FOT
C:\WINDOWS\system32\tmpDA72E.FOT
C:\WINDOWS\system32\tmp8632E.FOT
C:\WINDOWS\system32\tmp6D82E.FOT
C:\WINDOWS\system32\tmp6562E.FOT
C:\WINDOWS\system32\tmp2792E.FOT
C:\WINDOWS\system32\tmpE4B1D.FOT
C:\WINDOWS\system32\tmpF9586.FOT
C:\WINDOWS\system32\tmpC7386.FOT
C:\WINDOWS\system32\tmpC0686.FOT
C:\WINDOWS\system32\tmp97686.FOT
Folder::
C:\WINDOWS\rrou
C:\Program Files\Common Files\rrou
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\rom1
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\WINDOWS\dXNlcg
C:\Temp\gTiis19
C:\Temp\cXzz9
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{016061A4-604A-495C-B9A5-C48F5EC872F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1231B9CB-712F-2DA0-5161-2B00B9CC8FCB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{221BBF54-3327-4548-9006-84385B1A5840}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D32F3FC-D643-4979-ACC5-F08C9E185253}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53834DC5-F44C-4BBD-FAB1-CA04BF835492}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ltwqllaf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c1d8c33]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM9f2ebfaf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssfhern]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mssdbsrv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rrou]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
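To illustrate the CFScript format used in the reply above, here is an added example (not part of the thread, and not ComboFix's or its author's code): a small Python checker that parses the File::, Folder:: and Registry:: sections and reports what a reviewer should look at before dragging the script onto ComboFix.exe. The sample script is constructed for the example; it reuses a few entries from the reply and adds a relative path, a protected system folder and a registry key without the `[-` deletion marker so that each check fires. The Registry:: semantics assumed here are those of REGEDIT4 files, where `[-KEY]` deletes a key and a plain `[KEY]` creates or keeps it.

```python
"""Parse and sanity-check a ComboFix CFScript before it is handed to ComboFix.

Added example; it is not code from the thread, from ComboFix or from its
author. It understands the three section headers used in the thread's
script (File::, Folder::, Registry::). SAMPLE_SCRIPT is constructed for the
example and contains deliberately malformed and risky entries.
"""
import re

SECTIONS = ("File::", "Folder::", "Registry::")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_KEY_RE = re.compile(
    r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)\\.+\]$", re.I
)
# Deleting any of these as a whole removes the OS or every user profile.
PROTECTED_DIRS = {
    r"c:\windows", r"c:\windows\system32",
    r"c:\program files", r"c:\documents and settings",
}

# Constructed sample: three entries per section, some of them intentionally bad.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\msupdtck.exe
C:\Documents and Settings\user\p4ck.exe
WINDOWS\quit.exe
Folder::
C:\WINDOWS\system32\tip4
C:\Temp
C:\WINDOWS\system32
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{016061A4-604A-495C-B9A5-C48F5EC872F1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
"""


def parse_cfscript(text: str) -> dict:
    """Split the script into sections; each non-blank line belongs to the last header seen."""
    sections = {name: [] for name in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def check_cfscript(sections: dict) -> dict:
    """Errors mean 'do not run this script'; warnings mean 'look at this twice'."""
    errors, warnings = [], []
    for kind in ("File::", "Folder::"):
        for path in sections[kind]:
            if not ABS_PATH_RE.match(path):
                errors.append(f"{kind} {path}: not an absolute drive path")
            elif "*" in path or "?" in path:
                warnings.append(f"{kind} {path}: contains '?' or '*', confirm the literal name")
    for path in sections["Folder::"]:
        low = path.lower().rstrip("\\")
        if low in PROTECTED_DIRS:
            errors.append(f"Folder:: {path}: protected system directory")
        elif low.count("\\") == 1:
            warnings.append(f"Folder:: {path}: top-level folder, everything beneath it is removed")
    for key in sections["Registry::"]:
        if not REG_KEY_RE.match(key):
            errors.append(f"Registry:: {key}: not a REGEDIT4 key line")
        elif not key.startswith("[-"):
            warnings.append(f"Registry:: {key}: no '[-' marker, a plain [KEY] is created or kept")
    return {
        "counts": {name: len(entries) for name, entries in sections.items()},
        "errors": errors,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = check_cfscript(parse_cfscript(SAMPLE_SCRIPT))
    print("entries:", report["counts"])
    for line in report["errors"]:
        print("ERROR  ", line)
    for line in report["warnings"]:
        print("WARNING", line)
```

The `C:\Temp` warning is worth keeping even though the reply's script removes that folder on purpose: a reviewer should consciously accept a whole-folder deletion rather than have it slip past among thirty other lines.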