Had Virtumone And Smitfraud


11 replies to this topic

#1 ecamar

  • Members
  • 13 posts

Posted 10 February 2008 - 08:00 PM

Need help doing the final cleanup. I ran combofix and this is my most recent HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:15 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/cci/home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24C61C09-62C0-42ED-B640-53F7FEC9098A} - (no file)
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6234C590-077C-2F8F-0662-5C00B6BA81B4} - (no file)
O2 - BHO: (no name) - {6835E1B5-3150-42DD-91B3-DAF70341A536} - C:\WINDOWS\system32\gebcc.dll (file missing)
O2 - BHO: (no name) - {777F6953-3707-4E1E-AAA7-CC8DB6C831BB} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {92C59415-2E4B-407D-B376-9FC06DD551A3} - (no file)
O2 - BHO: (no name) - {99DFF043-A0A6-4A25-8437-6B4E271EA961} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C03F8E2C-665E-4DE3-9B3C-23C8CE428AB6} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {C2E073C8-EEFC-49F3-A8E3-33059D52E0BB} - (no file)
O2 - BHO: (no name) - {DAB4F89B-27F4-4939-A5A7-237CB100B440} - C:\WINDOWS\system32\awtss.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [D6D6D7DEDBE1DCE0D] 888889908D938E9.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Osru] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Fohi] "C:\Program Files\Common Files\?icrosoft.NET\?ervices.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154921219328
O16 - DPF: {6E48946B-934D-47F5-865E-546711F2D423} (Citrix AGE LiveEdit Transport) - https://remote.sdcda.org/CitrixFEI/Cabs/ERALiveEdit.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O20 - AppInit_DLLs: 37.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

--
End of file - 10274 bytes
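As an added example (not part of this thread, and not HijackThis or ComboFix code), a small Python triage script that applies the indicators an analyst looks for in a log like the one above: unnamed BHOs whose DLL is gone, Run entries launched from user-writable folders, hex-style names, core Windows binary names outside system32, and a populated AppInit_DLLs. The heuristics, thresholds and folder lists are assumptions for the demo, and the sample lines are a constructed subset copied from the log above.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24C61C09-62C0-42ED-B640-53F7FEC9098A} - (no file)
O2 - BHO: (no name) - {6835E1B5-3150-42DD-91B3-DAF70341A536} - C:\WINDOWS\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D6D6D7DEDBE1DCE0D] 888889908D938E9.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [Osru] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Fohi] "C:\Program Files\Common Files\?icrosoft.NET\?ervices.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: 37.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Line shapes for the two HijackThis sections this demo parses in detail.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Heuristic (assumption): 12+ hex characters with no other text is a generated name.
HEX_NAME_RE = re.compile(r'^[0-9A-F]{12,}(\.exe)?$', re.I)

# Heuristic folder list (assumption): a normal autorun is not launched from these.
USER_WRITABLE_PREFIXES = ('c:\\windows\\fonts\\', 'c:\\docume~1\\', 'c:\\documents and settings\\')
# Core Windows binary names; a copy living outside system32 is a classic masquerade.
SYSTEM_BINARY_NAMES = ('svchost.exe', 'services.exe', 'lsass.exe', 'winlogon.exe', 'logonui.exe')


def exe_from_command(cmd):
    """Extract the executable path from a Run-value command line (quoted, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage_line(line):
    """Return the reasons an analyst should look at this HijackThis line (empty if none)."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        target = m.group('target')
        if m.group('name') == '(no name)' and (target == '(no file)' or target.endswith('(file missing)')):
            reasons.append('orphaned BHO: unnamed CLSID whose DLL is no longer on disk')
        return reasons
    m = O4_RE.match(line)
    if m:
        name = m.group('name')
        exe = exe_from_command(m.group('cmd'))
        low = exe.lower()
        base = low.rsplit('\\', 1)[-1]
        if '?' in exe:
            reasons.append('unprintable character in path (HijackThis shows it as ?), likely a look-alike folder name')
        if low.startswith(USER_WRITABLE_PREFIXES):
            reasons.append('autorun launched from a user-writable or unusual folder')
        if HEX_NAME_RE.match(name) or HEX_NAME_RE.match(base):
            reasons.append('random hex-style name, typical of dropped components')
        if base in SYSTEM_BINARY_NAMES and '\\system32\\' not in low:
            reasons.append('core Windows binary name used outside system32')
        return reasons
    if line.startswith('O20 - AppInit_DLLs:') and line.split(':', 1)[1].strip():
        reasons.append('AppInit_DLLs populated: the DLL is loaded into every process that loads user32.dll')
    elif line.startswith('O6 - ') and line.endswith(' present'):
        reasons.append('IE policy restrictions present; confirm they were set by an administrator')
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; returns [(line, [reasons]), ...] for flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print('   ->', r)
```

On the sample above, 8 of the 11 lines are flagged; the Adobe BHO, the QuickTime Run entry and the PunkBuster service pass untouched.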

#2 Blender


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 12 February 2008 - 05:02 AM

Hi and welcome,

Please also post this log:

C:\combofix.txt

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert, can I have a bowl of the freshest worms you have, please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#3 ecamar (Topic Starter)

  • Members
  • 13 posts

Posted 12 February 2008 - 08:35 PM

Thanks. Here is the combofix log.

ComboFix 08-02.05.3 - Owner 2008-02-09 19:26:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.273 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 09:01 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-07 23:05 . 2008-02-07 23:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 19:06 . 2008-02-07 19:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 19:06 . 2008-02-07 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 18:41 . 2008-02-07 18:41 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-06 21:07 . 2008-02-06 21:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-06 21:07 . 2008-02-06 21:07 3,452 --a------ C:\WINDOWS\unins000.dat
2008-02-05 23:29 . 2008-02-05 23:29 <DIR> d-------- C:\WINDOWS\system32\E6E6E7EEEBF1ECF
2008-02-05 23:29 . 2007-12-14 04:40 120,832 --a------ C:\WINDOWS\system32\888889908D938E9.exe
2008-02-05 18:44 . 2008-02-05 18:44 128 --a------ C:\Documents and Settings\Owner\services.exe
2008-02-04 22:55 . 2008-02-04 22:55 <DIR> d-------- C:\Program Files\ManDel Dev
2008-02-04 22:49 . 2008-02-05 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-04 22:45 . 2008-02-04 22:45 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-04 22:42 . 2008-02-04 22:42 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-04 22:42 . 2008-02-04 22:42 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
2008-02-04 22:42 . 2008-02-04 22:42 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-04 22:42 . 2008-02-04 22:42 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-04 22:42 . 2008-02-04 22:42 <DIR> d-------- C:\WINDOWS\system32\hs9
2008-02-04 22:42 . 2008-02-04 22:45 <DIR> d-------- C:\Program Files\RABCO
2008-02-04 22:42 . 2008-02-04 22:42 36,864 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-01-13 23:13 . 2008-01-21 22:07 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-11 00:08 . 2008-02-07 18:40 <DIR> d-------- C:\VundoFix Backups
2008-01-10 21:06 . 2008-01-10 21:06 <DIR> d-------- C:\Program Files\CleanUp!
2008-01-10 00:30 . 2007-11-07 01:26 721,920 --a------ C:\WINDOWS\system32\lsasrv.dll
2008-01-10 00:30 . 2007-10-30 09:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 02:45 --------- d-----w C:\Program Files\Lx_cats
2008-02-10 02:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 05:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 04:41 3,832 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-06 06:59 10 ----a-w C:\Program Files\.autoreg
2008-02-06 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-06 02:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 07:12 --------- d-----w C:\Program Files\Replay AV 8
2008-02-03 20:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-03 20:40 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-11 07:14 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 07:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-11 06:54 --------- d-----w C:\Program Files\Nero
2008-01-07 14:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-01-07 07:42 --------- d-----w C:\Program Files\Setup Files
2008-01-07 07:40 --------- d-----w C:\Program Files\MSI
2008-01-07 07:35 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-01-07 07:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2008-01-07 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-20 05:44 --------- d-----w C:\Program Files\Eraser
2007-12-18 05:11 --------- d-----w C:\Program Files\Microsoft DirectX SDK (February 2007)
2007-12-18 05:11 --------- d-----w C:\Program Files\Common Files\aliaswavefront shared
2007-12-18 05:11 --------- d-----w C:\Program Files\Common Files\Alias Shared
2007-12-11 05:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2007-12-11 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-12-11 05:31 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-12-08 00:41 86,016 ----a-w C:\WINDOWS\system32\Erasext.dll
2007-12-08 00:37 77,824 ----a-w C:\WINDOWS\system32\Eraserl.exe
2007-12-08 00:37 311,296 ----a-w C:\WINDOWS\system32\Eraser.dll
2007-11-17 04:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-30 06:28 39,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 07:06 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-29 07:06 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-29 07:06 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-29 07:06 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-29 07:06 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-29 07:06 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-29 07:06 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-29 07:06 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-29 07:06 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2007-11-08 02:57 423,842 --sha-w C:\WINDOWS\system32\xyadd.bak2
2007-11-08 09:14 435,249 --sha-w C:\WINDOWS\system32\xyadd.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6234C590-077C-2F8F-0662-5C00B6BA81B4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6835E1B5-3150-42DD-91B3-DAF70341A536}]
C:\WINDOWS\system32\gebcc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{777F6953-3707-4E1E-AAA7-CC8DB6C831BB}]
C:\WINDOWS\system32\jkkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92C59415-2E4B-407D-B376-9FC06DD551A3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DFF043-A0A6-4A25-8437-6B4E271EA961}]
C:\WINDOWS\system32\gebcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03F8E2C-665E-4DE3-9B3C-23C8CE428AB6}]
C:\WINDOWS\system32\mljgd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2E073C8-EEFC-49F3-A8E3-33059D52E0BB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAB4F89B-27F4-4939-A5A7-237CB100B440}]
C:\WINDOWS\system32\awtss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2006-10-31 21:25 26624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"ATI Launchpad"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 21:24 57344]
"P2kAutostart"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-04 22:45 61440]
"Osru"="C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" [ ]
"Fohi"="C:\Program Files\Common Files\?icrosoft.NET\?ervices.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"POINTER"="point32.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 15:26 406016]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-20 17:04 155648]
"PCLEPCI"="C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" [2003-09-23 10:04 32768]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2005-09-30 09:47 200704]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 07:05 94208]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-02-24 13:05 73728]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"D6D6D7DEDBE1DCE0D"="888889908D938E9.exe" [2007-12-14 04:40 120832 C:\WINDOWS\system32\888889908D938E9.exe]
"482732dc"="C:\WINDOWS\system32\oisuankm.dll" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-04 22:42:23 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56 217194]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=37.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
R2 WebDriveFSD;WebDrive File System Driver;C:\Program Files\WebDrive\rffsd.sys [2004-04-23 14:10]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]
R3 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2005-10-24 04:33]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 14:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 18:33]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 14:18]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a0c598-74df-11d8-9dca-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99B782AF-0B9A-4FB5-BDD1-D83F4B6218BA}]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AD88BEC6-2BE4-4E8A-A47F-DD87FA67A2A7}]
"%SystemRoot%\twain_32.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 19:32:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RFHelper.dll
.
Completion time: 2008-02-09 19:33:12
ComboFix-quarantined-files.txt 2008-02-10 03:32:51
ComboFix2.txt 2008-02-09 17:26:47
.
2008-02-09 01:34:27 --- E O F ---

#4 Blender


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 13 February 2008 - 04:06 AM

Hi,

Open notepad and copy the following text to it:

file::
C:\WINDOWS\system32\888889908D938E9.exe
C:\Documents and Settings\Owner\services.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\RABCO - Auto Update.lnk

folder::
C:\Program Files\RABCO
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Drmupgds
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\hs9
C:\WINDOWS\system32\E6E6E7EEEBF1ECF

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6234C590-077C-2F8F-0662-5C00B6BA81B4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6835E1B5-3150-42DD-91B3-DAF70341A536}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{777F6953-3707-4E1E-AAA7-CC8DB6C831BB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92C59415-2E4B-407D-B376-9FC06DD551A3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DFF043-A0A6-4A25-8437-6B4E271EA961}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03F8E2C-665E-4DE3-9B3C-23C8CE428AB6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2E073C8-EEFC-49F3-A8E3-33059D52E0BB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAB4F89B-27F4-4939-A5A7-237CB100B440}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Drmupgds"=-
"Osru"=-
"Fohi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D6D6D7DEDBE1DCE0D"=-
"482732dc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a0c598-74df-11d8-9dca-806d6172696f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99B782AF-0B9A-4FB5-BDD1-D83F4B6218BA}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AD88BEC6-2BE4-4E8A-A47F-DD87FA67A2A7}]

dirlook::
C:\Program Files\ManDel Dev

Save the file as CFScript.txt to your desktop.

Close all running programs, including antimalware.
Disconnect from the internet.

Drag CFScript.txt on top of ComboFix.exe

Post the new ComboFix.txt please.

Note:
Do not click on the ComboFix window while it is running or it may stall.

Let me know how the machine is running.

Thanks :thumbsup:

#5 ecamar (Topic Starter)

  • Members
  • 13 posts

Posted 13 February 2008 - 09:04 PM

Thank you so much!! It starts up so much faster. I'm getting overall better performance. Some of those weird processes are no longer there.

Here it is:

ComboFix 08-02.05.3 - Owner 2008-02-13 17:39:42.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.182 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Owner\services.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\888889908D938E9.exe
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Owner\services.exe
C:\Program Files\Drmupgds
C:\Program Files\Drmupgds\Drmupgds.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\888889908D938E9.exe
C:\WINDOWS\system32\E6E6E7EEEBF1ECF
C:\WINDOWS\system32\E6E6E7EEEBF1ECF\1E1E1F262329242
C:\WINDOWS\system32\hs9
C:\WINDOWS\system32\hs9\corab2130.exe
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\kps5\covstadcom7.exe
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\lis6\lenamd83122.exe
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-12 17:09 . 2008-02-12 17:09 <DIR> d-------- C:\Program Files\Viewpoint
2008-02-12 17:09 . 2008-02-12 17:09 <DIR> d-------- C:\Program Files\Shareaza
2008-02-12 17:08 . 2008-02-12 17:08 <DIR> d-------- C:\Program Files\ItsDeductible2006
2008-02-11 22:51 . 2008-02-11 22:51 <DIR> d-------- C:\Program Files\Java
2008-02-11 22:50 . 2008-02-11 22:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-09 19:25 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-07 23:05 . 2008-02-07 23:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 19:06 . 2008-02-07 19:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 19:06 . 2008-02-07 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 18:41 . 2008-02-07 18:41 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-06 21:07 . 2008-02-06 21:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-06 21:07 . 2008-02-06 21:07 3,452 --a------ C:\WINDOWS\unins000.dat
2008-02-04 22:55 . 2008-02-04 22:55 <DIR> d-------- C:\Program Files\ManDel Dev

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 18:55 --------- d-----w C:\Program Files\Lx_cats
2008-02-13 01:08 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-12 03:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2008-02-12 03:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 03:15 --------- d-----w C:\Program Files\TurboTax
2008-02-10 02:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-02-07 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 05:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 04:41 3,832 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-06 06:59 10 ----a-w C:\Program Files\.autoreg
2008-02-06 02:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-06 02:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 07:12 --------- d-----w C:\Program Files\Replay AV 8
2008-02-03 20:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-03 20:40 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-11 07:14 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-11 07:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-11 06:54 --------- d-----w C:\Program Files\Nero
2008-01-07 14:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-01-07 07:42 --------- d-----w C:\Program Files\Setup Files
2008-01-07 07:40 --------- d-----w C:\Program Files\MSI
2008-01-07 07:35 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-01-07 07:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio
2008-01-07 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 05:11 --------- d-----w C:\Program Files\Microsoft DirectX SDK (February 2007)
2007-12-18 05:11 --------- d-----w C:\Program Files\Common Files\aliaswavefront shared
2007-12-18 05:11 --------- d-----w C:\Program Files\Common Files\Alias Shared
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-17 04:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-30 06:28 39,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 07:06 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-08-29 07:06 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-08-29 07:06 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-08-29 07:06 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-08-29 07:06 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-08-29 07:06 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-08-29 07:06 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-08-29 07:06 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-08-29 07:06 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\ManDel Dev ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2006-10-31 21:25 26624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"ATI Launchpad"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 21:24 57344]
"P2kAutostart"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"POINTER"="point32.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 15:26 406016]
"PCTVOICE"="pctspk.exe" [2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-20 17:04 155648]
"PCLEPCI"="C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" [2003-09-23 10:04 32768]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2005-09-30 09:47 200704]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2005-08-01 07:05 94208]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-02-24 13:05 73728]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [ ]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 20:37:56 217194]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 15:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
R2 WebDriveFSD;WebDrive File System Driver;C:\Program Files\WebDrive\rffsd.sys [2004-04-23 14:10]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]
R3 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2005-10-24 04:33]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2006-11-28 22:46]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 14:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 18:33]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 14:18]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 17:44:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RFHelper.dll
.
Completion time: 2008-02-13 17:45:07
ComboFix-quarantined-files.txt 2008-02-14 01:44:41
ComboFix2.txt 2008-02-10 03:33:13
ComboFix3.txt 2008-02-09 17:26:47
.
2008-02-13 22:05:03 --- E O F ---

#6 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 14 February 2008 - 08:18 AM

Hi,

Sure does look better :blink:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
    http://i266.photobucket.com/albums/ii277/s...Kas-Savetxt.gif
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

*Note3
Don't be alarmed at the malware Kaspersky finds in c:\qoobox --- these are the backups ComboFix created.
We'll clean that up last.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert, can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
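The scanner report that follows flags a lot of objects, and the note above about c:\qoobox is the key to reading it: detections inside folders that cleanup tools use for backups (ComboFix's QooBox quarantine, VundoFix Backups, Spybot's Recovery folder, System Restore points) are copies of things already removed, while anything on a live path still needs attention. The script below is an added example, not a tool used in this thread or shipped by any of the products named; the backup-folder list, the function names and the sample lines (copied from the report posted here) are its own assumptions. It parses the "Infected:" lines, labels each by where it lives, and lists only the live ones.

```python
"""Triage helper for a Kaspersky Online Scanner report (added example, not a
tool from this thread). It separates detections sitting in quarantine and
backup folders created by cleanup tools (ComboFix's C:\\QooBox, VundoFix
Backups, Spybot's Recovery folder, System Restore points) from detections on
live paths that still need attention. Folder list and function names are the
example's own assumptions."""
import re
from collections import Counter

# Member-object lines look like:  <path> Infected: <detection name> skipped
# Container summaries ("<path> ZIP: infected - 1 skipped") and
# "<path> Object is locked skipped" lines carry no new detection and are ignored.
_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Case-insensitive substrings identifying folders that only hold copies
# made by cleanup tools (assumed list; extend it for other tools).
_BACKUP_FOLDERS = (
    (r"c:\qoobox\quarantine", "combofix-quarantine"),
    (r"c:\vundofix backups", "vundofix-backup"),
    (r"\spybot - search & destroy\recovery", "spybot-recovery"),
    (r"c:\system volume information\_restore", "system-restore-point"),
)


def classify_path(path):
    """Return the backup-folder label for a path, or 'live' if it is none of them."""
    low = path.lower()
    for marker, label in _BACKUP_FOLDERS:
        if marker in low:
            return label
    return "live"


def parse_report(text):
    """Extract one finding dict per 'Infected:' line of the scanner report."""
    findings = []
    for line in text.splitlines():
        m = _INFECTED.match(line.strip())
        if m:
            path = m.group("path")
            findings.append({"path": path, "name": m.group("name"),
                             "category": classify_path(path)})
    return findings


def summarize(findings):
    """Count findings per category (backup-folder labels plus 'live')."""
    return Counter(f["category"] for f in findings)


def live_findings(findings):
    """Only the detections outside backup folders: these are the ones to act on."""
    return [f for f in findings if f["category"] == "live"]


# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111516.exe Infected: Trojan-Downloader.Win32.VB.bru skipped
C:\VundoFix Backups\gebcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for category, n in sorted(summarize(found).items()):
        print(f"{category:22s} {n}")
    print("live detections to act on:")
    for f in live_findings(found):
        print(f"  {f['path']}  ({f['name']})")
```

Run it against a saved Kaspersky.txt by replacing SAMPLE_REPORT with the file's contents. Container summary lines and locked system files are deliberately not counted, since the former repeat their member detections and the latter are not detections at all; what remains in the live list is the short set of paths worth raising with the helper.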

#7 ecamar
  • Topic Starter
  • Members
  • 13 posts

Posted 15 February 2008 - 01:04 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 9:58:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 567256
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 122500
Number of viruses found: 32
Number of infected objects: 137
Number of suspicious objects: 0
Duration of the scan process: 02:01:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Authentium\ESPC\prf\imdb.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService16.zip/core.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll10.zip/mljgd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip/gebcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip/jkkjg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip/jkkjg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip/gebcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll8.zip/awtss.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll9.zip/awtss.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/svchost.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4253870d-60c917b5.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-2e9ce3cf.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{22FAA1DC-E33D-4FB4-886D-8B3F8E9FEDCF}\Microsoft\Outlook Express\Sent Items.dbx/[From "DDA Enrique Camarena" <ddacamarena@cox.net>][Date Sat, 22 May 2004 20:19:07 -0700]/UNNAMED/eBook Infected: Trojan-Dropper.Win32.Delf.de skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{22FAA1DC-E33D-4FB4-886D-8B3F8E9FEDCF}\Microsoft\Outlook Express\Sent Items.dbx/[From "DDA Enrique Camarena" <ddacamarena@cox.net>][Date Sat, 22 May 2004 20:19:07 -0700]/UNNAMED Infected: Trojan-Dropper.Win32.Delf.de skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{22FAA1DC-E33D-4FB4-886D-8B3F8E9FEDCF}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF59C1.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5AFD.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFF8E0.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\My Documents\ICROSO~1\logonui.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\ICROSO~1.NET\ѕervices.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\Program Files\Drmupgds\Drmupgds.exe.vir Infected: Trojan-Downloader.Win32.Adload.qy skipped
C:\QooBox\Quarantine\C\Program Files\Insider\Insider.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan-Downloader.Win32.Agent.ipm skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\meqosatic4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\meqosatic455101.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\meqosatic83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\QooBox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir Infected: Trojan.Win32.Agent.cmn skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.vir Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\888889908D938E9.exe.vir Infected: Trojan-Downloader.Win32.VB.chy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aetdfnak.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aqockntm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bcwghcvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khfeebb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gel skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lis6\lenamd83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lis6\lenamd83122.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx18\nGpxx182328.exe.vir Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\QooBox\Quarantine\catchme2008-02-09_ 91735.18.zip/Css-Dvpp.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-09_ 91735.18.zip/awtsr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-09_ 91735.18.zip/WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\QooBox\Quarantine\catchme2008-02-09_ 91735.18.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111516.exe Infected: Trojan-Downloader.Win32.VB.bru skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111554.exe Infected: Trojan-Downloader.Win32.VB.bru skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111556.exe Infected: not-a-virus:PSWTool.Win32.ProtectStorage.b skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111577.exe Infected: Trojan-Downloader.Win32.VB.bru skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0111591.exe Infected: Trojan-Downloader.Win32.VB.bru skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP320\A0112634.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112853.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112855.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112856.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112857.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112858.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP321\A0112859.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP357\A0133848.exe Infected: not-a-virus:PSWTool.Win32.ProtectStorage.b skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP382\A0152906.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP382\A0152910.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP385\A0153664.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP385\A0153682.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP385\A0153682.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP385\A0153682.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP406\A0160230.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP407\A0160500.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP407\A0162503.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP407\A0162503.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP407\A0162505.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0162687.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163699.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163703.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163703.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163704.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163706.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163707.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163709.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163710.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP408\A0163711.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gel skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP420\A0164365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP420\A0164376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP420\A0164386.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP420\A0164410.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP420\A0165437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167065.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167066.exe Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167068.exe Infected: Trojan-Downloader.Win32.Agent.ipm skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167069.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167070.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167071.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167072.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167073.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167074.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167075.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167077.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167078.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167079.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167080.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gel skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP423\A0167097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP431\A0171065.exe Infected: Trojan-Downloader.Win32.Adload.qy skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP431\A0171068.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP431\A0171068.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP431\A0171069.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP431\A0171071.exe Infected: Trojan-Downloader.Win32.VB.chy skipped
C:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP432\change.log Object is locked skipped
C:\VundoFix Backups\cwigjjyx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ewkotvew.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\gebcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\khfeebb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gel skipped
C:\VundoFix Backups\lcxgjxvh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\oisuankm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\pccrktxk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\tuvwxuv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gel skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{AAE2AB3E-D15E-4A13-A264-1185A0DC0C48}\RP432\change.log Object is locked skipped

Scan process completed.

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:12:24 PM

Posted 16 February 2008 - 04:00 AM

Hi,

Looks like we got most of it.
Most is in the tool's quarantine and system restore.
We'll get system restore last.

Open Spybot Search & Destroy and empty out the "recovery".

Open Outlook express and empty out the "sent items" folder.

Copy the following text to a new notepad file.

del "C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe"
del "C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4253870d-60c917b5.class"
del "C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-2e9ce3cf.class"
del "C:\WINDOWS\Downloaded Program Files\gsda.dll"

Save file as clean.bat as file types: All files and save it to the desktop.

Once saved, close any open browser windows then double click "clean.bat"
A "dos" window will flash up and be gone. This is normal.
That deleted the files Kaspersky flagged.

Delete SmitFraudFix.exe and its folder off the desktop.

Click Start> run> type combofix /u and hit enter.
This uninstalls combofix and removes the files/folders it dropped along with a few other tools we used.
It resets system restore and creates a fresh restore point.

Reboot when done with this and post a fresh HijackThis log please.

Let me know how the system is behaving.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#9 ecamar

ecamar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 16 February 2008 - 02:31 PM

It is running much better. The popups are gone. Here is the latest HJT log. Thank you so much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:15 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\devldr32.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/cci/home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Osru] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" -vt yazb
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154921219328
O16 - DPF: {6E48946B-934D-47F5-865E-546711F2D423} (Citrix AGE LiveEdit Transport) - https://remote.sdcda.org/CitrixFEI/Cabs/ERALiveEdit.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

--
End of file - 9122 bytes

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:12:24 PM

Posted 16 February 2008 - 03:15 PM

Hi,

I think TeaTimer put some bad registry entries back --
I don't see the baddies running though -- so just a few registry entries to re-fix.

Uninstall Spybot S & D and reboot. (if it asks about removing settings say OK)
You can re-install it when clean.

Open Hijackthis
Run system scan and check:

O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Osru] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" -vt yazb
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close all open windows and hit "fix checked"

Post one more Hijackthis please.
Wait for the "all clear" before installing Spybot again please.

Thanks :thumbsup:
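A small triage script for the kind of O4/O6 lines Blender singled out in the post above. This is an added example, not code from the thread or from HijackThis; the heuristics it applies (auto-starts launched from user-profile directories, 8.3 short-name paths inside the profile, system-binary names outside the Windows directory, IE policy restrictions) are the example's own assumptions, and the sample lines are copied from the HJT logs posted in this thread.

```python
"""Triage HijackThis O4 (Run) and O6 (IE policy) lines for leftovers.

Added example, not part of the forum thread. The heuristics are assumptions of
this example; the sample lines below are copied from the HJT logs in the thread.
"""
import re

# HJT O4 Run-entry format: "O4 - HKCU\..\Run: [Name] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# HJT O6 format: "O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\<policy> present"
O6_RE = re.compile(
    r"^O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\(?P<policy>.+?) present$"
)

# User-writable profile locations; a legitimate auto-start rarely lives there.
PROFILE_DIRS = ("documents and settings", "docume~1")
PROFILE_SUBDIRS = ("application data", "my documents", "mydocu~1", "local settings", "temp")
# Names of Windows system binaries that malware likes to borrow (assumed list).
SYSTEM_NAMES = {"logonui.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

# Constructed sample: lines taken from the HJT logs posted in this thread.
SAMPLE = r"""O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Osru] "C:\DOCUME~1\Owner\MYDOCU~1\ICROSO~1\logonui.exe" -vt yazb
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def _executable(cmd):
    """Return the executable path from an O4 command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_line(line):
    """Return the reasons a single HJT line looks suspect (empty list = nothing noted)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        low = _executable(m.group("cmd")).lower()
        in_profile = any(d in low for d in PROFILE_DIRS)
        if in_profile and any(s in low for s in PROFILE_SUBDIRS):
            reasons.append("auto-start launched from a user-profile directory")
        if in_profile and "~" in low:
            reasons.append("8.3 short-name path inside the profile hides the real folder name")
        base = low.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append(f"system binary name {base} outside the Windows directory")
        return reasons
    m = O6_RE.match(line)
    if m:
        reasons.append(f"IE policy restriction '{m.group('policy')}' set for the current user")
    return reasons


def triage(log_text):
    """Map each flagged HJT line to its list of reasons; unflagged lines are omitted."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = assess_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

Note that the [Drmupgds] entry is not flagged: a plainly named program under Program Files carries no path-based signal, which is why the helpers in this thread still look entries up by hand.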

#11 ecamar

ecamar
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:24 AM

Posted 16 February 2008 - 05:49 PM

Here we go. Spybot uninstalled. Looks like they're gone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:14 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Cox\Applications\app\Console.exe
c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/cci/home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154921219328
O16 - DPF: {6E48946B-934D-47F5-865E-546711F2D423} (Citrix AGE LiveEdit Transport) - https://remote.sdcda.org/CitrixFEI/Cabs/ERALiveEdit.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

--
End of file - 8481 bytes

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:12:24 PM

Posted 17 February 2008 - 04:35 AM

Hi,

Looks good.

Your Acrobat Reader needs updating though, and you should check QuickTime as well.
Both have security issues with old versions.

Best to uninstall old versions then reboot and install the new.

Read the installer pages and uncheck any unwanted offers before accepting the EULAs.

Reader:
http://www.adobe.com/products/acrobat/readstep2.html
QuickTime:
http://www.apple.com/quicktime/download/

Since you are using the COX popup blocker -- may want to disable the one included with IE itself to prevent conflicts.
Tools> popup blocker> turn off popup blocker.

Click start> run> type combofix /u then hit enter.
This will delete combofix along with its files/folders it created and resets your system restore.

Delete "clean.bat" I had you create earlier.

Once done above -- you can re-install Spybot & activate TeaTimer if desired.
You will have to OK a bunch of stuff just like when you first installed it.

Since the HJT log is clean, here is some great information to help you stay clean and safe online:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://www.bleepingcomputer.com/forums/topict2520.html

If you want to help speed up your system Miekiemoes has some great information here:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Take care & surf safe!

Blender
