Trojan Dropper Odiaodi


  • This topic is locked
2 replies to this topic

#1 daddy46

daddy46

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:01 AM

Posted 22 February 2008 - 10:12 PM

I have a pc for the kids that they have messed up by going to some site somewhere.

I ran HijackThis and ComboFix.

Here are the logs, can you help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:54 PM, on 2/22/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31E05DD7-252A-4CB7-9BE0-317055EFA06C} - c:\windows\system32\odiaodi.dll
O2 - BHO: IE Helper - {356D724F-8731-C5C6-317D-2E6575639863} - C:\WINDOWS\system\rmzdlg32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bijdkfjy] C:\WINDOWS\System32\bak\bijdkfjy.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\System32\sysvx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [bijdkfjy] C:\WINDOWS\System32\bak\bijdkfjy.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 3039 bytes


Combofix:

ComboFix 08-02-20.2 - dad 2008-02-22 21:09:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.167 [GMT -5:00]
Running from: C:\Documents and Settings\dad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\dad\Application Data\Install.dat
C:\Documents and Settings\dad\My Documents\ICROSO~1.NET
C:\Documents and Settings\mom\Application Data\install.dat
C:\WINDOWS\system32\7_exception.nls
C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\crunner\cproc.exe.config
C:\WINDOWS\system32\crunner\cupdater.exe.config
C:\WINDOWS\system32\crunner\Version.txt
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\ipv6monp.dll
C:\WINDOWS\system32\ipv6monq.dll
C:\WINDOWS\system32\ipv6monr.dll
C:\WINDOWS\system32\odiaodi.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_YTVDQVQI
-------\ytvdqvqi


((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 21:19 . 2008-02-22 21:19 0 --a------ C:\WINDOWS\system32\2_exception.nls
2008-02-19 21:01 . 2008-02-19 21:01 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-17 22:05 . 2008-02-17 22:05 <DIR> d-------- C:\Documents and Settings\dad\Application Data\Leadertech
2008-02-17 18:43 . 2003-08-11 03:07 278,528 --a------ C:\WINDOWS\system32\hpdjaio
2008-02-17 18:42 . 2003-08-11 03:07 278,528 --a------ C:\WINDOWS\system32\hpdj

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 02:12 --------- d-----w C:\Program Files\Weight Commander
2008-02-20 01:07 --------- d-----w C:\Program Files\Google
2008-02-18 03:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-18 03:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-01-15 03:19 830,127 --sha-w C:\WINDOWS\system32\rtuvw.bak1
2007-01-18 01:53 832,543 --sha-w C:\WINDOWS\system32\rtuvw.bak2
2007-01-18 02:08 832,459 --sha-w C:\WINDOWS\system32\rtuvw.ini2
.

------- Sigcheck -------

"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2004-08-04 07:56:57 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
----a-w 430,080 2007-05-08 22:35:56 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31E05DD7-252A-4CB7-9BE0-317055EFA06C}]
2008-02-22 21:13 83456 --a------ c:\windows\system32\odiaodi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{356D724F-8731-C5C6-317D-2E6575639863}]
C:\WINDOWS\system\rmzdlg32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bijdkfjy"="C:\WINDOWS\System32\bak\bijdkfjy.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bijdkfjy"="C:\WINDOWS\System32\bak\bijdkfjy.exe" [ ]
"sysvx.exe"="C:\WINDOWS\System32\sysvx.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2001-08-23 07:00 375808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

R0 jfvfplgh;Microsoft RPC API Helper;C:\WINDOWS\System32\drivers\qryqdgbj.dat []
S2 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" []

*Newly Created Service* - RUNTIME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 02:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-06 16:20:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1154881039.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe6/#Hewlett-Packard#hp officejet 5500 series#1154881039
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 21:19:48
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ws2_32.dll:fork2 30720 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-22 21:22:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 02:22:19
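The following is an added triage helper, written for this page and not part of daddy46's post or of the HijackThis tool itself. It parses entries in the HijackThis log format shown above and flags the conditions a forum helper checks first by eye: references to files that are no longer on disk, components with no display name or publisher, autorun entries launched from a subfolder of System32, and a Winlogon Notify entry that points at a directory rather than a DLL. The sample lines are copied from the log above; the heuristics, the `Finding` structure and the function names are this example's own assumptions, not rules taken from HijackThis.

```python
import re
from dataclasses import dataclass

# Constructed sample: nine entries copied from the HijackThis log posted above,
# mixing clearly legitimate lines with the ones a helper would want flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31E05DD7-252A-4CB7-9BE0-317055EFA06C} - c:\windows\system32\odiaodi.dll
O2 - BHO: IE Helper - {356D724F-8731-C5C6-317D-2E6575639863} - C:\WINDOWS\system\rmzdlg32.dll (file missing)
O4 - HKLM\..\Run: [bijdkfjy] C:\WINDOWS\System32\bak\bijdkfjy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Every HijackThis entry line starts with a section code (R0..R3, O1..O24), a dash, then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# CLSIDs are 32 hex digits plus four hyphens inside braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2" (BHO) or "O4" (autorun)
    reason: str    # why a reviewer would look at this entry
    line: str      # the original log line, kept verbatim for the reply


def parse_entries(text):
    """Yield (section, body, line) for each entry line; headers and the process list are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(text):
    """Apply hypothetical first-pass heuristics and return the entries worth researching."""
    findings = []
    for section, body, line in parse_entries(text):
        lower = body.lower()
        reasons = []
        if "(no file)" in lower or "(file missing)" in lower:
            reasons.append("references a file that is not on disk (orphaned or self-deleting component)")
        if "(no name)" in lower:
            reasons.append("component registered without a display name")
        if "unknown owner" in lower:
            reasons.append("service has no publisher information")
        # Heuristic: legitimate Run entries rarely launch from a subfolder of System32 such as \bak\.
        if section == "O4" and re.search(r'\\system32\\[^\\"]+\\', lower):
            reasons.append("autorun executable lives in a subfolder of System32")
        # A Winlogon Notify package must be a DLL; a bare directory is malformed or hiding the name.
        if section == "O20" and body.rstrip().endswith("\\"):
            reasons.append("Winlogon Notify entry points at a directory, not a DLL")
        for reason in reasons:
            findings.append(Finding(section, reason, line))
    return findings


def bho_guids(text):
    """Collect the CLSID of every O2 (Browser Helper Object) entry for lookup before deciding."""
    return [GUID_RE.search(body).group(0)
            for section, body, _ in parse_entries(text) if section == "O2"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("BHO CLSIDs:", ", ".join(bho_guids(SAMPLE_LOG)))
```

A flag from `triage` is a reason to look an entry up, not a verdict: the orphaned Yahoo! Toolbar hook is harmless leftover, while the unnamed BHO and the service with no owner are the ones that warrant the helper's attention. On the sample above it reports seven findings across the R3, O2, O4, O20 and O23 lines and leaves the Adobe and HP entries alone.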



#2 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:12:01 AM

Posted 09 March 2008 - 04:10 AM

Hello daddy46,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Please note: Do NOT upgrade to Windows XP SP2, just download and install SP1 for now.
Click here
Apply the update, reboot, and post a fresh Hijack This log.

#3 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:12:01 AM

Posted 27 March 2008 - 01:36 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.