
Infected By Virtmonde And Smitfraud-c, I Think!


36 replies to this topic

#1 Christina8801

Posted 28 February 2008 - 03:47 PM

I got this PC back from one of our remote-site employees and it had NO anti-virus/spyware software, no firewall, etc. on it, and it was SUPER sluggish and opened numerous popups when IE was opened. I've installed McAfee VirusScan and scanned the PC, installed Ad-Aware and Spybot and run numerous scans with each (Spybot would discover Virtumonde and Smitfraud-C, I'd click to "fix" the problems, they'd appear to be fixed, but would just reappear on the next scan). I've also run the McAfee Stinger, installed ZoneAlarm, and gotten all available Windows Updates.

Now I just need someone to review my HJT log please so I can be done with this thing!! Thanks, in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:23 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6D474D42-9A89-44C5-97D7-D90E80B22196} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {AA4FD76C-94A1-471F-9496-BC2D709F3679} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {B1F51B1D-2EF3-4405-99B7-C154AE23AE29} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: {77d6795e-0fb2-c8b8-b4d4-4a2079585c7f} - {f7c58597-02a4-4d4b-8b8c-2bf0e5976d77} - C:\WINDOWS\system32\dinvamha.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Rik\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byxwvst - byxwvst.dll (file missing)
O20 - Winlogon Notify: tuvustq - tuvustq.dll (file missing)
O20 - Winlogon Notify: viwyntds - viwyntds.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prokykojyhd.html

--
End of file - 8414 bytes

#2 Blender (Malware Response Team)

Posted 06 March 2008 - 12:54 AM

Hi and welcome,

Sorry for the delay.
If you still need help and are not getting help elsewhere, please post a fresh HijackThis log here.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#3 Christina8801 (Topic Starter)

Posted 06 March 2008 - 10:47 AM

Please...I DEFINITELY still need help! Here's a current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:48 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\UltraVNC\WinVNC(2).exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6D474D42-9A89-44C5-97D7-D90E80B22196} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {AA4FD76C-94A1-471F-9496-BC2D709F3679} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {B1F51B1D-2EF3-4405-99B7-C154AE23AE29} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: {77d6795e-0fb2-c8b8-b4d4-4a2079585c7f} - {f7c58597-02a4-4d4b-8b8c-2bf0e5976d77} - C:\WINDOWS\system32\dinvamha.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Rik\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byxwvst - byxwvst.dll (file missing)
O20 - Winlogon Notify: tuvustq - tuvustq.dll (file missing)
O20 - Winlogon Notify: viwyntds - viwyntds.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0282931204613592) (0282931204613592mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\028293~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prokykojyhd.html

--
End of file - 8555 bytes
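The checks a malware-response helper applies by eye to the two HijackThis logs above (and to the file paths in the ComboFix listing further down the thread), written out as a small triage script. This is an added example by the editor, not code from the post, from HijackThis or from ComboFix. The sample lines are copied from this thread; the Cyrillic letter in the second sample path stands in for the "?" the ComboFix log prints in "S?mantec" and "j?vaw.exe", and the regular expressions, the "random-looking name" rule and the reason strings are the editor's own assumptions rather than anything either tool documents.

```python
"""Heuristic triage of HijackThis lines and of file paths from a ComboFix listing.

Added example by the editor, not code from the forum post or from either tool.
It codifies checks a malware-response volunteer makes by eye: registered hooks
whose DLL is gone, BHOs named by a GUID, autoruns launched from a user profile,
service binaries in TEMP, Active Desktop components, random-looking eight-letter
DLL names in system32, executables padded with whitespace before ".exe", and
path components containing non-ASCII look-alike characters. Thresholds and
regexes are assumptions, not documented behaviour of HijackThis or ComboFix.
"""
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
HJT_SAMPLE = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O2 - BHO: (no name) - {B1F51B1D-2EF3-4405-99B7-C154AE23AE29} - C:\\WINDOWS\\system32\\mllmm.dll (file missing)
O2 - BHO: {77d6795e-0fb2-c8b8-b4d4-4a2079585c7f} - {f7c58597-02a4-4d4b-8b8c-2bf0e5976d77} - C:\\WINDOWS\\system32\\dinvamha.dll
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKCU\\..\\Run: [Sen] "C:\\DOCUME~1\\Rik\\APPLIC~1\\SMANTE~1\\userinit.exe" -vt yazb
O20 - Winlogon Notify: byxwvst - byxwvst.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0282931204613592) (0282931204613592mcinstcleanup) - McAfee, Inc. - C:\\WINDOWS\\TEMP\\028293~1.EXE
O24 - Desktop Component 0: (no name) - C:\\Program Files\\Internet Explorer\\prokykojyhd.html
"""

# Constructed sample: paths in the shape ComboFix lists them. The second one uses
# a Cyrillic 'а' (U+0430) where the thread's log shows "j?vaw.exe" (assumption).
PATH_SAMPLE = [
    r"C:\WINDOWS\system32\igfxtray .exe",
    "C:\\WINDOWS\\wnsxs~1\\j\u0430vaw.exe",
    r"C:\WINDOWS\system32\ebxrkowu.dll",
    r"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
]

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
RANDOM_DLL_RE = re.compile(r"(?i)[\\/]([a-z]{7,9})\.dll\b")  # 7-9 lowercase letters, no digits
USER_APPDATA_RE = re.compile(r"(?i)\\(DOCUME~1|Documents and Settings)\\[^\\]+\\(APPLIC~1|Application Data)\\")
PADDED_EXT_RE = re.compile(r"\S[ \t]+\.(exe|dll|sys|com|scr)$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    text: str


def path_flags(path: str) -> list[str]:
    """Checks that apply to a bare path (an HJT target or a ComboFix entry)."""
    reasons = []
    if PADDED_EXT_RE.search(path.strip()):
        reasons.append("whitespace between file name and extension")
    if any(ord(c) > 127 for c in path):
        odd = {unicodedata.name(c, "?") for c in path if ord(c) > 127}
        reasons.append("non-ASCII character(s) in path: " + ", ".join(sorted(odd)))
    if RANDOM_DLL_RE.search(path) and "system32" in path.lower():
        reasons.append("random-looking DLL name in system32")
    return reasons


def triage_line(line: str) -> list[Finding]:
    """Return the reasons (possibly none) why one HijackThis line deserves a look."""
    line = line.strip()
    m = re.match(r"^(O\d+|R\d) - (.*)$", line)
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    reasons = path_flags(body)
    if section in ("O2", "O20") and "(file missing)" in body:
        reasons.append("registered hook whose DLL is missing")  # stale remnant or self-deleting loader
    if section == "O2" and GUID_RE.match(body.split(" - ")[0].removeprefix("BHO: ")):
        reasons.append("BHO whose display name is itself a GUID")
    if section == "O4" and USER_APPDATA_RE.search(body):
        reasons.append("autorun launched from a user profile Application Data folder")
    if section == "O4" and "userinit.exe" in body.lower() and "system32" not in body.lower():
        reasons.append("userinit.exe outside system32 (name borrowed from a Windows binary)")
    if section == "O23" and re.search(r"(?i)\\TEMP\\", body):
        reasons.append("service binary running from a TEMP directory")
    if section == "O24":
        reasons.append("Active Desktop component (the classic Smitfraud wallpaper hijack)")
    return [Finding(section, r, line) for r in reasons]


def triage(log: str) -> list[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for ln in log.splitlines() for f in triage_line(ln)]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"{f.section:<4} {f.reason}\n     {f.text}")
    for p in PATH_SAMPLE:
        print(p, "->", path_flags(p) or "ok")
```

Run against the sample it flags every line the helpers would ask about and nothing from Google, ZoneAlarm or McAfee; the "(file missing)" and GUID-named BHO rules are what makes mllmm.dll and dinvamha.dll stand out even though Spybot keeps reporting the infection as fixed.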

#4 Blender (Malware Response Team)

Posted 07 March 2008 - 03:48 AM

Hi,

1. Download this file and save it to your desktop.

**Note: It is important that it is saved directly to, and run from your desktop**

In the event you already have Combofix, please delete it as this is a new version I need you to download.

Use one of these following links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Boot the system to Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Double click combofix.exe & follow the prompts.
You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
When finished, it shall produce a log for you. Post that log in your next reply.

Notes:

--Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.

In case you have to reboot to get the internet back, the log I will need you to post is located here:

C:\Combofix.txt

Let me know how system is running.

There will likely be more work to do.

Thanks :thumbsup:

#5 Christina8801 (Topic Starter)

Posted 10 March 2008 - 11:29 AM

Okay, here's the combofix log!

ComboFix 08-03-06.4 - Christina 2008-03-10 10:58:44.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -5:00]
Running from: C:\Documents and Settings\Christina\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rik\Application Data\SMANTE~1
C:\Documents and Settings\Rik\Application Data\SMANTE~1\S?mantec\
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aogsousv.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\buaxnuhl.ini
C:\WINDOWS\system32\dinvamha.dll
C:\WINDOWS\system32\drivers\e100b3255.sys
C:\WINDOWS\system32\dvlxkrvd.ini
C:\WINDOWS\system32\fhwsmrus.ini
C:\WINDOWS\system32\geogyjno.ini
C:\WINDOWS\system32\lbkfooyv.ini
C:\WINDOWS\system32\lhunxaub.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini2
C:\WINDOWS\system32\momgewtr.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\oyjhiddu.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rcjjrmmp.ini
C:\WINDOWS\system32\saptneal.dll
C:\WINDOWS\system32\stagmfhl.ini
C:\WINDOWS\system32\surmswhf.dll
C:\WINDOWS\system32\vyoofkbl.dll
C:\WINDOWS\system32\wvmynjdf.dll
C:\WINDOWS\system32\yflqthle.dll
C:\WINDOWS\system32\yrligntb.ini
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\j?vaw.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_E100B3255
-------\e100b3255


((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-07 09:40 . 2006-06-28 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-07 09:40 . 2006-06-28 12:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-28 15:43 . 2008-02-28 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 15:15 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-28 15:15 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-28 15:14 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-28 15:14 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-28 15:14 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-28 15:14 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-28 15:14 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-28 11:49 . 2008-02-28 11:49 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-27 09:07 . 2008-02-27 09:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-27 09:07 . 2008-02-27 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 16:07 . 2008-02-26 16:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-26 16:07 . 2008-02-26 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 16:04 . 2008-02-26 16:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-26 15:21 . 2008-03-07 01:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-26 14:51 . 2008-03-10 11:10 1,951,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-26 14:51 . 2008-03-07 09:38 24,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-26 14:48 . 2008-02-26 14:48 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-26 14:45 . 2008-02-26 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-26 14:45 . 2008-02-26 14:49 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-02-26 14:44 . 2007-11-14 17:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-26 14:44 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-26 14:43 . 2008-02-26 14:45 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-26 14:43 . 2008-02-26 14:43 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-26 14:43 . 2007-11-14 17:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-26 14:43 . 2008-03-10 11:05 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-26 13:25 . 2008-03-10 11:04 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-26 13:16 . 2008-02-28 14:45 <DIR> d-------- C:\downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 16:04 --------- d-----w C:\Program Files\McAfee
2008-02-26 22:23 --------- d-----w C:\Program Files\Google
2008-02-26 17:25 --------- d-----w C:\Program Files\Dell
2008-02-06 15:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-05 14:47 90,688 ----a-w C:\WINDOWS\system32\btngilry.dll
2008-02-04 04:04 96,832 ----a-w C:\WINDOWS\system32\aouneeew.dll
2008-02-03 03:52 96,832 ----a-w C:\WINDOWS\system32\ebxrkowu.dll
2008-02-02 03:54 92,224 ----a-w C:\WINDOWS\system32\rtwegmom.dll
2008-01-31 15:54 90,688 ----a-w C:\WINDOWS\system32\dvrkxlvd.dll
2008-01-31 15:51 95,296 ----a-w C:\WINDOWS\system32\vhqcbtgl.dll
2008-01-29 23:45 --------- d-----w C:\Program Files\Dot1XCfg
2008-01-29 15:49 69,696 ----a-w C:\WINDOWS\system32\pyedtwsf.dll
2008-01-29 13:49 --------- d-----w C:\Program Files\QuickTime
2008-01-28 20:44 --------- d-----w C:\Program Files\UltraVNC
2008-01-28 20:44 --------- d-----w C:\Program Files\DellSupport
2008-01-28 18:15 --------- d-----w C:\Program Files\McAfee.com
2008-01-28 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-28 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-28 18:05 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-28 13:40 94,208 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-28 13:40 77,824 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-01-28 13:40 114,688 ----a-w C:\WINDOWS\system32\igfxpers .exe
2008-01-26 00:54 0 --sha-w C:\Documents and Settings\Rik\Application Data\00479a7ac83ff91e1a7797347a6bf9059ce7c75dca.dat
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-07-04 12:16 88 -csh--r C:\WINDOWS\system32\2262FD3C68.sys
2007-07-04 12:16 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		 1,404,928 2008-01-28 13:40:51  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			81,920 2008-01-28 13:40:59  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   249,856 2008-01-29 23:43:32  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	  .exe
----a-w		   249,856 2008-01-29 23:43:33  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	 .exe
----a-w		   249,856 2008-01-29 23:43:33  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	.exe
----a-w		   249,856 2008-01-29 23:43:34  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm   .exe
----a-w		   249,856 2008-01-29 23:43:34  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
----a-w		   249,856 2008-01-27 15:47:20  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w		   106,496 2008-01-28 13:41:18  C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
----a-w			94,208 2008-01-28 13:40:48  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w		   460,784 2008-01-28 13:41:28  C:\Program Files\DellSupport\DSAgnt .exe
----a-w			68,856 2008-01-28 13:41:26  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			32,881 2008-01-28 13:40:46  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		   152,144 2008-02-03 16:59:58  C:\Program Files\McAfee\MSK\MskAgent .exe
----a-w		   479,744 2008-01-27 22:23:50  C:\Program Files\McAfee\SpamKiller\MS18BE~1 .EXE
----a-w		   479,744 2008-01-28 13:40:55  C:\Program Files\McAfee\SpamKiller\MS18BE~2 .EXE
----a-w		   479,744 2008-01-28 17:06:27  C:\Program Files\McAfee\SpamKiller\MS18BE~3 .EXE
----a-w		   110,592 2008-01-28 17:20:12  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w		   479,744 2008-01-26 20:07:02  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w		   479,744 2008-01-26 21:59:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w		   479,744 2008-01-27 04:11:44  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w		   479,744 2008-01-27 15:45:32  C:\Program Files\McAfee\SpamKiller\MSKAGE~4 .EXE
----a-w		 1,121,792 2008-01-28 17:20:32  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		   303,104 2008-01-28 13:41:03  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w		   212,992 2008-01-28 13:42:15  C:\Program Files\McAfee.com\Agent\mcupdate  .exe
----a-w		   212,992 2008-01-29 23:53:18  C:\Program Files\McAfee.com\Agent\McUpdate .exe
----a-w		   212,992 2008-01-28 13:41:02  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w		   212,992 2008-01-27 04:12:15  C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
----a-w		   110,592 2008-01-28 13:40:55  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
----a-w			98,304 2008-01-27 04:11:47  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-01-29 23:55:57  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-01-29 23:55:57  C:\Program Files\QuickTime\qttask  .exe
----a-w			98,304 2008-01-29 23:55:58  C:\Program Files\QuickTime\qttask .exe
----a-w			26,112 2008-01-28 13:41:04  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   712,704 2008-01-28 13:36:26  C:\Program Files\UltraVNC\WinVNC .exe
----a-w			77,824 2008-01-28 13:40:45  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-28 13:40:46  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-28 13:40:45  C:\WINDOWS\system32\igfxtray .exe
----a-w		   122,940 2008-01-28 13:41:08  C:\WINDOWS\system32\DLA\DLACTRLW .EXE
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F51B1D-2EF3-4405-99B7-C154AE23AE29}]
C:\WINDOWS\system32\mllmm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-26 14:48 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-26 14:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-26 14:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"Sen"="C:\DOCUME~1\Rik\APPLIC~1\SMANTE~1\userinit.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [ ]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"combofix"="C:\WINDOWS\system32\CF25628.exe" [2004-08-04 05:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-06-28 11:58:31 156784]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-26 15:21:39 125624]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 0 (0x0)
"ForceActiveDesktopOn"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\prokykojyhd.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvst]
byxwvst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvustq]
tuvustq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\viwyntds]
viwyntds.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc4d84bb]
C:\WINDOWS\system32\vyoofkbl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-06-28 12:14 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zygqjjwb]
C:\WINDOWS\W?nSxS\j?vaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 17:30:57 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 07:00:23 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 11:11:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-03-10 11:23:32 - machine was rebooted [Rik]
ComboFix-quarantined-files.txt 2008-03-10 16:23:18
.
2008-02-29 09:01:59 --- E O F ---

#6 Blender (Malware Response Team, Ontario, 2,363 posts)

Posted 10 March 2008 - 08:37 PM

Hi,

What version of McAfee do you have and how was it installed?
Meaning -- was it provided by your ISP or did you purchase it off the McAfee site?

I want to remove it because it seems quite messed up (no thanks to vundo) so we can get a fresh known good install right after we do the next fix.

I want to have another option besides its own uninstaller in case that doesn't work.

And -- I take it you no longer have Norton Ghost or any other Norton products installed?

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#7 Christina8801 (Topic Starter, Members, 51 posts)

Posted 11 March 2008 - 09:00 AM

Hi. The McAfee was purchased and installed from their website. When I got this machine back from my employee I found that it had NO anti-virus software installed at all. So I likely installed it after the virus was already on the machine. Shall I go ahead and try to uninstall it with their uninstaller? Yes, I can do a fresh install from the employee's McAfee account, so no problems there.

No Norton products installed to my knowledge.

Thanks!!

#8 Blender (Malware Response Team, Ontario, 2,363 posts)

Posted 11 March 2008 - 06:39 PM

Hi,

OK. sounds good.
I'll have you uninstall McAfee, then run ComboFix again with a script I will give you, then you can re-install McAfee so you have your protection back.
We'll take care of Norton leftovers in a bit.

1.) Open notepad and copy/paste the text in the code box below into it:

file::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\btngilry.dll
C:\WINDOWS\system32\aouneeew.dll
C:\WINDOWS\system32\ebxrkowu.dll
C:\WINDOWS\system32\rtwegmom.dll
C:\WINDOWS\system32\dvrkxlvd.dll
C:\WINDOWS\system32\vhqcbtgl.dll
C:\WINDOWS\system32\pyedtwsf.dll
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	  .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	 .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm   .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
folder::
C:\Program Files\Dot1XCfg
RenV::
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\Program Files\Dell\Media Experience\DMXLauncher .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\UltraVNC\WinVNC .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\DLA\DLACTRLW .EXE
registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F51B1D-2EF3-4405-99B7-C154AE23AE29}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvst]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvustq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\viwyntds]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc4d84bb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zygqjjwb]

Save this as CFScript.txt to your desktop. Do not run this yet.

Disconnect from internet.

Uninstall McAfee (there may be more than one McAfee item listed) and reboot when done.

While still disconnected...

Drag CFScript.txt on top of ComboFix.exe


Post the new C:\ComboFix.txt please.

Re-Install your McAfee and post a fresh hijackthis log.
Don't wait for long to get McAfee installed -- we don't want to leave you without protection.

Let me know how the system is running.

Thanks :thumbsup:

<<edited to correct script syntax>>

Edited by Blender, 12 March 2008 - 01:04 AM.

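The CFScript above targets a recognisable set of artefacts: executables that exist both as "name.exe" and as one or more "name .exe" copies padded with whitespace, Winlogon\Notify subkeys loading bare randomly named DLLs, a startup entry whose path contains characters ComboFix prints as "?", a Run value named "Sen" that launches a "userinit.exe" from the user's Application Data, and Security Center and Windows Firewall settings switched off. The following is an added example of how to pull those same items out of a ComboFix log automatically; it is not code from Blender's post or from ComboFix. SAMPLE_LOG is a constructed excerpt copied from the log lines posted earlier in this thread (with plain spaces in the padded names, where the forum shows tabs). The interpretations it relies on are assumptions, noted in the comments: that an empty "[ ]" after a Run value means ComboFix found no file at that path, that a "?" inside a logged path stands for a character the log could not render (since "?" is not legal in a Windows file name), and that a Windows system binary name outside C:\WINDOWS is suspect.

```python
"""
Triage of a ComboFix log excerpt for the patterns the CFScript in this thread removes.
Added example for this thread; not code from the original post or from ComboFix.
The heuristics are assumptions documented inline, tuned to the log format shown.
"""
import re
from collections import Counter

# Constructed excerpt: lines copied from the ComboFix log posted earlier in the
# thread, with the padded file names spelled with plain spaces (the forum shows tabs).
SAMPLE_LOG = r"""
----a-w   98,304 2008-01-27 04:11:47  C:\Program Files\QuickTime\qttask   .exe
----a-w   98,304 2008-01-29 23:55:57  C:\Program Files\QuickTime\qttask  .exe
----a-w   98,304 2008-01-29 23:55:58  C:\Program Files\QuickTime\qttask .exe
----a-w  712,704 2008-01-28 13:36:26  C:\Program Files\UltraVNC\WinVNC .exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"="C:\DOCUME~1\Rik\APPLIC~1\SMANTE~1\userinit.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvst]
byxwvst.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zygqjjwb]
C:\WINDOWS\W?nSxS\j?vaw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Binaries Windows ships under %SystemRoot%; a copy anywhere else is suspect.
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "services.exe", "smss.exe"}
WINDOWS_ROOT = "c:\\windows\\"   # assumption: single-volume XP install as in this thread

# "name   .exe": whitespace between the base name and the extension at end of line.
PADDED = re.compile(r"([a-z]:\\[^\r\n]*?\S)[ \t]+\.(exe|dll|sys|com|scr)\s*$", re.I)
REG_KEY = re.compile(r"^\[-?(.+)\]\s*$")
# "name"="target" [metadata]  as ComboFix prints Run values
RUN_VALUE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"]*?)"?\s*\[([^\]]*)\]\s*$')
# '?' cannot occur in a Windows file name, so a '?' inside a logged path is a
# character the log could not render (assumption: a lookalike non-ASCII letter).
LOOKALIKE = re.compile(r'[a-z]:\\[^\s"]*\?', re.I)
SECCENTER_OFF = re.compile(
    '^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|DisableMonitoring)"'
    r"\s*=\s*dword:0*1\s*$", re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I)


def triage(log_text):
    """Return the suspicious items found in a ComboFix log excerpt, by category."""
    out = {"padded_decoys": [], "winlogon_notify": [], "lookalike_path": [],
           "run_target_missing": [], "system_name_outside_windows": [],
           "security_center_disabled": [], "firewall_disabled": []}
    padded = Counter()
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PADDED.search(line)
        if m:                                   # count decoys per legitimate name
            padded[f"{m.group(1)}.{m.group(2).lower()}"] += 1
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        key_l = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if LOOKALIKE.search(line):
            out["lookalike_path"].append(line)
        if "\\winlogon\\notify\\" in key_l:
            # A bare DllName is resolved from the library search path (system32
            # first); ComboFix already hides the default Notify subkeys.
            out["winlogon_notify"].append((leaf, line))
        elif key_l.endswith("\\run"):
            m = RUN_VALUE.match(line)
            if m:
                name, target, meta = m.group(1), m.group(2), m.group(3).strip()
                if not meta:                    # "[ ]": assumed to mean no file found there
                    out["run_target_missing"].append((name, target))
                base = target.rsplit("\\", 1)[-1].lower()
                if base in SYSTEM_BINARIES and not target.lower().startswith(WINDOWS_ROOT):
                    out["system_name_outside_windows"].append((name, target))
        elif "security center" in key_l:
            m = SECCENTER_OFF.match(line)
            if m:
                out["security_center_disabled"].append(f"{leaf}:{m.group(1)}")
        elif "firewallpolicy" in key_l and FIREWALL_OFF.match(line):
            out["firewall_disabled"].append(key)
    out["padded_decoys"] = sorted(padded.items())
    return out


def report(log_text):
    """Human-readable summary, one line per finding."""
    return [f"{category}: {item}"
            for category, items in triage(log_text).items() for item in items]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run as-is it prints nine findings for the excerpt, one per item the CFScript deals with; `triage()` returns them by category so the same checks can be run over a full log or folded into a larger triage. The padded-name count is the useful number: three decoy copies of qttask.exe next to one WinVNC decoy says the infection was re-creating its decoys on each run, which is consistent with Spybot "fixing" Virtumonde only for it to reappear on the next scan.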

#9 Christina8801 (Topic Starter, Members, 51 posts)

Posted 11 March 2008 - 08:51 PM

Great. I have to wait until tomorrow to do this, though, and even then I'll be doing it remotely (I'm not in the office tomorrow). Will keep you posted!

Thanks so much!!

#10 Blender (Malware Response Team, Ontario, 2,363 posts)

Posted 12 March 2008 - 01:04 AM

Sounds good. :thumbsup:

If you copied the above CFScript already ---
Please delete it and create a new one.
I edited the above script.

If you didn't make it yet --- no worries. Carry on as instructed.

Blender

#11 Blender (Malware Response Team, Ontario, 2,363 posts)

Posted 12 March 2008 - 01:10 AM

You may wish to wait till you can get to the computer physically; this tool is not meant for remote use.

I cannot predict how this will work doing it remotely.
The reason is that ComboFix disables the internet on the machine during the fix, so you will not see what is happening.
If it gives errors, you won't see them and cannot react to them.

#12 Christina8801 (Topic Starter, Members, 51 posts)

Posted 13 March 2008 - 12:02 PM

Don't worry, I'm not doing any of this remotely! That's why I couldn't do anything more until today.

Okay, here's the new combofix log, then the new HJT log follows that. Oh, and by the way, when re-installing McAfee, it made me remove ZoneAlarm first (wouldn't continue the installation until ZoneAlarm was uninstalled), so I did uninstall it.

ComboFix 08-03-06.4 - Rik 2008-03-13 10:19:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -5:00]
Running from: C:\Documents and Settings\Rik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rik\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\WINDOWS\system32\aouneeew.dll
C:\WINDOWS\system32\btngilry.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\dvrkxlvd.dll
C:\WINDOWS\system32\ebxrkowu.dll
C:\WINDOWS\system32\pyedtwsf.dll
C:\WINDOWS\system32\rtwegmom.dll
C:\WINDOWS\system32\vhqcbtgl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Dot1XCfg
C:\Program Files\Internet Explorer\prokykojyhd.html
C:\WINDOWS\system32\aouneeew.dll
C:\WINDOWS\system32\btngilry.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\dvrkxlvd.dll
C:\WINDOWS\system32\ebxrkowu.dll
C:\WINDOWS\system32\pyedtwsf.dll
C:\WINDOWS\system32\rtwegmom.dll
C:\WINDOWS\system32\vhqcbtgl.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-07 09:40 . 2006-06-28 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-07 09:40 . 2006-06-28 12:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-28 15:43 . 2008-02-28 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 15:15 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-28 15:15 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-28 15:14 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-28 15:14 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-28 15:14 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-28 15:14 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-28 15:14 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-27 09:07 . 2008-02-27 09:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-27 09:07 . 2008-02-27 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 16:07 . 2008-02-26 16:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-26 16:07 . 2008-02-26 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 16:04 . 2008-02-26 16:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-26 15:21 . 2008-03-12 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-26 14:51 . 2008-03-13 10:23 2,170,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-26 14:51 . 2008-03-13 10:04 27,296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-26 14:48 . 2008-02-26 14:48 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-26 14:45 . 2008-02-26 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-26 14:45 . 2008-02-26 14:49 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-02-26 14:44 . 2007-11-14 17:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-26 14:44 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-02-26 14:43 . 2008-02-26 14:45 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-26 14:43 . 2008-02-26 14:43 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-26 14:43 . 2007-11-14 17:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-02-26 14:43 . 2008-03-13 10:05 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-02-26 13:25 . 2008-03-13 10:18 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-26 13:16 . 2008-02-28 14:45 <DIR> d-------- C:\downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 15:19 --------- d-----w C:\Program Files\UltraVNC
2008-03-13 15:19 --------- d-----w C:\Program Files\QuickTime
2008-03-13 15:19 --------- d-----w C:\Program Files\DellSupport
2008-03-13 15:05 --------- d-----w C:\Program Files\McAfee
2008-03-13 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-26 22:23 --------- d-----w C:\Program Files\Google
2008-02-26 17:25 --------- d-----w C:\Program Files\Dell
2008-01-28 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-28 13:40 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-28 13:40 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-28 13:40 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-01-26 00:54 0 --sha-w C:\Documents and Settings\Rik\Application Data\00479a7ac83ff91e1a7797347a6bf9059ce7c75dca.dat
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-07-04 12:16 88 -csh--r C:\WINDOWS\system32\2262FD3C68.sys
2007-07-04 12:16 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		   479,744 2008-01-27 22:23:50  C:\Program Files\McAfee\SpamKiller\MS18BE~1 .EXE
----a-w		   479,744 2008-01-28 13:40:55  C:\Program Files\McAfee\SpamKiller\MS18BE~2 .EXE
----a-w		   479,744 2008-01-28 17:06:27  C:\Program Files\McAfee\SpamKiller\MS18BE~3 .EXE
----a-w		   110,592 2008-01-28 17:20:12  C:\Program Files\McAfee\SpamKiller\MskAgent .exe
----a-w		   479,744 2008-01-26 20:07:02  C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
----a-w		   479,744 2008-01-26 21:59:52  C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
----a-w		   479,744 2008-01-27 04:11:44  C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
----a-w		   479,744 2008-01-27 15:45:32  C:\Program Files\McAfee\SpamKiller\MSKAGE~4 .EXE
----a-w		 1,121,792 2008-01-28 17:20:32  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w			98,304 2008-01-27 04:11:47  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-01-29 23:55:57  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-01-29 23:55:57  C:\Program Files\QuickTime\qttask  .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-26 14:48 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-26 14:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-26 14:48 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-28 08:41 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-28 08:41 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2008-01-28 08:36 712704]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-06-28 11:58:31 156784]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-26 15:21:39 125624]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2008-01-28 08:41 106496 C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2008-01-28 08:40 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-06-28 12:14 169472 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2008-01-28 08:40 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2008-01-28 08:40 110592 C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-29 18:55 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-28 08:41 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2008-01-28 08:40 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-28 08:40 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-28 08:41 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 10:23:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 10:24:22
ComboFix-quarantined-files.txt 2008-03-13 15:24:17
ComboFix2.txt 2008-03-10 16:23:34
.
2008-03-13 08:02:54 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05, on 2008-03-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0294841205426740) (0294841205426740mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Rik\LOCALS~1\Temp\029484~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 6426 bytes

#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:04:00 AM

Posted 14 March 2008 - 06:09 AM

Sweet!

Looking good.

Regarding McAfee asking to have Zone Alarm uninstalled ...
Yes it would have. You cannot run 2 firewalls or antivirus programs without serious conflicts.
Since McAfee has its own firewall -- no need for Zone Alarm.

One more short round to clean up the funky leftovers Vundo created, a couple of Norton leftovers, and I think we are near done.

The following script is for this machine only! Please do not use this on other machines or it may cause problems!

Open notepad and copy/paste the text in the code box below into it:

file::
C:\Program Files\McAfee\SpamKiller\MS18BE~1 .EXE
C:\Program Files\McAfee\SpamKiller\MS18BE~2 .EXE
C:\Program Files\McAfee\SpamKiller\MS18BE~3 .EXE
C:\Program Files\McAfee\SpamKiller\MskAgent .exe
C:\Program Files\McAfee\SpamKiller\MSKAGE~1 .EXE
C:\Program Files\McAfee\SpamKiller\MSKAGE~2 .EXE
C:\Program Files\McAfee\SpamKiller\MSKAGE~3 .EXE
C:\Program Files\McAfee\SpamKiller\MSKAGE~4 .EXE
C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
Folder::
C:\Documents and Settings\Administrator\Application Data\Symantec
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]

Save this as CFScript.txt to your desktop.

Disconnect from internet and disable McAfee so he doesn't interfere.
Drag CFScript.txt on top of ComboFix.exe

Post the new ComboFix.txt please.

Good idea to run a full system scan with McAfee as well and let him clean up anything it finds.
Don't be too concerned over stuff found in c:\qoobox\quarantine --- these are ComboFix backups.

Let me know how the system is running please.

Thanks :thumbsup:

I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
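
The two posts above give a reader two things to triage by hand: the HijackThis log in post #12 (autostart entries, AppInit_DLLs, services) and the file:: list in post #13, whose leftover files carry a space or tab wedged in front of ".exe". The following Python is an added example, not code from this thread, from HijackThis or from ComboFix; it parses log entries with a regular expression, pulls out the executable path, and applies a few review heuristics (AppInit_DLLs entries, services with no company name, binaries under a Temp directory, padded file names). The sample entries are copied from the log and the script above; the plain `qttask.exe` control name is constructed. The reasons it reports are prompts for a second look, not verdicts: the McAfee installer-cleanup service in Temp, for instance, was left alone by the helper in this thread.

```python
"""Added example: triage a HijackThis log and a ComboFix file:: list."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis entry: section tag ("R1", "O4", "O23", ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe/.dll inside a body; surrounding quotes
# and command-line switches are left out of the match.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
# Whitespace (space or tab) wedged between the base name and the extension,
# the pattern of the leftover files listed in the ComboFix script above.
PADDED_NAME_RE = re.compile(r"\s+\.(?:exe|dll)$", re.IGNORECASE)

REASON_APPINIT = "AppInit_DLLs entry: loaded into every process that links user32"
REASON_NO_OWNER = "service binary carries no company name"
REASON_TEMP = "runs from a Temp directory"
REASON_PADDED = "whitespace padded before the file extension"


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Pull the executable/DLL path out of an entry body, or None if absent."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def suspicious_name(path: str) -> bool:
    """True for names like 'qttask .exe' that sit beside a genuine file in Explorer."""
    name = path.rsplit("\\", 1)[-1]
    return PADDED_NAME_RE.search(name) is not None


def review_entry(section: str, body: str) -> Finding:
    """Apply a few review heuristics to one entry; reasons are hints, not verdicts."""
    path = extract_path(body)
    finding = Finding(section, path)
    if section == "O20" and "AppInit_DLLs" in body:
        finding.reasons.append(REASON_APPINIT)
    if section == "O23" and "Unknown owner" in body:
        finding.reasons.append(REASON_NO_OWNER)
    if path is not None:
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            finding.reasons.append(REASON_TEMP)
        if suspicious_name(path):
            finding.reasons.append(REASON_PADDED)
    return finding


def triage_hjt(log_text: str) -> List[Finding]:
    """Parse a whole log and keep only the entries that raised at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            finding = review_entry(m["section"], m["body"])
            if finding.reasons:
                findings.append(finding)
    return findings


def triage_file_list(paths: List[str]) -> List[str]:
    """Return the entries of a ComboFix file:: list whose names are padded."""
    return [p for p in paths if suspicious_name(p)]


# Sample entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0294841205426740) (0294841205426740mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Rik\LOCALS~1\Temp\029484~1.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Two paths copied from the file:: section of the script above (the second one
# has a tab and a space before ".exe"), plus a constructed genuine name as a control.
SAMPLE_FILE_LIST = [
    "C:\\Program Files\\McAfee\\SpamKiller\\MS18BE~1 .EXE",
    "C:\\Program Files\\QuickTime\\qttask\t .exe",
    "C:\\Program Files\\QuickTime\\qttask.exe",  # constructed control, not padded
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
    print("padded names:", triage_file_list(SAMPLE_FILE_LIST))
```

Run against the five sample entries it reports the AppInit_DLLs line, the service under Temp and the service with an unknown owner, and leaves the WinVNC and Google Updater entries alone; the padded-name check is the same one for both the log paths and the bare file:: paths, which is why the two posts share one example.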

#14 Christina8801

Christina8801
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:03:00 AM

Posted 14 March 2008 - 02:06 PM

Well I can already tell you it's running better...no more of those dang popups! =)

Okay, well I'm working remotely again today so I won't get to do this next step until Monday. Don't forget about me though! I'll do it first thing Monday and post right away.

Thanks so much for all your help!!

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:04:00 AM

Posted 14 March 2008 - 09:59 PM

Hey :blink:

Nope. I don't intend on forgetting about ya.
I *should* get email noti when you reply.
If I don't reply say within 24 hours --- shoot me a PM. (I get popup here on PM)
See ya Monday! :thumbsup:
