Help Please.. Combofix On Malware Attack


  • This topic is locked
13 replies to this topic

#1 The Lynx


  • Members
  • 35 posts

Posted 05 March 2008 - 01:45 PM

Hi, my system was hit with this 80avp08.com bug that keeps duplicating itself. I can't hide or unhide files, and my C:\Windows folder looks completely different. After several attempts with antivirus software, I finally used Combofix. This is the log from the scan. Help

ComboFix 08-03-01.3 - USER 2008-03-05 18:00:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.563 [GMT 1:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\80avp08.com
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
E:\80avp08.com
E:\autorun.inf
F:\80avp08.com
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 14:46 . 2008-03-05 17:25 <DIR> d-------- C:\Documents and Settings\USER\Application Data\AVG7
2008-03-05 14:46 . 2008-03-05 14:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 14:45 . 2008-03-05 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 14:45 . 2008-03-05 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-01 21:54 . 2008-03-01 21:54 <DIR> d-------- C:\Program Files\Abexo
2008-02-29 11:40 . 2008-02-29 11:40 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Nokia Multimedia Player
2008-02-29 11:20 . 2008-02-29 11:24 <DIR> d--hs---- C:\Documents and Settings\USER\Phone Browser
2008-02-25 23:05 . 2008-02-25 23:05 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:05 . 2008-02-25 23:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-25 23:05 . 2007-03-14 02:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 21:34 . 2008-02-25 21:34 17,408 --a------ C:\WINDOWS\system32\rpcnetp.dll
2008-02-25 21:33 . 2008-03-05 17:23 17,408 --a------ C:\WINDOWS\system32\rpcnetp.exe
2008-02-25 15:40 . 2008-02-26 01:25 <DIR> d-------- C:\Documents and Settings\USER\Application Data\BitTorrent
2008-02-24 13:30 . 2008-02-24 13:30 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
2008-02-24 12:42 . 2008-02-24 12:42 0 --a------ C:\WINDOWS\WB.ini
2008-02-24 12:14 . 2008-02-24 12:14 <DIR> d-------- C:\Program Files\Stardock
2008-02-24 12:14 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-02-24 11:40 . 2008-02-24 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-21 17:52 . 2008-02-25 10:51 <DIR> d-------- C:\Program Files\DAP
2008-02-21 17:52 . 2008-03-05 17:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 17:52 . 2008-02-21 17:52 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-02-21 17:52 . 2008-02-21 17:52 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-21 17:52 . 2008-02-21 17:52 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-02-20 16:28 . 2008-02-20 16:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-02-20 14:45 . 2008-02-20 14:45 <DIR> d-------- C:\Documents and Settings\USER\Application Data\ArcSoft
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\temp\ext45874
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\temp
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-19 18:55 . 2008-02-29 12:12 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Nokia
2008-02-19 18:55 . 2008-02-29 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Nokia
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\DIFX
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-02-19 18:54 . 2008-02-29 11:29 <DIR> d-------- C:\Documents and Settings\USER\Application Data\PC Suite
2008-02-19 18:54 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-02-19 18:54 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-19 18:54 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-02-19 18:54 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-02-19 18:54 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-02-19 18:54 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-02-19 18:53 . 2008-02-19 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-02-19 18:45 . 2008-02-19 18:45 <DIR> d-------- C:\Program Files\Opera
2008-02-19 18:35 . 2008-02-19 18:35 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-19 18:32 . 2008-02-19 18:32 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-19 18:32 . 2008-02-29 11:26 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-19 18:28 . 2008-02-19 18:28 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-19 18:02 . 2008-02-21 17:55 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-19 17:51 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-02-19 17:51 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-19 17:51 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-19 17:51 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-19 17:51 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-19 17:44 . 2008-02-19 17:44 <DIR> d--hs---- C:\Documents and Settings\USER\UserData
2008-02-17 12:43 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-02-17 12:41 . 2008-02-17 12:43 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-02-17 12:41 . 2008-02-17 12:41 <DIR> d-------- C:\Program Files\ArcSoft
2008-02-17 12:41 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-17 12:41 . 2005-06-21 10:29 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-17 12:41 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-17 12:33 . 2008-02-17 12:33 <DIR> d-------- C:\Documents and Settings\USER\Application Data\AdobeUM
2008-02-17 12:30 . 2008-02-17 12:39 304,160 --a------ C:\StiImg.dat
2008-02-17 12:28 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-02-17 12:28 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\ipsink.ax
2008-02-17 12:28 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2008-02-17 12:28 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-02-17 12:28 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-02-17 12:28 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-02-17 12:28 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-02-17 12:28 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\WINDOWS\PixArt
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\Program Files\PC Camera
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2008-02-17 12:24 . 2008-02-17 12:24 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-17 12:15 . 2008-02-17 12:15 <DIR> d-------- C:\Documents and Settings\USER\Bluetooth Software
2008-02-17 12:10 . 2008-02-17 12:10 <DIR> d-------- C:\Program Files\D-Link
2008-02-15 17:52 . 2008-02-15 17:52 <DIR> d-------- C:\Documents and Settings\USER\Application Data\CyberLink
2008-02-15 17:50 . 2008-03-02 15:15 116 --a------ C:\WINDOWS\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 16:23 47,104 ----a-w C:\WINDOWS\system32\rpcnet.dll
2008-02-25 15:50 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2008-02-24 10:38 --------- d-----w C:\Program Files\Symantec
2008-02-24 10:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-17 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 05:34 544768 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 13:42 1349120]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 04:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2008-02-21 17:52 3057152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-05 14:45 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 14:45 145920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-24 12:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-11-20 08:14]
S0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys []
S3 PAC207;D-Link DSB-C120 PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 14:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 16:26:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 18:01:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\System32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-03-05 18:02:15
ComboFix-quarantined-files.txt 2008-03-05 17:02:13
.
2008-02-25 14:11:18 --- E O F ---


#2 Grinler


    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2008 - 02:02 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

#3 The Lynx

  • Topic Starter

  • Members
  • 35 posts

Posted 28 March 2008 - 01:57 PM

Hi there,

Thanks for taking the time to FINALLY check out my post. I tried resolving the problem with a new antivirus for my system, used AVG Free, and it isolated the 80avp08.com thing. I don't have the hidden files problem anymore, but my Windows folder on the C: drive is still not in the normal view. I can't see the files there until I search, and also the blue background that tells you the files are currently hidden isn't like that anymore; it's just a clear background now, with the same message though.

Please, I'd appreciate it if you could advise me on getting the system back to normal.

Peace!! :thumbsup:

#4 Grinler


    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2008 - 02:47 PM

I am not 100% sure what you mean when you say it is not normal. Please provide more information or a screenshot of what you are seeing.

#5 The Lynx

  • Topic Starter

  • Members
  • 35 posts

Posted 31 March 2008 - 01:38 PM

hi,

I'm attaching the screenshots. Mine is pic1 (attached: Picture1.png), and what I consider as 'normal', which you said you didn't understand, is like the screen in pic1a (attached: Picture1a.png).

Also, the abnormal view of my C:\Windows folder is screenshot pic3 (attached: Picture3.png); I thought it should show all the folders and files in that root.
Thanks.

#6 Grinler


    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 31 March 2008 - 02:05 PM

Hmm.. if, when viewing the Windows folder, you right click on the empty portion and select Arrange Icons by and then Name, does it look better? Now I assume you want to make it so it shows the warning that you are about to view system files?

#7 The Lynx

  • Topic Starter

  • Members
  • 35 posts

Posted 01 April 2008 - 10:11 AM

Hi there,

Well yeah, I do want it to show the warning with the normal blue background, or is it still normal the way it looks?? I also want to ask, which of the security software (anti-virus/anti-spyware) programs from all out there do you recommend?

This is my latest ComboFix log; thanks a lot man!

ComboFix 08-03-30.3 - USER 2008-03-31 22:54:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT 1:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\autorun.inf
.
---- Previous Run -------
.
C:\80avp08.com
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
E:\80avp08.com
E:\autorun.inf
F:\80avp08.com
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-28 08:35 . 2008-03-28 08:35 <DIR> d-------- C:\Program Files\MSECache
2008-03-05 22:06 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 21:24 . 2008-03-31 22:36 <DIR> d-------- C:\Documents and Settings\USER\Application Data\AVG7
2008-03-05 21:24 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 21:24 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 21:15 . 2008-03-27 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-01 21:54 . 2008-03-01 21:54 <DIR> d-------- C:\Program Files\Abexo
2008-02-29 11:40 . 2008-03-22 22:30 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Nokia Multimedia Player
2008-02-29 11:20 . 2008-03-23 01:32 <DIR> d--hs---- C:\Documents and Settings\USER\Phone Browser
2008-02-25 23:05 . 2008-02-25 23:05 <DIR> d-------- C:\Program Files\Java
2008-02-25 23:05 . 2008-02-25 23:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-25 23:05 . 2007-03-14 02:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-25 21:34 . 2008-02-25 21:34 17,408 --a------ C:\WINDOWS\system32\rpcnetp.dll
2008-02-25 21:33 . 2008-03-31 22:21 17,408 --a------ C:\WINDOWS\system32\rpcnetp.exe
2008-02-24 13:30 . 2008-02-24 13:30 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
2008-02-24 12:42 . 2008-02-24 12:42 0 --a------ C:\WINDOWS\WB.ini
2008-02-24 12:14 . 2008-02-24 12:14 <DIR> d-------- C:\Program Files\Stardock
2008-02-24 12:14 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-02-21 17:52 . 2008-02-25 10:51 <DIR> d-------- C:\Program Files\DAP
2008-02-21 17:52 . 2008-03-23 11:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 17:52 . 2008-02-21 17:52 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-02-21 17:52 . 2008-02-21 17:52 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-21 17:52 . 2008-02-21 17:52 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-02-20 16:28 . 2008-02-20 16:28 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2008-02-20 14:45 . 2008-03-06 22:09 <DIR> d-------- C:\Documents and Settings\USER\Application Data\ArcSoft
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\temp\ext45874
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\temp
2008-02-19 19:33 . 2008-02-19 19:33 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-19 18:55 . 2008-02-29 12:12 <DIR> d-------- C:\Documents and Settings\USER\Application Data\Nokia
2008-02-19 18:55 . 2008-02-29 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Nokia
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\DIFX
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-19 18:54 . 2008-02-19 18:54 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-02-19 18:54 . 2008-03-23 01:14 <DIR> d-------- C:\Documents and Settings\USER\Application Data\PC Suite
2008-02-19 18:54 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-02-19 18:54 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-19 18:54 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-02-19 18:54 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-02-19 18:54 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-02-19 18:54 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-02-19 18:53 . 2008-02-19 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-02-19 18:45 . 2008-02-19 18:45 <DIR> d-------- C:\Program Files\Opera
2008-02-19 18:35 . 2008-02-19 18:35 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-19 18:32 . 2008-02-19 18:32 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-19 18:32 . 2008-03-23 01:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-19 18:28 . 2008-03-07 22:27 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-19 18:02 . 2008-02-21 17:55 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-19 17:51 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-02-19 17:51 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-19 17:51 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-19 17:51 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-19 17:51 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-19 17:44 . 2008-02-19 17:44 <DIR> d--hs---- C:\Documents and Settings\USER\UserData
2008-02-17 12:43 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-02-17 12:41 . 2008-02-17 12:43 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-02-17 12:41 . 2008-02-17 12:41 <DIR> d-------- C:\Program Files\ArcSoft
2008-02-17 12:41 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-17 12:41 . 2005-06-21 10:29 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2008-02-17 12:41 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-17 12:33 . 2008-02-17 12:33 <DIR> d-------- C:\Documents and Settings\USER\Application Data\AdobeUM
2008-02-17 12:30 . 2008-02-17 12:39 304,160 --a------ C:\StiImg.dat
2008-02-17 12:28 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-02-17 12:28 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\ipsink.ax
2008-02-17 12:28 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2008-02-17 12:28 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-02-17 12:28 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-02-17 12:28 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-02-17 12:28 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-02-17 12:28 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\WINDOWS\PixArt
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\Program Files\PC Camera
2008-02-17 12:25 . 2008-02-17 12:25 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2008-02-17 12:24 . 2008-02-17 12:24 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-17 12:15 . 2008-02-17 12:15 <DIR> d-------- C:\Documents and Settings\USER\Bluetooth Software
2008-02-17 12:10 . 2008-02-17 12:10 <DIR> d-------- C:\Program Files\D-Link
2008-02-15 17:52 . 2008-02-15 17:52 <DIR> d-------- C:\Documents and Settings\USER\Application Data\CyberLink
2008-02-15 17:50 . 2008-03-27 23:52 116 --a------ C:\WINDOWS\NeroDigital.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 10:38 --------- d-----w C:\Program Files\Symantec
2008-02-24 10:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-17 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 05:34 544768 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 13:42 1349120]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 04:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-05 21:24 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 21:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-24 12:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-11-20 08:14]
S0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys []
S3 PAC207;D-Link DSB-C120 PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 14:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b6a9d7-f42d-11dc-b11e-0019d283caf2}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 21:24:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 22:56:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
-> C:\Program Files\ArcSoft\WebCam Companion\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-03-31 22:57:05
ComboFix-quarantined-files.txt 2008-03-31 21:57:03
Pre-Run: 49,173,893,120 bytes free
Post-Run: 49,167,515,648 bytes free
.
2008-02-25 14:11:18 --- E O F ---
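
As an added example (not part of this thread and not ComboFix's own code), here is a small Python scanner that reads a ComboFix-style log and flags the indicators the log above shows: autorun.inf at drive roots, a .com dropper beside it, the MountPoints2 autorun command that outlives the deleted files, AntiVirusOverride set, the firewall disabled and ports opened globally. The excerpt it scans is constructed from the posted log, and the line-format regexes are my own assumptions about ComboFix output.

```python
"""Scan a ComboFix-style log for the indicators discussed in this thread.

Added example; this is not ComboFix code.  The indicator list and the line
formats are assumptions drawn from the logs posted above.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the thread's ComboFix output (abbreviated).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\80avp08.com
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
E:\autorun.inf
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b6a9d7-f42d-11dc-b11e-0019d283caf2}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
"""

Finding = Tuple[str, str]  # (category, detail)

KEY_RE = re.compile(r"^\[-?(.+)\]$")  # [HKEY...] section header
AUTORUN_INF_RE = re.compile(r"^([A-Za-z]):\\autorun\.inf$", re.IGNORECASE)
ROOT_COM_RE = re.compile(r"^([A-Za-z]):\\[^\\]+\.com$", re.IGNORECASE)
MP2_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.IGNORECASE)


def scan_combofix_log(text: str) -> List[Finding]:
    """Walk the log line by line, remembering which registry key is open,
    and report every line that matches one of the indicators."""
    findings: List[Finding] = []
    key = ""  # lower-cased registry key of the current section, "" outside one
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue

        # autorun.inf at a drive root: how this worm spreads between drives
        m = AUTORUN_INF_RE.match(line)
        if m:
            findings.append(("autorun.inf", f"drive {m.group(1).upper()}:"))
            continue
        # a .com dropper at a drive root, the file autorun.inf points to
        if ROOT_COM_RE.match(line):
            findings.append(("root .com file", line))
            continue
        # MountPoints2 caches the autorun command, so it survives file deletion
        if "mountpoints2" in key:
            m = MP2_CMD_RE.match(line)
            if m:
                findings.append(("mountpoints2 command", f"{m.group(1)} -> {m.group(2)}"))
            continue
        # Security Center told to stop warning that no antivirus is active
        if key.endswith("security center") and line.startswith('"AntiVirusOverride"=dword:00000001'):
            findings.append(("security center", "AntiVirusOverride=1"))
            continue
        # Windows Firewall switched off for the standard profile
        if key.endswith("firewallpolicy\\standardprofile") and FIREWALL_OFF_RE.match(line):
            findings.append(("firewall", "EnableFirewall=0"))
            continue
        # inbound ports opened for every remote host (3389 is Remote Desktop)
        if key.endswith("globallyopenports\\list"):
            m = OPEN_PORT_RE.match(line)
            if m:
                findings.append(("open port", f"{m.group(1)}/{m.group(2).upper()}"))
    return findings


def count_by_category(findings: List[Finding]) -> dict:
    """Tally findings per category for a one-line triage summary."""
    counts: dict = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in scan_combofix_log(SAMPLE_LOG):
        print(f"{category:22} {detail}")
    print(count_by_category(scan_combofix_log(SAMPLE_LOG)))
```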

#8 Grinler


    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 01 April 2008 - 10:32 AM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Folder::
C:\temp\

Suspect::[3]
C:\WINDOWS\system32\rpcnetp.dll
C:\WINDOWS\system32\rpcnetp.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77b6a9d7-f42d-11dc-b11e-0019d283caf2}]


Save this as the txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#9 The Lynx

  • Topic Starter

  • Members
  • 35 posts

Posted 07 April 2008 - 12:16 PM

Hey there,

Sorry, haven't heard from this end in a while, got sick and had to go off-net. Anyway, now back and kickin'.
This is the log you requested, thanks:

ComboFix 08-04-01.2 - USER 2008-04-03 1:16:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT 1:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\
C:\temp\\ext45874\install.exe
C:\temp\\ext45874\install.res.1033.dll
.
---- Previous Run -------
.
C:\80avp08.com
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
E:\80avp08.com
E:\autorun.inf
F:\80avp08.com
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-02 01:05 . 2008-04-02 01:06 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-04-01 03:31 . 2008-04-01 03:31 <DIR> d-------- C:\Program Files\MSECache
2008-03-05 22:06 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-05 21:24 . 2008-04-02 22:27 <DIR> d-------- C:\Documents and Settings\USER\Application Data\AVG7
2008-03-05 21:24 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 21:24 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 21:15 . 2008-04-01 03:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 21:01 47,104 ----a-w C:\WINDOWS\system32\rpcnet.dll
2008-04-02 21:01 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
2008-04-01 03:58 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2008-04-01 02:31 --------- d-----w C:\Program Files\Windows Defender
2008-04-01 02:31 --------- d-----w C:\Documents and Settings\USER\Application Data\ArcSoft
2008-03-23 10:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 00:14 --------- d-----w C:\Documents and Settings\USER\Application Data\PC Suite
2008-03-22 21:30 --------- d-----w C:\Documents and Settings\USER\Application Data\Nokia Multimedia Player
2008-03-01 20:54 --------- d-----w C:\Program Files\Abexo
2008-02-29 11:12 --------- d-----w C:\Documents and Settings\USER\Application Data\Nokia
2008-02-29 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-25 22:05 --------- d-----w C:\Program Files\Java
2008-02-25 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-02-25 15:50 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2008-02-25 09:51 --------- d-----w C:\Program Files\DAP
2008-02-24 12:30 --------- d-----w C:\Documents and Settings\Guest\Application Data\CyberLink
2008-02-24 11:14 --------- d-----w C:\Program Files\Stardock
2008-02-24 10:38 --------- d-----w C:\Program Files\Symantec
2008-02-24 10:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-21 16:52 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-02-20 15:28 --------- d-----w C:\Documents and Settings\Guest\Application Data\PC Suite
2008-02-19 18:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-19 17:54 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-19 17:54 --------- d-----w C:\Program Files\Nokia
2008-02-19 17:54 --------- d-----w C:\Program Files\DIFX
2008-02-19 17:54 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-19 17:54 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-19 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-19 17:45 --------- d-----w C:\Program Files\Opera
2008-02-19 17:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-17 11:43 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-02-17 11:41 --------- d-----w C:\Program Files\ArcSoft
2008-02-17 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 11:39 304,160 ----a-w C:\StiImg.dat
2008-02-17 11:33 --------- d-----w C:\Documents and Settings\USER\Application Data\AdobeUM
2008-02-17 11:25 --------- d-----w C:\Program Files\PC Camera
2008-02-17 11:25 --------- d-----w C:\Program Files\Common Files\PCCamera
2008-02-17 11:10 --------- d-----w C:\Program Files\D-Link
2008-02-15 16:52 --------- d-----w C:\Documents and Settings\USER\Application Data\CyberLink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 05:34 544768 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 13:42 1349120]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 04:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-05 21:24 579072]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 21:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-24 12:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-11-20 08:14]
S0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys []
S3 PAC207;D-Link DSB-C120 PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 14:57]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 21:04:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 01:18:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-03 1:18:35
ComboFix-quarantined-files.txt 2008-04-03 00:18:32
Pre-Run: 47,674,875,904 bytes free
Post-Run: 47,663,296,512 bytes free
.
2008-02-25 14:11:18 --- E O F ---

#10 Grinler (Lawrence Abrams), Admin

Posted 07 April 2008 - 03:37 PM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
C:\WINDOWS\system32\rpcnet.dll
C:\WINDOWS\system32\rpcnetp.exe
C:\WINDOWS\system32\rpcnetp.dll
C:\WINDOWS\system32\rpcnet.exe


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#11 The Lynx, Topic Starter

Posted 10 April 2008 - 06:24 AM

Hey there!

The log you requested, thanks.



ComboFix 08-04-07.5 - USER 2008-04-09 9:30:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.521 [GMT 1:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\rpcnet.dll
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\rpcnetp.dll
C:\WINDOWS\system32\rpcnetp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rpcnet.dll
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\rpcnetp.dll
C:\WINDOWS\system32\rpcnetp.exe
.
---- Previous Run -------
.
C:\80avp08.com
C:\Autorun.inf
C:\temp\
C:\temp\\ext45874\install.exe
C:\temp\\ext45874\install.res.1033.dll
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
E:\80avp08.com
E:\autorun.inf
F:\80avp08.com
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Rpcnet
-------\Rpcnet


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-05 15:27 . 2008-04-05 15:27 <DIR> d-------- C:\Program Files\FLV Player
2008-04-02 01:05 . 2008-04-02 01:06 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-04-01 03:31 . 2008-04-01 03:31 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 07:53 --------- d-----w C:\Documents and Settings\USER\Application Data\AVG7
2008-04-07 14:57 304,160 ----a-w C:\StiImg.dat
2008-04-01 02:31 --------- d-----w C:\Program Files\Windows Defender
2008-04-01 02:31 --------- d-----w C:\Documents and Settings\USER\Application Data\ArcSoft
2008-04-01 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-23 10:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 00:14 --------- d-----w C:\Documents and Settings\USER\Application Data\PC Suite
2008-03-22 21:30 --------- d-----w C:\Documents and Settings\USER\Application Data\Nokia Multimedia Player
2008-03-05 20:24 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-05 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-01 20:54 --------- d-----w C:\Program Files\Abexo
2008-02-29 11:12 --------- d-----w C:\Documents and Settings\USER\Application Data\Nokia
2008-02-29 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-25 22:05 --------- d-----w C:\Program Files\Java
2008-02-25 22:05 --------- d-----w C:\Program Files\Common Files\Java
2008-02-25 09:51 --------- d-----w C:\Program Files\DAP
2008-02-24 12:30 --------- d-----w C:\Documents and Settings\Guest\Application Data\CyberLink
2008-02-24 11:14 --------- d-----w C:\Program Files\Stardock
2008-02-24 10:38 --------- d-----w C:\Program Files\Symantec
2008-02-24 10:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-21 16:52 50,688 ----a-w C:\WINDOWS\system32\wbhelp2.dll
2008-02-20 15:28 --------- d-----w C:\Documents and Settings\Guest\Application Data\PC Suite
2008-02-19 18:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-19 17:54 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-19 17:54 --------- d-----w C:\Program Files\Nokia
2008-02-19 17:54 --------- d-----w C:\Program Files\DIFX
2008-02-19 17:54 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-19 17:54 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-19 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-19 17:45 --------- d-----w C:\Program Files\Opera
2008-02-19 17:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-17 11:43 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-02-17 11:41 --------- d-----w C:\Program Files\ArcSoft
2008-02-17 11:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 11:33 --------- d-----w C:\Documents and Settings\USER\Application Data\AdobeUM
2008-02-17 11:25 --------- d-----w C:\Program Files\PC Camera
2008-02-17 11:25 --------- d-----w C:\Program Files\Common Files\PCCamera
2008-02-17 11:10 --------- d-----w C:\Program Files\D-Link
2008-02-15 16:52 --------- d-----w C:\Documents and Settings\USER\Application Data\CyberLink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 05:34 544768 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 13:42 1349120]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 04:44 16262656 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-05 21:24 579072]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 21:24 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-24 12:20 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-11-20 08:14]
S0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys []
S3 PAC207;D-Link DSB-C120 PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 14:57]

*Newly Created Service* - RPCNETP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 07:55:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 09:35:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\D-Link\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\rpcnetp.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-09 9:37:24 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2008-04-09 08:37:21
Pre-Run: 43,982,823,424 bytes free
Post-Run: 43,919,933,440 bytes free
.
2008-02-25 14:11:18 --- E O F ---
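The "Looks good" verdict in the next reply comes from reading sections like the ones above by hand: whether anything on the FILE:: list still shows up under "Other Running Processes", whether a service was newly created, and whether Security Center or the firewall has been switched off. As an added example (not code from this thread or from ComboFix), the Python script below runs those checks over a constructed excerpt in the same log format; the section titles and value patterns it matches are assumptions taken from the logs posted above.

```python
import re

# Constructed excerpt in the format of the second ComboFix log above (not the full
# log): only the section headers and lines that the checks below look at.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
C:\WINDOWS\system32\rpcnet.dll
C:\WINDOWS\system32\rpcnetp.exe
---- Previous Run -------
C:\80avp08.com
C:\Autorun.inf
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
*Newly Created Service* - RPCNETP
------------ Other Running Processes ------------
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\rpcnetp.exe
"""

# ComboFix marks a section with a title wrapped in runs of '(' ')' or '-' (assumed).
HEADER = re.compile(r"^\s*[()\-]{4,}\s*(.+?)\s*[()\-]{4,}\s*$")


def split_sections(log):
    """Map each section title to the non-empty, non-'.' lines beneath it."""
    sections, current = {}, None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line.strip() not in ("", "."):
            sections[current].append(line.strip())
    return sections


def triage(log):
    """Return the findings a helper wants to see before saying 'looks good'."""
    s = split_sections(log)
    deleted = {p.lower() for p in s.get("Other Deletions", [])}
    running = {p.lower() for p in s.get("Other Running Processes", [])}
    reg = "\n".join(s.get("Reg Loading Points", []))
    av = re.search(r'"AntiVirusOverride"=dword:([0-9a-fA-F]+)', reg)
    fw = re.search(r'"EnableFirewall"=\s*(\d+)', reg)
    return {
        # a path ComboFix deleted that is still listed as a running process
        "deleted_but_running": sorted(deleted & running),
        "new_services": re.findall(r"\*Newly Created Service\* - (\S+)", log),
        # Security Center told not to warn about antivirus state
        "av_override": bool(av and int(av.group(1), 16) != 0),
        "firewall_disabled": bool(fw and fw.group(1) == "0"),
        "open_ports": re.findall(r'"(\d+:(?:TCP|UDP))"=', reg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```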

#12 Grinler (Lawrence Abrams), Admin

Posted 11 April 2008 - 03:11 PM

Looks good...how does the computer feel to you now?

#13 The Lynx, Topic Starter

Posted 14 April 2008 - 10:52 AM

Well, it seems to be working fine. But how do I remove ComboFix and its components? Or do I still need them on the system?

#14 Grinler (Lawrence Abrams), Admin

Posted 14 April 2008 - 12:17 PM

Let's uninstall ComboFix

Please navigate to, and delete the following:
  • Click on : Start >> Run...
  • Type: Combofix /u and hit Enter
Then,

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here for your particular Windows version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with instructions from the tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



