Infected With Virtumonde And Win32.agent.qt

9 replies to this topic

#1 mthigpen_02

mthigpen_02

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 AM

Posted 27 March 2008 - 02:52 PM

I have run AVG 7.5, Spybot Search & Destroy, and Ad-Aware 2007 in normal and safe mode many times. I tried Housecall Anti-Virus, Panda Anti-Virus and BitDefender like your how-to said. This is a family member's computer, and when I first started to fix it there were almost 1,000 viruses, trojans or worms on the computer. I have it down to a couple left, but I can't seem to get rid of them. The last time I ran Spybot it found Fraud Protection Bar, IS Search Tech.Side Find, Nous Tech.Ultimate Fake Security Center, Virtumonde, Virtumonde.generic, and Win32.Agent.qt. These are the ones that come up every time now when I run Spybot. It deletes them, but they come right back as soon as you exit Spybot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:15 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E60F75D-D0B3-4BB4-B2B6-EDABCC134693} - (no file)
O2 - BHO: (no name) - {4F749A49-7C0F-453F-85F2-7D46D4B0ACBB} - \
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C80ED8-3BB4-408C-A528-EC6861AD2036} - (no file)
O2 - BHO: (no name) - {EAAD6846-57A6-42E1-A248-CC9B48A0CBAD} - (no file)
O2 - BHO: (no name) - {FA958288-9D77-46A4-BA6C-BBEDC9F3A427} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [KB926239] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137947557371
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 6571 bytes
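The HijackThis log above is what the responders triage by hand: O2 BHO entries with "(no name)" and "(no file)", an O20 Winlogon Notify package whose DLL is missing, and an O23 service with an unknown owner and a missing binary are the lines that stand out. The following script is an added example, not code from the original post, from HijackThis, or from BleepingComputer; it parses lines in the HijackThis v2 layout and applies those same checks. The sample entries are copied from the log above (a constructed subset, not the whole log), and the `triage_line` / `triage` names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of entries in the layout of the HijackThis
# v2.0.2 log posted above (not the complete log).
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {1E60F75D-D0B3-4BB4-B2B6-EDABCC134693} - (no file)",
    # A raw string cannot end in a backslash, so this entry uses an escaped one.
    "O2 - BHO: (no name) - {4F749A49-7C0F-453F-85F2-7D46D4B0ACBB} - \\",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll (file missing)",
    r"O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def triage_line(line: str) -> Optional[str]:
    """Return a short reason if the entry warrants a second look, else None.

    The checks mirror what a malware-removal helper reads off the log:
    unnamed BHOs with no file on disk, Winlogon Notify packages whose DLL
    is gone, and services with no vendor or no binary.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O2" and body.startswith("BHO: "):
        # Body layout: "<name> - {CLSID} - <path>"; the path may itself contain " - ".
        parts = [p.strip() for p in body[len("BHO: "):].split(" - ")]
        if len(parts) < 3:
            return "O2 BHO entry is malformed"
        name, clsid, path = parts[0], parts[1], " - ".join(parts[2:])
        if name == "(no name)" and path in ("(no file)", "\\", ""):
            return f"unnamed BHO {clsid} with no backing file"
        if name == "(no name)":
            return f"unnamed BHO {clsid} -> {path}"
    elif code == "O20" and "(file missing)" in body:
        return "Winlogon Notify package points at a missing DLL"
    elif code == "O23" and body.startswith("Service: "):
        if "Unknown owner" in body or "(file missing)" in body:
            return "service with unknown owner or missing binary"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (section code, reason) pairs."""
    findings = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

Run against the sample, the four flagged entries are the two orphaned BHOs, the `pmkjj` Winlogon Notify entry and the "Net Agent" service; the Adobe BHO, the AVG Run entry and the NVIDIA service pass. A flag from this script is a reason to look closer, not a verdict: a missing file can also be the leftover of an uninstall.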


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:22 AM

Posted 27 March 2008 - 09:25 PM

Please disable the Spybot Search and Destroy TeaTimer, as it may interfere with the removal of malware.
  • Open Spybot Search & Destroy
  • In the Mode menu click Advanced Mode, if not already selected.
  • Select: Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click: Resident
  • Uncheck the Resident TeaTimer (Protection of overall system settings) active.
  • In the File menu click Exit
Restart the computer!!

~~~~
Next, download ComboFix
Save to the Desktop <<< Important!!

Information on the program A Guide on using ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
It includes the opportunity to install the Windows Recovery Console.

Before running ComboFix, close or disable AntiVirus and AntiMalware programs so that they do not interfere with the running of ComboFix. In your case this includes:
Grisoft\AVG7
AdAware


Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, as it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.

Old duck...


#3 mthigpen_02

mthigpen_02
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 AM

Posted 28 March 2008 - 11:18 AM

ComboFix 08-03-26.3 - Robert Thigpen 2008-03-28 9:58:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -5:00]
Running from: C:\Documents and Settings\Robert Thigpen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\F1
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\F4
C:\WINDOWS\system32\F5
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\win

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NET_AGENT
-------\Service_Net Agent


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 15:18 . 2008-03-27 15:18 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-03-27 15:08 . 2008-03-27 15:08 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-03-26 16:02 . 2008-03-26 16:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-26 15:58 . 2008-03-26 15:58 <DIR> d-------- C:\Program Files\MSBuild
2008-03-26 15:52 . 2008-03-26 15:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-26 15:49 . 2008-03-26 15:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-26 15:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-26 15:46 . 2008-03-26 15:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-26 15:46 . 2008-03-26 15:46 <DIR> d-------- C:\c2393731a94e762a1bdf3e
2008-03-26 15:43 . 2008-03-26 15:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-26 15:43 . 2008-03-26 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 15:38 . 2008-03-26 15:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-03-26 15:38 . 2008-03-26 15:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-03-26 15:31 . 2008-03-26 20:08 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-26 15:21 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-03-26 15:21 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-03-26 15:21 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-03-26 14:34 . 2008-03-26 18:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-26 14:34 . 2008-03-26 16:28 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-26 14:34 . 2008-03-26 16:28 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-26 14:34 . 2008-03-26 16:28 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-26 13:25 . 2008-03-27 11:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-26 12:37 . 2008-03-26 12:44 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-26 12:37 . 2008-03-26 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-26 12:19 . 2008-03-26 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-26 12:17 . 2008-03-26 12:17 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-26 12:17 . 2008-03-26 12:18 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 14:33 --------- d-----w C:\Documents and Settings\Robert Thigpen\Application Data\AVG7
2008-03-26 23:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-26 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 17:20 --------- d-----w C:\Program Files\RogueRemover FREE
2008-02-22 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-22 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 16:25 --------- d-----w C:\Program Files\Lavasoft
2008-02-22 16:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 16:04 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\AVG7
2008-02-22 16:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-21 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 17:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-21 17:19 --------- d-----w C:\Documents and Settings\Robert Thigpen\Application Data\SUPERAntiSpyware.com
2008-02-21 17:15 --------- d-----w C:\Program Files\Friendly Software
2008-02-20 16:39 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\U3
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-19 19:35 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-02-18 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 18:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-02-13 19:54 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-13 19:46 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-13 19:37 --------- d-----w C:\Program Files\Common Files\aol
2008-02-13 19:34 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\Lavasoft
2008-02-13 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2006-08-20 15:19 50,784 -c--a-w C:\Documents and Settings\Sherri Thigpen\Application Data\GDIPFONTCACHEV1.DAT
2003-04-29 06:32 207,758 -c--a-w C:\Program Files\INSTALL.LOG
2007-09-30 12:15 2,112,789 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.bak2
2007-10-05 17:00 2,106,102 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.ini2
2007-08-18 13:08 1,601,840 --sha-w C:\WINDOWS\SYSTEM32\jjkmp.bak2
2007-08-18 17:03 1,592,878 --sha-w C:\WINDOWS\SYSTEM32\jjkmp.ini2
2007-09-20 13:22 1,979,329 --sha-w C:\WINDOWS\SYSTEM32\qstwa.bak1
2007-10-05 18:03 1,487,058 --sh--w C:\WINDOWS\SYSTEM32\qstwa.bak2
2007-10-06 12:23 1,487,677 --sh--w C:\WINDOWS\SYSTEM32\qstwa.ini2
2007-09-15 14:11 2,006,030 --sha-w C:\WINDOWS\SYSTEM32\vybeg.bak2
2007-09-15 14:36 2,006,692 --sha-w C:\WINDOWS\SYSTEM32\vybeg.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E60F75D-D0B3-4BB4-B2B6-EDABCC134693}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F749A49-7C0F-453F-85F2-7D46D4B0ACBB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C80ED8-3BB4-408C-A528-EC6861AD2036}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAAD6846-57A6-42E1-A248-CC9B48A0CBAD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA958288-9D77-46A4-BA6C-BBEDC9F3A427}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 16:05 579072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 16:05 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjj]
C:\WINDOWS\system32\pmkjj.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 04:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 04:18]

.
Contents of the 'Scheduled Tasks' folder
"2003-11-27 01:14:10 C:\WINDOWS\Tasks\WebReg 20031126191410.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe'/TaskName 20031126191410 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 10:04:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-28 10:08:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 15:07:59
Pre-Run: 50,841,014,272 bytes free
Post-Run: 50,733,039,616 bytes free
.
2008-03-28 01:02:37 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:28 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E60F75D-D0B3-4BB4-B2B6-EDABCC134693} - (no file)
O2 - BHO: (no name) - {4F749A49-7C0F-453F-85F2-7D46D4B0ACBB} - \
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C80ED8-3BB4-408C-A528-EC6861AD2036} - (no file)
O2 - BHO: (no name) - {EAAD6846-57A6-42E1-A248-CC9B48A0CBAD} - (no file)
O2 - BHO: (no name) - {FA958288-9D77-46A4-BA6C-BBEDC9F3A427} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137947557371
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: pmkjj - C:\WINDOWS\system32\pmkjj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 6459 bytes

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:22 AM

Posted 28 March 2008 - 09:23 PM

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the text inside the code box below to Notepad:

File:: 
C:\WINDOWS\imsins.BAK
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.ini2
C:\WINDOWS\SYSTEM32\jjkmp.bak2
C:\WINDOWS\SYSTEM32\jjkmp.ini2
C:\WINDOWS\SYSTEM32\qstwa.bak1
C:\WINDOWS\SYSTEM32\qstwa.bak2
C:\WINDOWS\SYSTEM32\qstwa.ini2
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\vybeg.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E60F75D-D0B3-4BB4-B2B6-EDABCC134693}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F749A49-7C0F-453F-85F2-7D46D4B0ACBB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C80ED8-3BB4-408C-A528-EC6861AD2036}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAAD6846-57A6-42E1-A248-CC9B48A0CBAD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA958288-9D77-46A4-BA6C-BBEDC9F3A427}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjj]


Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop

Posted Image


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log, in your reply.

Old duck...
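The CFScript above was written by reading the ComboFix log: the `File::` section lists the hidden, system-attributed `.bak2` / `.ini2` files that the Find3M report showed under SYSTEM32, and the `Registry::` section deletes the orphaned BHO keys and the `pmkjj` Winlogon Notify key with the `[-KEY]` syntax. The script below is an added example, not code from the responder, from ComboFix, or from BleepingComputer; it parses lines in the Find3M layout, picks out regular files under SYSTEM32 carrying both the system and hidden attributes, and assembles a CFScript in the two-section form shown above. The sample lines are a constructed subset copied from the log, and `parse_find3m`, `suspicious_hidden_files` and `build_cfscript` are this example's own names. The attribute-column interpretation (a leading `d` for directories, `s` and `h` for system and hidden) is an assumption drawn from the log entries themselves.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of ComboFix's "Find3M Report" section,
# mirroring lines from the log above: date, time, size (or dashes), attribute
# flags, path.
FIND3M_SAMPLE = [
    r"2008-03-26 23:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy",
    r"2008-02-19 19:35 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE",
    r"2007-09-30 12:15 2,112,789 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.bak2",
    r"2007-10-05 17:00 2,106,102 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.ini2",
    r"2007-08-18 13:08 1,601,840 --sha-w C:\WINDOWS\SYSTEM32\jjkmp.bak2",
    r"2007-09-15 14:36 2,006,692 --sha-w C:\WINDOWS\SYSTEM32\vybeg.ini2",
]

FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[\w-]{7}) (?P<path>.+)$"
)

SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def parse_find3m(lines: List[str]) -> List[Dict[str, str]]:
    """Split Find3M lines into their columns; lines that do not fit are skipped."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_hidden_files(lines: List[str]) -> List[str]:
    """Regular files under SYSTEM32 that are both system- and hidden-attributed.

    Assumption: in the attribute column a leading 'd' marks a directory and
    the letters 's' / 'h' mark the system and hidden attributes, as in the
    log entries above. Legitimate files rarely carry both in SYSTEM32, so
    the hit list is a review queue for the helper, not an automatic verdict.
    """
    hits = []
    for e in parse_find3m(lines):
        attrs, path = e["attrs"], e["path"]
        if attrs.startswith("d"):
            continue  # directories are out of scope here
        if "s" in attrs and "h" in attrs and path.lower().startswith(SYSTEM32_PREFIX):
            hits.append(path)
    return hits


def build_cfscript(files: List[str], registry_keys: List[str]) -> str:
    """Assemble a CFScript: a File:: block of paths, then a Registry:: block
    of [-KEY] deletions, in the form the responder posted above."""
    lines = ["File::"] + list(files) + [""]
    if registry_keys:
        lines += ["Registry::"] + [f"[-{key}]" for key in registry_keys] + [""]
    return "\n".join(lines)


if __name__ == "__main__":
    # The Winlogon Notify key comes from the log above; the path is the page's own.
    keys = [r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjj"]
    print(build_cfscript(suspicious_hidden_files(FIND3M_SAMPLE), keys))
```

The generated text is meant to be saved as `CFScript.txt` and reviewed line by line before it is dragged onto ComboFix, exactly as the responder asks the poster to do; the value of scripting the first pass is consistency across the two logs, not removing the human check.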


#5 mthigpen_02

mthigpen_02
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 AM

Posted 29 March 2008 - 08:59 AM

ComboFix 08-03-26.3 - Robert Thigpen 2008-03-29 7:29:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.92 [GMT -5:00]
Running from: C:\Documents and Settings\Robert Thigpen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Thigpen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.ini2
C:\WINDOWS\SYSTEM32\jjkmp.bak2
C:\WINDOWS\SYSTEM32\jjkmp.ini2
C:\WINDOWS\SYSTEM32\qstwa.bak1
C:\WINDOWS\SYSTEM32\qstwa.bak2
C:\WINDOWS\SYSTEM32\qstwa.ini2
C:\WINDOWS\SYSTEM32\vybeg.bak2
C:\WINDOWS\SYSTEM32\vybeg.ini2
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-29 07:08 . 2008-03-29 07:08 <DIR> d-------- C:\Documents and Settings\Robert Thigpen\Application Data\Yahoo!
2008-03-29 07:08 . 2008-03-29 07:08 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-27 15:18 . 2008-03-27 15:18 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-03-27 15:08 . 2008-03-27 15:08 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2008-03-26 16:02 . 2008-03-26 16:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-26 15:58 . 2008-03-26 15:58 <DIR> d-------- C:\Program Files\MSBuild
2008-03-26 15:52 . 2008-03-26 15:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-26 15:49 . 2008-03-26 15:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-26 15:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-26 15:46 . 2008-03-26 15:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-26 15:46 . 2008-03-26 15:46 <DIR> d-------- C:\c2393731a94e762a1bdf3e
2008-03-26 15:43 . 2008-03-26 15:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-26 15:43 . 2008-03-26 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 15:38 . 2008-03-26 15:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-03-26 15:38 . 2008-03-26 15:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-03-26 15:21 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-03-26 15:21 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2008-03-26 15:21 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-03-26 14:34 . 2008-03-26 18:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-26 14:34 . 2008-03-26 16:28 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-26 14:34 . 2008-03-26 16:28 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-26 14:34 . 2008-03-26 16:28 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-26 13:25 . 2008-03-27 11:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-26 12:37 . 2008-03-26 12:44 <DIR> d-------- C:\Program Files\Security Task Manager
2008-03-26 12:37 . 2008-03-26 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-26 12:19 . 2008-03-29 07:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-26 12:17 . 2008-03-29 07:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-26 12:17 . 2008-03-26 12:18 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:56 --------- d-----w C:\Documents and Settings\Robert Thigpen\Application Data\AVG7
2008-03-28 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 23:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-26 17:20 --------- d-----w C:\Program Files\RogueRemover FREE
2008-02-22 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-22 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 16:25 --------- d-----w C:\Program Files\Lavasoft
2008-02-22 16:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 16:04 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\AVG7
2008-02-22 16:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-21 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 17:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-21 17:19 --------- d-----w C:\Documents and Settings\Robert Thigpen\Application Data\SUPERAntiSpyware.com
2008-02-21 17:15 --------- d-----w C:\Program Files\Friendly Software
2008-02-20 16:39 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\U3
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-19 19:35 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-02-18 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 18:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-02-13 19:54 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-13 19:46 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-13 19:37 --------- d-----w C:\Program Files\Common Files\aol
2008-02-13 19:34 --------- d-----w C:\Documents and Settings\Sherri Thigpen\Application Data\Lavasoft
2008-02-13 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-11 05:53 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2006-08-20 15:19 50,784 -c--a-w C:\Documents and Settings\Sherri Thigpen\Application Data\GDIPFONTCACHEV1.DAT
2003-04-29 06:32 207,758 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 16:05 579072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 11:41 223984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 16:05 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 04:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 04:18]

.
Contents of the 'Scheduled Tasks' folder
"2003-11-27 01:14:10 C:\WINDOWS\Tasks\WebReg 20031126191410.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe'/TaskName 20031126191410 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 07:31:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-29 7:33:19
ComboFix-quarantined-files.txt 2008-03-29 12:33:04
ComboFix2.txt 2008-03-29 12:24:44
ComboFix3.txt 2008-03-28 15:08:04
Pre-Run: 51,040,395,264 bytes free
Post-Run: 51,027,058,688 bytes free
.
2008-03-28 01:02:37 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:21 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137947557371
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

--
End of file - 6389 bytes

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:22 AM

Posted 29 March 2008 - 04:55 PM

Please download Malwarebytes' Anti-Malware (MBAM)
Save the program to the Desktop
Close all windows, including this one. (Print the instructions first)

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts
  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears as shown in the image below:
    Posted Image
  • Click OK
At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows as seen in the image below. (Results may be different.)
    Posted Image
  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~
Please provide the MBAM report in your next reply.

Old duck...


#7 mthigpen_02

mthigpen_02
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 AM

Posted 31 March 2008 - 07:59 AM

Malwarebytes' Anti-Malware 1.09
Database version: 573

Scan type: Quick Scan
Objects scanned: 30892
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\tcb.pmw (Malware.Trace) -> Quarantined and deleted successfully.

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:22 AM

Posted 31 March 2008 - 05:58 PM

:thumbsup:

Are you still having malware problems?

Old duck...


#9 mthigpen_02

mthigpen_02
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:22 AM

Posted 01 April 2008 - 03:44 PM

I have run AVG, Spybot, Malwarebytes and Ad-Aware scans. Nothing was found, so maybe you have me all fixed. Thank you for your help; it is greatly appreciated.

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:22 AM

Posted 01 April 2008 - 09:10 PM

Posted Image

If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start then Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points to prevent re-infection from old Restore points.
Posted Image

And, re-enable TeaTimer and AVG AntiSpyware.


~~~~
Some of the best suggestions and programs to remain malware free are contained in Tony Klein's article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, safe journey through the Internet!!

Old duck...
