
Symantec Popup Proxy Emails + Rootkit Component Dread


69 replies to this topic

#1 winomore


  • Members
  • 48 posts

Posted 02 April 2008 - 12:58 PM

Hi...have XP Home Edition running on PC.

Hi...I'm not a "tech" guy but my system (Windows XP Home Edition) started running super slow the other day. First it started with loads of popups from Outerinfo (and others)...then I accidentally downloaded and installed PC Doctor until I found out it is a spyware program...so I then went through the removal process. Now I have Windows security popups in the taskbar and when I reboot it pops up on the screen as well (plus the blue background saying I need to install spyware!)...I also have (when I'm connected to the internet) Symantec email proxy popup warnings that cover my screen...and then the system turns off and tries to reboot itself. Total mess.

To date I have run (all in safe mode) SmitfraudFix, smitRem, CCleaner, RogueRemover, AVG Anti-Spyware and SUPERAntiSpyware. All have found issues and then supposedly cleaned them up, but every time I reboot in "normal" mode the problems are still there. Please help with suggestions...I'm willing to try almost anything without having to do a full new install...files upon files on this PC.

Have now run (with help from Q7) Malware and SDFix...still getting Symantec popups randomly...
The background screen is gone + the Windows security popups...but the Symantec proxy email popups occur randomly, some 100 at a time.

Thanks.


Moderator edit: Member has sent me a PM with additional details which I add immediately below:
"....wanted to know if I could either update that post or add another comment to my Hijack this log post stating that my computer seems to be doing much better UNTIL I actually open IE when I know something is going on...computer runs SUPER slow and windows take forever to open...plus hard drive/fan are spinning like crazy! Will any of this new info actually help to fix/expedite the problem? Seems like some tricky spyware behind the scenes of IE."
jgweed

Here is the Hijack file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:04 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\mcntqkdn.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {643ccc96-5327-0ea3-0a1b-5c00cab58a91} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\mcntqkdn.exe DWram
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cmtfa] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\jnjdr.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [lwxhrbvt] C:\WINDOWS\system32\erwfsvgz.exe
O4 - HKCU\..\Run: [fhovgvoz] C:\WINDOWS\system32\mlutqfgf.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [dbjrdhol] rundll32.exe "C:\WINDOWS\system32\crrid.drv" WLEntryPoint
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntqkdn.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{50390D33-E4C2-482E-9057-F0F8BDDE7119}: NameServer = 85.255.115.157,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF305E91-D85B-41BB-B97C-8E94A36A084D}: NameServer = 85.255.115.157,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{F898BEB4-7074-46A6-A110-BAED7FE61CF1}: NameServer = 85.255.115.157,85.255.112.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cnqdgfitgr - C:\WINDOWS\SYSTEM32\cnqdgfitgr.dll
O21 - SSODL: lGWNgqHsv - {54174881-FEBD-E22B-6E40-7BD273A1A712} - (no file)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8037 bytes

Edited by jgweed, 03 April 2008 - 11:04 AM.



#2 bamajim


  • Members
  • 894 posts

Posted 08 April 2008 - 08:39 AM

winomore

Sorry for the delay

Please download ComboFix and save it to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt into your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 winomore

  • Topic Starter

  • Members
  • 48 posts

Posted 08 April 2008 - 08:48 PM

Hi bamajim! Thanks so much for taking the time to help!

Following is my Combofix log...but before that...few things.

IE is still VERY VERY slow...just like before running Combofix. And I got this popup on reboot:

RUNDLL
Error loading: C:\DOCUME~1\Owner\LOCALS~1\Temp\fnoknmjeh.nls
The specified module could not be found


Here is the log:

ComboFix 08-04-08.7 - Owner 2008-04-08 16:59:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Application Data\n.ini
C:\Documents and Settings\Owner\My Documents\CURITY~1
C:\Documents and Settings\Owner\My Documents\SMANTE~1
C:\Documents and Settings\Owner\My Documents\SMANTE~1\S?mantec\
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk
C:\Program Files\Common Files\smante~1
C:\Program Files\icroso~1
C:\Program Files\sembly~1
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cnqdgfitgr.dll
C:\WINDOWS\system32\drivers\fixbcnrx.dat
C:\WINDOWS\system32\drivers\FSKP70.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FSKP70
-------\Legacy_icf
-------\Legacy_TNIDRIVER
-------\Service_FSKP70
-------\Service_Fskp70
-------\Service_gccurcne
-------\Service_TnIDriver
-------\Legacy_gccurcne
-------\gccurcne


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 17:04 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\adrsi.drv
2008-04-02 10:07 . 2008-04-02 10:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 10:05 . 2008-04-02 10:15 <DIR> d-------- C:\SDFix
2008-04-02 09:35 . 2008-04-02 09:35 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 08:10 . 2008-04-02 08:10 <DIR> d-------- C:\VundoFix Backups
2008-04-01 14:01 . 2008-04-01 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-01 13:11 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 08:22 . 2008-04-01 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 05:49 . 2008-04-01 05:49 4,286 --a------ C:\WINDOWS\system32\march_madness.ico
2008-04-01 04:21 . 2008-04-01 14:09 1,597,498 ---hs---- C:\WINDOWS\system32\vkdipmcu.ini
2008-03-31 21:11 . 2008-04-02 09:32 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-31 20:53 . 2004-08-19 18:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-31 20:53 . 2004-08-19 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-31 20:53 . 2007-08-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-31 20:53 . 2004-08-19 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-03-31 20:53 . 2008-04-02 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-31 20:53 . 2008-03-31 20:53 1,174 --a------ C:\Pass2.reg
2008-03-31 20:48 . 2008-03-31 20:49 279,969 --a------ C:\Pass2.cmd
2008-03-31 18:23 . 2008-03-31 18:23 1 --a------ C:\Documents and Settings\Owner\tmp.dat
2008-03-31 17:27 . 2008-03-31 19:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 17:13 . 2008-03-31 17:13 44 --a------ C:\p2hhr.bat
2008-03-31 17:11 . 2008-04-02 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wtgbipih
2008-03-31 17:10 . 2008-03-31 17:10 29 --a------ C:\WINDOWS\system32\qrsgapwt.tmp
2008-03-31 15:17 . 2008-04-01 15:37 5,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-31 15:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-31 15:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-31 15:11 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-31 15:11 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-31 15:11 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-31 15:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-31 15:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-31 11:52 . 2008-03-31 11:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-31 11:05 . 2008-04-01 13:52 1,264 --a------ C:\WINDOWS\wininit.ini
2008-03-31 11:00 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-31 10:55 . 2008-03-31 10:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 10:55 . 2008-03-31 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-31 08:27 . 2008-03-31 14:37 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-31 08:27 . 2008-03-31 14:37 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-31 08:27 . 2008-03-31 08:27 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-31 08:27 . 2008-04-02 10:13 <DIR> d-------- C:\Temp
2008-03-31 08:27 . 2008-03-31 08:27 196,671 --a------ C:\WINDOWS\system32\mcntqkdn.exe
2008-03-31 08:27 . 2008-03-31 08:27 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-31 08:27 . 2008-04-03 10:17 936 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-30 06:02 . 2008-03-30 06:02 190,464 --ah----- C:\WINDOWS\system32\BIT15.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 16:42 --------- d-----w C:\Program Files\Pure Networks
2008-04-02 16:35 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-07-11 14:52 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2004-12-30 03:17 452 ----a-w C:\Program Files\Shortcut to Xnews.lnk
2004-12-30 00:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2000-11-15 17:29 774 ----a-w C:\Program Files\readme.txt
2000-11-15 17:21 178,688 ----a-w C:\Program Files\hjsplit.exe
.

------- Sigcheck -------

2004-08-04 05:00 506368 7f710f77cdc92e5d455bf91a33337c6c C:\WINDOWS\system32\winlogon.exe

2007-06-13 03:23 1035776 01401699e77987b2efb211317dc37b83 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01 392832]
"lwxhrbvt"="C:\WINDOWS\system32\erwfsvgz.exe" [ ]
"fhovgvoz"="C:\WINDOWS\system32\mlutqfgf.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-14 18:59 70816]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 12:24 124096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-05 17:23 218240]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 10:46 53248]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 15:18 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 19:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 03:32 50688]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\mcntqkdn.exe" [2008-03-31 08:27 196671]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"tehdishh"="C:\DOCUME~1\Owner\LOCALS~1\Temp\kfobfgaggpl.nls WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-08-19 18:49:46 1742384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 03:43:22 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"rhlmnlge"= rundll32.exe "C:\WINDOWS\system32\oiknoikhccq.dll" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\etn70.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gat50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gjd70.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jfv27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jjj04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jmx52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jud65.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kfn43.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nug24.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pww26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qgo74.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sft00.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ssm54.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tli10.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgj87.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7950:TCP"= 7950:TCP:@xpsp2res.dll,-22005
"56197:TCP"= 56197:TCP:@xpsp2res.dll,-22005
"57808:TCP"= 57808:TCP:@xpsp2res.dll,-22005
"53639:TCP"= 53639:TCP:@xpsp2res.dll,-22005

S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 etn70;etn70;C:\WINDOWS\System32\drivers\Etn70.sys []
S3 gjd70;gjd70;C:\WINDOWS\System32\drivers\Gjd70.sys []
S3 Jfv27;Jfv27;C:\WINDOWS\System32\drivers\Jfv27.sys []
S3 jmx52;jmx52;C:\WINDOWS\System32\drivers\Jmx52.sys []
S3 Jud65;Jud65;C:\WINDOWS\System32\drivers\Jud65.sys []
S3 Qgo74;Qgo74;C:\WINDOWS\System32\drivers\Qgo74.sys []
S3 Sft00;Sft00;C:\WINDOWS\System32\drivers\Sft00.sys []
S3 Ssm54;Ssm54;C:\WINDOWS\System32\drivers\Ssm54.sys []
S3 tli10;tli10;C:\WINDOWS\System32\drivers\Tli10.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 04:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-09 01:15:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-08-20 01:43:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 18:13:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\mcntqkdn.exe DWram "
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-04-08 18:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 01:27:56
Pre-Run: 26,845,478,912 bytes free
Post-Run: 26,821,464,064 bytes free
.
2008-03-17 14:43:13 --- E O F ---
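One thing worth pulling out of the "Files Created" section of a ComboFix log like the one above is payload that comes back under a new random name after each cleanup pass: the bytes are the same, so the size and the stamped modification time repeat while only the filename changes (the adrsi.drv entry here, and the raspmpkpqff.drv entry in the follow-up log further down this thread, are the same 113,664-byte file with the same 2007-06-13 03:23 stamp). The script below is an added example for this thread, not ComboFix's or BleepingComputer's own tooling; the sample lines are copied from the ComboFix logs posted here, and the column layout it parses is the one those logs show.

```python
"""Group ComboFix 'Files Created' entries to spot re-dropped payload clones.

Added example for this thread, not ComboFix's own or BleepingComputer's code.
A dropper that re-creates itself under a fresh random name usually keeps the
same bytes, so size plus the stamped modification time repeat across names.
The sample lines below are copied from the ComboFix logs posted in this thread.
"""
import re
from collections import defaultdict

# Column layout of a ComboFix "Files Created" line:
#   created . modified size-or-<DIR> attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]+) "
    r"(?P<path>\S.*?)\s*$"
)

SAMPLE_LOG = r"""
2008-04-09 16:18 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\raspmpkpqff.drv
2008-04-08 17:04 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\adrsi.drv
2008-04-02 10:07 . 2008-04-02 10:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-01 04:21 . 2008-04-01 14:09 1,597,498 ---hs---- C:\WINDOWS\system32\vkdipmcu.ini
2008-03-31 08:27 . 2008-03-31 08:27 196,671 --a------ C:\WINDOWS\system32\mcntqkdn.exe
2008-03-31 08:27 . 2008-04-03 10:17 936 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-30 06:02 . 2008-03-30 06:02 190,464 --ah----- C:\WINDOWS\system32\BIT15.tmp
"""


def parse_created(text):
    """Return one dict per parsable line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        path = m.group("path")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "size": int(size.replace(",", "")) if size else None,
            "attrs": m.group("attrs"),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def find_clones(entries):
    """(size, mtime) pairs shared by two or more differently named files."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is not None:
            groups[(e["size"], e["modified"])].append(e["name"].lower())
    return [(key, sorted(set(names))) for key, names in sorted(groups.items())
            if len(set(names)) > 1]


def dropped_drivers(entries):
    """.sys/.drv files that landed under system32 during the reporting window."""
    return [e["name"] for e in entries
            if e["size"] is not None
            and e["path"].lower().endswith((".sys", ".drv"))
            and "\\system32\\" in e["path"].lower()]


def hidden_system_files(entries):
    """Files carrying both the hidden and system attributes (h and s flags)."""
    return [e["name"] for e in entries if "h" in e["attrs"] and "s" in e["attrs"]]


if __name__ == "__main__":
    ents = parse_created(SAMPLE_LOG)
    for (size, mtime), names in find_clones(ents):
        print(f"clone set size={size} mtime={mtime}: {', '.join(names)}")
    print("drivers dropped:", dropped_drivers(ents))
    print("hidden+system:", hidden_system_files(ents))
```

On the sample, the clone finder pairs adrsi.drv with raspmpkpqff.drv, which tells the helper the dropper was still alive after the first ComboFix run rather than that a second, unrelated file appeared. The 2007-06-13 03:23 stamp on both is the same value the Sigcheck section of the same log shows for the patched explorer.exe, which reads like a copied timestamp meant to make the file blend in with a hotfix date; that is an observation from the log, not something the thread states.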

#4 bamajim


  • Members
  • 894 posts

Posted 09 April 2008 - 08:31 AM

winomore

You are most welcome.

It may take a few steps before you see marked improvement

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\vkdipmcu.ini
C:\Pass2.reg
C:\Pass2.cmd
C:\Documents and Settings\Owner\tmp.dat
C:\p2hhr.bat
C:\WINDOWS\system32\qrsgapwt.tmp
C:\WINDOWS\system32\mcntqkdn.exe
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\BIT15.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\wtgbipih
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\IDME

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lwxhrbvt"=-
"fhovgvoz"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"g]eeV\mWhjlnspB"=-
"tehdishh"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"rhlmnlge"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\etn70.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gat50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gjd70.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jfv27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jjj04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jmx52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jud65.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kfn43.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nug24.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pww26.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qgo74.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sft00.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ssm54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tli10.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xgj87.sys]
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run ComboFix again; do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security

#5 winomore

  • Topic Starter

  • Members
  • 48 posts

Posted 09 April 2008 - 07:33 PM

bamajim...thanks again...really appreciate all your attention!

Ran ComboFix again (ran much quicker this time, only about an hour)...machine did not reboot this time and IE is still super slow...couldn't even log in and post from that computer...I'm on another machine.

Here is the log file:

ComboFix 08-04-08.7 - Owner 2008-04-09 16:11:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.116 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Owner\tmp.dat
C:\p2hhr.bat
C:\Pass2.cmd
C:\Pass2.reg
C:\WINDOWS\system32\BIT15.tmp
C:\WINDOWS\system32\mcntqkdn.exe
C:\WINDOWS\system32\qrsgapwt.tmp
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\vkdipmcu.ini
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\wtgbipih
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner\tmp.dat
C:\p2hhr.bat
C:\Pass2.cmd
C:\Pass2.reg
C:\WINDOWS\system32\BIT15.tmp
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\IDME\dimnet201.exe
C:\WINDOWS\system32\IDME\TGbn1dll.exe
C:\WINDOWS\system32\mcntqkdn.exe
C:\WINDOWS\system32\qrsgapwt.tmp
C:\WINDOWS\system32\targetedbanner-uninst.exe
C:\WINDOWS\system32\vkdipmcu.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 16:18 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\raspmpkpqff.drv
2008-04-08 17:04 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\adrsi.drv
2008-04-02 10:07 . 2008-04-02 10:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 10:05 . 2008-04-02 10:15 <DIR> d-------- C:\SDFix
2008-04-02 09:35 . 2008-04-02 09:35 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 08:10 . 2008-04-02 08:10 <DIR> d-------- C:\VundoFix Backups
2008-04-01 14:01 . 2008-04-01 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-01 13:11 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 08:22 . 2008-04-01 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 05:49 . 2008-04-01 05:49 4,286 --a------ C:\WINDOWS\system32\march_madness.ico
2008-03-31 21:11 . 2008-04-02 09:32 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-31 20:53 . 2004-08-19 18:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-31 20:53 . 2004-08-19 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-31 20:53 . 2007-08-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-31 20:53 . 2004-08-19 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-03-31 20:53 . 2008-04-02 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-31 17:27 . 2008-03-31 19:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 15:17 . 2008-04-01 15:37 5,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-31 15:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-31 15:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-31 15:11 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-31 15:11 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-31 15:11 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-31 15:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-31 15:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-31 11:52 . 2008-03-31 11:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-31 11:05 . 2008-04-01 13:52 1,264 --a------ C:\WINDOWS\wininit.ini
2008-03-31 11:00 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-31 10:55 . 2008-03-31 10:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 10:55 . 2008-03-31 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-31 08:27 . 2008-04-02 10:13 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 16:42 --------- d-----w C:\Program Files\Pure Networks
2008-04-02 16:35 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-07-11 14:52 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2004-12-30 03:17 452 ----a-w C:\Program Files\Shortcut to Xnews.lnk
2004-12-30 00:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2000-11-15 17:29 774 ----a-w C:\Program Files\readme.txt
2000-11-15 17:21 178,688 ----a-w C:\Program Files\hjsplit.exe
.

------- Sigcheck -------

2004-08-04 05:00 506368 7f710f77cdc92e5d455bf91a33337c6c C:\WINDOWS\system32\winlogon.exe

2007-06-13 03:23 1035776 01401699e77987b2efb211317dc37b83 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01 392832]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-14 18:59 70816]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 12:24 124096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-05 17:23 218240]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 10:46 53248]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 15:18 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 19:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 03:32 50688]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\mcntqkdn.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-08-19 18:49:46 1742384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 03:43:22 960032]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25810:TCP"= 25810:TCP:@xpsp2res.dll,-22005
"14217:TCP"= 14217:TCP:@xpsp2res.dll,-22005
"60156:TCP"= 60156:TCP:@xpsp2res.dll,-22005
"34763:TCP"= 34763:TCP:@xpsp2res.dll,-22005

S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 etn70;etn70;C:\WINDOWS\System32\drivers\Etn70.sys []
S3 gjd70;gjd70;C:\WINDOWS\System32\drivers\Gjd70.sys []
S3 Jfv27;Jfv27;C:\WINDOWS\System32\drivers\Jfv27.sys []
S3 jmx52;jmx52;C:\WINDOWS\System32\drivers\Jmx52.sys []
S3 Jud65;Jud65;C:\WINDOWS\System32\drivers\Jud65.sys []
S3 Qgo74;Qgo74;C:\WINDOWS\System32\drivers\Qgo74.sys []
S3 Sft00;Sft00;C:\WINDOWS\System32\drivers\Sft00.sys []
S3 Ssm54;Ssm54;C:\WINDOWS\System32\drivers\Ssm54.sys []
S3 tli10;tli10;C:\WINDOWS\System32\drivers\Tli10.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 04:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-09 01:33:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-08-20 01:43:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 16:59:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\mcntqkdn.exe DWram "
.
Completion time: 2008-04-09 17:20:44
ComboFix-quarantined-files.txt 2008-04-10 00:19:48
ComboFix2.txt 2008-04-09 01:29:34
Pre-Run: 26,808,004,608 bytes free
Post-Run: 26,791,628,800 bytes free
.
2008-03-17 14:43:13 --- E O F ---

#6 bamajim

Posted 10 April 2008 - 09:26 AM

winomore

You are most welcome. O.k. We are going to come back to Combofix, but we need to change directions a little.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now let's check some settings on your system.

(2000/XP) Only. In the Windows Control Panel:
If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections.
Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns (that space between g and / is needed)
then hit Enter; type exit and hit Enter.
Microsoft MVP - Windows Security

#7 winomore

  • Topic Starter

Posted 10 April 2008 - 10:32 AM

hey bamajim!
system seems to be getting worse! :blink: I can't even hook up to the internet now on that machine as the symantec popup proxy email alerts now enter the 100s! We must be pissing them off! :thumbsup:

So I did all the last steps you said...my (TCP/IP) already had the radio button selected to obtain automatically...ran the dns flush also and it ran successfully. Here are the logs:

fixwareout:

Username "Owner" - 04/10/2008 8:07:39 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.157 85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{50390D33-E4C2-482E-9057-F0F8BDDE7119}
"nameserver"="85.255.115.157,85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BF305E91-D85B-41BB-B97C-8E94A36A084D}
"nameserver"="85.255.115.157,85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F898BEB4-7074-46A6-A110-BAED7FE61CF1}
"nameserver"="85.255.115.157,85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{50390D33-E4C2-482E-9057-F0F8BDDE7119}
"DhcpNameServer"="85.255.115.157,85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BF305E91-D85B-41BB-B97C-8E94A36A084D}
"DhcpNameServer"="85.255.115.157,85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E052FB0B-636F-46C0-8A17-CE6E705A5684}
"DhcpNameServer"="85.255.115.157,85.255.112.14" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NAV CfgWiz"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"CHotkey"="zHotkey.exe"
"ShowWnd"="ShowWnd.exe"
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\mcntqkdn.exe DWram "
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"cfcjq"="rundll32.exe \"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\kleqlrdfndh.sys\" WLEntryPoint"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:06 AM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\mcntqkdn.exe DWram
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cfcjq] rundll32.exe "C:\DOCUME~1\Owner\LOCALS~1\Temp\kleqlrdfndh.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [tctngbmj] rundll32.exe "C:\WINDOWS\system32\oiknoikhccq.dll" WLEntryPoint
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: lGWNgqHsv - {54174881-FEBD-E22B-6E40-7BD273A1A712} - (no file)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7383 bytes
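
The DNS check bamajim walks through in post #6 and the cleared "nameserver" values in the FixWareout report above are worth scripting when you have more than one log to read. Below is an added example (not code from FixWareout, HijackThis or anyone in this thread) that parses those two log line shapes and reports any public resolver the operator did not expect; the 192.168.1.1 entry, the all-zero interface GUID and the allowlist parameter are constructed for the example.

```python
"""Audit DNS resolver values from FixWareout / HijackThis style log lines.

Added example for this thread; not code from FixWareout, HijackThis or the
thread's participants. It recognises the two line shapes shown above:
  "nameserver"="a b" / "DhcpNameServer"="a,b"   (FixWareout Prerun check)
  O17 - ...: NameServer = a b                    (HijackThis)
and reports any resolver that is neither a LAN/private address nor on the
allowlist the operator passes in. A public resolver that neither the ISP nor
the router handed out is exactly what the report above shows.
"""
import ipaddress
import re
from dataclasses import dataclass

# One pattern for both shapes: optional quotes around the value name, "=",
# optional opening quote, then a run of digits, dots, commas and spaces.
_RESOLVER_RE = re.compile(
    r'"?(DhcpNameServer|NameServer)"?\s*=\s*"?([0-9.,\s]+)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    value_name: str   # nameserver / DhcpNameServer / NameServer as written
    resolver: str
    cleared: bool     # FixWareout appends "<Value cleared." once it removed the value
    verdict: str      # "ok", "suspicious" or "malformed"


def _classify(addr: str, allowlist: frozenset) -> str:
    """Private/loopback/link-local resolvers are normal; public ones must be expected."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "ok"          # router or local resolver
    if addr in allowlist:
        return "ok"          # ISP/corporate resolver the operator expects
    return "suspicious"      # public resolver nobody configured


def audit_resolvers(log_text: str, allowlist=()) -> list:
    """Return one Finding per resolver address found in the log text."""
    allow = frozenset(allowlist)
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = _RESOLVER_RE.search(line)
        if not m:
            continue
        cleared = "<Value cleared" in line
        for addr in filter(None, re.split(r"[,\s]+", m.group(2).strip())):
            findings.append(
                Finding(line_no, m.group(1), addr, cleared, _classify(addr, allow))
            )
    return findings


def suspicious_resolvers(log_text: str, allowlist=()) -> set:
    """Just the distinct addresses that need a human to look at them."""
    return {f.resolver for f in audit_resolvers(log_text, allowlist)
            if f.verdict == "suspicious"}


# Constructed sample in the shape of the FixWareout and HijackThis output in this
# thread. The 85.255.x.x addresses are the ones those reports show; the
# 192.168.1.1 entry and the all-zero interface GUID are made up to exercise the
# "ok" path.
SAMPLE_LOG = r'''
~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.157 85.255.112.14" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{50390D33-E4C2-482E-9057-F0F8BDDE7119}
"DhcpNameServer"="85.255.115.157,85.255.112.14" <Value cleared.
Successfully flushed the DNS Resolver Cache.
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.157 85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
'''

if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_LOG):
        flag = " (already cleared by the tool)" if f.cleared else ""
        print(f"line {f.line_no:>2} {f.value_name:<15} {f.resolver:<16} {f.verdict}{flag}")
    print("needs attention:", sorted(suspicious_resolvers(SAMPLE_LOG)))
```

Pass the resolvers your ISP or network actually hands out as the allowlist; anything public that is not on it is reported, which is the same judgement the helper made from the report above.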

#8 bamajim

Posted 10 April 2008 - 10:50 AM

winomore

We must be pissing them off!

I hope so. We just plugged the entry hole; now let's finish the cleanup.

We need to disable Norton Script Blocking temporarily.

1. To disable Norton AntiVirus Script Blocking:
   a. Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
   b. Click Options. If you see a menu, click Norton AntiVirus.
   c. In the left pane, click Script Blocking.
   d. In the right pane, uncheck Enable Script Blocking (recommended).
   e. Click OK.
2. Rerun Combofix and post a fresh Combofix log.
Microsoft MVP - Windows Security

#9 winomore

  • Topic Starter

Posted 10 April 2008 - 11:24 AM

hey bamajim...i don't actually have norton antivirus installed...it came with the machine but I never installed it...just shows a popup every time I reboot to see if I want to register. Can I still do what you're telling me to do?

thanks.

#10 winomore

  • Topic Starter

Posted 10 April 2008 - 11:32 AM

bamajim...figured it out...enable script blocking was already unchecked. I'm re-running combofix...will post once done. Thanks!

#11 winomore

  • Topic Starter

Posted 10 April 2008 - 01:15 PM

bamajim aka GURU!
Done...IE still super slow but I did get to post this from my f'ed computer.

Here is the log:

ComboFix 08-04-08.7 - Owner 2008-04-10 10:00:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 08:03 . 2008-04-10 08:14 <DIR> d-------- C:\fixwareout
2008-04-09 16:18 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\raspmpkpqff.drv
2008-04-08 17:04 . 2007-06-13 03:23 113,664 --a------ C:\WINDOWS\system32\adrsi.drv
2008-04-02 10:07 . 2008-04-02 10:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 10:05 . 2008-04-02 10:15 <DIR> d-------- C:\SDFix
2008-04-02 09:35 . 2008-04-02 09:35 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-02 08:58 . 2008-04-02 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-02 08:10 . 2008-04-02 08:10 <DIR> d-------- C:\VundoFix Backups
2008-04-01 14:01 . 2008-04-01 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-01 14:00 . 2008-04-02 09:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-01 13:11 . 2008-04-02 09:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 08:22 . 2008-04-01 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 05:49 . 2008-04-01 05:49 4,286 --a------ C:\WINDOWS\system32\march_madness.ico
2008-03-31 21:11 . 2008-04-02 09:32 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-31 20:53 . 2004-08-19 18:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-31 20:53 . 2004-08-19 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-31 20:53 . 2007-08-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-31 20:53 . 2004-08-19 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-03-31 20:53 . 2008-04-02 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-31 17:27 . 2008-03-31 19:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-31 15:17 . 2008-04-01 15:37 5,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-31 15:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-31 15:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-31 15:11 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-31 15:11 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-31 15:11 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-31 15:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-31 15:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-31 11:52 . 2008-03-31 11:52 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-31 11:05 . 2008-04-01 13:52 1,264 --a------ C:\WINDOWS\wininit.ini
2008-03-31 11:00 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-31 10:55 . 2008-03-31 10:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-31 10:55 . 2008-03-31 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-31 08:27 . 2008-04-02 10:13 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 16:42 --------- d-----w C:\Program Files\Pure Networks
2008-04-02 16:35 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-02 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-07-11 14:52 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2004-12-30 03:17 452 ----a-w C:\Program Files\Shortcut to Xnews.lnk
2004-12-30 00:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2000-11-15 17:29 774 ----a-w C:\Program Files\readme.txt
2000-11-15 17:21 178,688 ----a-w C:\Program Files\hjsplit.exe
.

------- Sigcheck -------

2004-08-04 05:00 506368 7f710f77cdc92e5d455bf91a33337c6c C:\WINDOWS\system32\winlogon.exe

2007-06-13 03:23 1035776 01401699e77987b2efb211317dc37b83 C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01 392832]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-14 18:59 70816]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 12:24 124096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-05 17:23 218240]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 10:46 53248]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 09:09 36864 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 15:18 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 19:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 03:32 50688]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\mcntqkdn.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"nhfqmagm"="C:\DOCUME~1\Owner\LOCALS~1\Temp\kleqlrdfndh.sys WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-08-19 18:49:46 1742384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 03:43:22 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"tctngbmj"= rundll32.exe "C:\WINDOWS\system32\oiknoikhccq.dll" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18216:TCP"= 18216:TCP:@xpsp2res.dll,-22005
"28207:TCP"= 28207:TCP:@xpsp2res.dll,-22005
"62746:TCP"= 62746:TCP:@xpsp2res.dll,-22005
"38817:TCP"= 38817:TCP:@xpsp2res.dll,-22005

S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 etn70;etn70;C:\WINDOWS\System32\drivers\Etn70.sys []
S3 gjd70;gjd70;C:\WINDOWS\System32\drivers\Gjd70.sys []
S3 Jfv27;Jfv27;C:\WINDOWS\System32\drivers\Jfv27.sys []
S3 jmx52;jmx52;C:\WINDOWS\System32\drivers\Jmx52.sys []
S3 Jud65;Jud65;C:\WINDOWS\System32\drivers\Jud65.sys []
S3 Qgo74;Qgo74;C:\WINDOWS\System32\drivers\Qgo74.sys []
S3 Sft00;Sft00;C:\WINDOWS\System32\drivers\Sft00.sys []
S3 Ssm54;Ssm54;C:\WINDOWS\System32\drivers\Ssm54.sys []
S3 tli10;tli10;C:\WINDOWS\System32\drivers\Tli10.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 04:30:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 15:43:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-08-20 01:43:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 10:44:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\mcntqkdn.exe DWram "
.
Completion time: 2008-04-10 11:06:43
ComboFix-quarantined-files.txt 2008-04-10 18:05:41
ComboFix2.txt 2008-04-10 00:21:22
ComboFix3.txt 2008-04-09 01:29:34
Pre-Run: 26,798,997,504 bytes free
Post-Run: 26,784,583,680 bytes free
.
2008-03-17 14:43:13 --- E O F ---
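
A small triage script, added here as an illustration and not part of this thread or of ComboFix, that reads lines in the layout of the log above and flags the same kinds of entries the helper later targets: files with no size or timestamp recorded, loaders running from Temp, values under the Group Policy Run key, and random-looking names. The log excerpt is constructed from entries in the post; the vowel-ratio rule is a heuristic of this example, not a ComboFix feature.

```python
import re

# Constructed excerpt in the layout of the ComboFix log posted above (entries copied from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\mcntqkdn.exe" [ ]
"nhfqmagm"="C:\DOCUME~1\Owner\LOCALS~1\Temp\kleqlrdfndh.sys WLEntryPoint" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"tctngbmj"= rundll32.exe "C:\WINDOWS\system32\oiknoikhccq.dll" WLEntryPoint
S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 Jud65;Jud65;C:\WINDOWS\System32\drivers\Jud65.sys []
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')        # registry value line
DRIVER_RE = re.compile(r'^S[0-4] (?P<name>[^;]+);[^;]*;(?P<rest>.*)$')  # service/driver line
META_RE = re.compile(r'\[(?P<meta>[^\]]*)\]\s*$')                      # trailing [date time size]
STEM_RE = re.compile(r'([A-Za-z]+)\.(?:exe|dll|sys|drv)\b', re.I)      # file name stems in a line

def looks_random(word):
    """Heuristic (this example's own): a long stem with almost no vowels, e.g. mcntqkdn, dxgthkk."""
    vowels = sum(ch in "aeiouAEIOU" for ch in word)
    return len(word) >= 7 and vowels / len(word) < 0.15

def triage(log_text):
    """Return {entry name: [reasons]} for autostart and driver entries worth a closer look."""
    findings, section = {}, ""
    for line in log_text.splitlines():
        if line.startswith("["):          # a [HKEY...] header opens a registry section
            section = line.lower()
            continue
        m = VALUE_RE.match(line)
        if m is None:                     # anything else ends the section; maybe a driver line
            section, m = "", DRIVER_RE.match(line)
            if m is None:
                continue
        name, rest, reasons = m["name"], m["rest"], []
        meta = META_RE.search(rest)
        if meta and not meta["meta"].strip():
            reasons.append("no size/timestamp recorded: file missing or hidden from the scanner")
        if "\\temp\\" in rest.lower():
            reasons.append("loads from a Temp directory")
        if r"policies\explorer\run" in section:
            reasons.append("uses the Group Policy Run key, which installers rarely touch")
        if any(looks_random(s) for s in [name] + STEM_RE.findall(rest)):
            reasons.append("random-looking name")
        if reasons:
            findings[name] = reasons
    return findings
```

Running triage(SAMPLE_LOG) flags five of the six entries and leaves iTunesHelper, the only one with a recorded size and timestamp, alone.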

#12 winomore

Posted 11 April 2008 - 09:46 AM

bamajim...just an update:
after keeping my computer connected to the internet all day/night yesterday...I noticed this am that the Symantec proxy email popups were back up in the 100's! Sucks! :thumbsup:
When I just rebooted...I had a green virus shield (I suppose it was MSFT) that said it downloaded and updated some malicious software....fyi.

thx!

#13 bamajim

Posted 11 April 2008 - 01:49 PM

winomore

It's being a sneaky devil. You have a couple of suspicious files I would like to have a look at.

Please go HERE

Put Your Name, and Bleeping Computer HJT forum

and in the file to submit box, click Browse. Using Windows Explorer,

locate the file C:\WINDOWS\system32\raspmpkpqff.drv

In the comments tell them that I asked you to upload the file.
Then select Send File.

And upload this one as well: C:\WINDOWS\system32\adrsi.drv

Microsoft MVP - Windows Security

#14 winomore

Posted 11 April 2008 - 07:57 PM

bamajim! DONE! Files were uploaded successfully.
Hope we can get this crap off my computer...what a mess. Thanks again for all the help!

Edited by winomore, 11 April 2008 - 07:57 PM.


#15 bamajim

Posted 14 April 2008 - 08:15 AM

winomore

Got the files. Both unknown, but both bad. Thanks for sending them.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad
File::
C:\WINDOWS\system32\raspmpkpqff.drv
C:\WINDOWS\system32\adrsi.drv
C:\WINDOWS\system32\oiknoikhccq.dll

Driver::
dxgthkk
etn70
gjd70
Jfv27
jmx52
Jud65
Qgo74
Sft00
Ssm54
tli10

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"g]eeV\mWhjlnspB"=-
"nhfqmagm"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"tctngbmj"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe
You will be prompted to run ComboFix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
2. Then rerun HijackThis and post a fresh HijackThis log as well.
Microsoft MVP - Windows Security
