Virus/popups That Resist Attempts To Remove


  • This topic is locked
13 replies to this topic

#1 russgrad

russgrad

  • Members
  • 9 posts

Posted 02 April 2008 - 02:13 PM

This problem is with a WinXP PC on which I've run scans with Spybot, AdAware, Command Antivirus, VundoFix and CCleaner. Each problem has been cleaned off, only to see them reappear within a few hours. I'm hoping you folks can help. I also have a RUNDLL error I get upon restarting that says "Error loading C:\WINDOWS\system32\sknkhuot.dll". I'm wondering if this is connected to all of these other issues. Here's the HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:00 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKLM\..\Run: [54b53fd5] rundll32.exe "C:\WINDOWS\system32\itqcgkqv.dll",b
O4 - HKLM\..\Run: [BM57860c49] Rundll32.exe "C:\WINDOWS\system32\xmngkjjf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E323FBF3-E089-4AB4-94D3-2769FA2375A2}: NameServer = 12.127.16.67,12.127.17.71
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4785 bytes


Thanks for any help you can give.

Daryl
Make a Fast Friend!
Adopt a Retired Racing Greyhound!
Adopt a Greyhound Link

Our Group Website


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 09 April 2008 - 03:53 AM

Hello and welcome to BleepingComputer. :thumbsup:

Please follow the instructions for running ComboFix here and post the log in your next reply.
Hi there, stranger!

#3 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts

Posted 09 April 2008 - 01:38 PM

Thanks Rawe,

I've not seen it discussed up till now, but ComboFix rebooted my PC. It's been 2 1/2 hours and the desktop has not restored and all I have is the blue window that says ComboFix almost done...log will be posted at...

Is this normal? The cleaning and such only took 20 minutes +/-

Russgrad

#4 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts

Posted 10 April 2008 - 06:49 AM

ComboFix ran with the blue window open for 5 1/2 hours. I finally just shut it down. This morning, I checked for the ComboFix.txt document and here's what was there:



ComboFix 08-04-08.10 - User 2008-04-09 11:45:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.320 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\temp\tn3
C:\WINDOWS\BM57860c49.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atrgsxfw.ini
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\bnogxsdf.ini
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drivers\netbtt.sys
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\halnpmlf.dll
C:\WINDOWS\system32\kmmdrvru.ini
C:\WINDOWS\system32\ldrnlhrp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\oliamkir.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\rnrrogyw.ini
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\skuskpei.ini
C:\WINDOWS\system32\ssqnool.dll
C:\WINDOWS\system32\touhknks.ini
C:\WINDOWS\system32\veeulhoe.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_netbtt
-------\Legacy_netbtt
-------\netbtt


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 11:38 . 2008-04-09 11:38 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 11:30 . 2008-04-09 11:31 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-09 11:15 . 2008-04-09 11:15 3,648 --a------ C:\WINDOWS\system32\cdriqane.dll
2008-04-04 07:39 . 2008-04-04 07:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-03 09:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-03 09:01 . 2008-04-03 09:02 <DIR> d-------- C:\Program Files\Java
2008-04-03 08:59 . 2008-04-03 08:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 14:50 . 2008-04-03 09:21 534 --ahs---- C:\WINDOWS\system32\vqkgcqti.ini
2008-04-01 15:33 . 2008-04-01 15:33 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-01 07:33 . 2008-04-01 14:59 1,600,768 --ahs---- C:\WINDOWS\system32\wyefnqim.ini
2008-03-31 15:30 . 2008-03-31 15:30 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-03-31 11:29 . 2008-03-31 11:29 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-03-31 07:33 . 2008-04-01 07:33 1,597,402 --ahs---- C:\WINDOWS\system32\vshnyaqi.ini
2008-03-28 15:25 . 2008-03-28 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 15:25 . 2008-03-28 15:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-28 15:25 . 2008-03-28 15:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-28 15:25 . 2008-03-28 15:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 14:42 . 2008-03-31 07:30 1,583,428 --ahs---- C:\WINDOWS\system32\sprquqmv.ini
2008-03-28 10:29 . 2008-03-28 11:54 1,584,199 --ahs---- C:\WINDOWS\system32\wbubwltq.ini
2008-03-28 10:23 . 2008-03-28 10:23 294 --ahs---- C:\WINDOWS\system32\rbrkmeid.ini
2008-03-28 10:06 . 2008-04-04 08:31 <DIR> d-------- C:\VundoFix Backups
2008-03-27 10:54 . 2008-03-27 10:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 10:54 . 2008-03-27 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 10:53 . 2008-03-27 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 10:43 . 2008-03-28 09:41 1,584,102 --ahs---- C:\WINDOWS\system32\rdandtlk.ini
2008-03-27 07:38 . 2008-03-27 10:11 1,583,115 --ahs---- C:\WINDOWS\system32\scxfjhoq.ini
2008-03-26 15:12 . 2008-04-04 09:27 1,882 --a------ C:\WINDOWS\wininit.ini
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\CCleaner
2008-03-26 14:51 . 2008-03-28 15:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-26 14:51 . 2008-03-26 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-26 11:26 . 2008-03-26 13:46 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-26 11:26 . 2008-03-26 13:57 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-26 11:26 . 2008-04-09 11:45 <DIR> d-------- C:\Temp
2008-03-26 11:26 . 2008-03-26 11:26 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-03-15 08:43 . 2008-03-15 08:43 32,768 --a------ C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 19:55 --------- d-----w C:\Program Files\Windows Defender
2008-03-28 19:50 --------- d-----w C:\Program Files\Browser Mouse
2008-02-27 22:33 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-27 22:33 --------- d-----w C:\Program Files\Authentium
2008-02-12 15:33 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3807FEA1-96B2-4103-A9A1-BA498C584BE2}]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAA9BE6-489F-4A68-B5BA-AABCEE6AB3D0}]
C:\WINDOWS\system32\vtsqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-14 12:20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-14 12:07 118784]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\mouse32a.exe" [2004-12-31 01:17 360448]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [2004-12-31 01:19 207360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [2008-01-04 17:17 75056]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [2008-01-04 17:17 99632]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [2008-01-04 17:17 62768]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [2008-01-04 17:17 116016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxus]
yayxxus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9959:TCP"= 9959:TCP:ESP


.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 13:00:00 C:\WINDOWS\Tasks\Enterprise update for Command AntiVirus.job"
- C:\Program Files\Authentium\AntiVirus\cuagent.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 11:49:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
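The HijackThis log in post #1 (Run entries that start rundll32.exe on random-named DLLs, IE policy restrictions) and the ComboFix "Reg Loading Points" section in post #4 (non-default BHOs, a Winlogon Notify package, Security Center alerts switched off, the firewall disabled) together show the kind of entries a helper reads a log for. As an added example that is not part of this thread and is not code from HijackThis, ComboFix or any other tool named here, the Python script below runs a defender-side triage over constructed sample lines copied from those two logs. The severity rules (a single-letter rundll32 export name, a Run value name that looks like random hex, anything ComboFix prints under a BHO or Winlogon Notify key) are heuristics chosen for this example, not rules of either tool.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines taken from the HijackThis log in post #1
# and the ComboFix "Reg Loading Points" section in post #4 of this thread.
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [54b53fd5] rundll32.exe "C:\WINDOWS\system32\itqcgkqv.dll",b
O4 - HKLM\..\Run: [BM57860c49] Rundll32.exe "C:\WINDOWS\system32\xmngkjjf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

COMBOFIX_SAMPLE = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3807FEA1-96B2-4103-A9A1-BA498C584BE2}]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-14 12:20 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxus]
yayxxus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    severity: str   # "high": a security control is off or a loader-style autostart; "review": non-default, confirm by hand
    line: str
    reasons: list


# O4 entries that launch rundll32.exe on a DLL, e.g.
#   O4 - HKLM\..\Run: [54b53fd5] rundll32.exe "C:\WINDOWS\system32\itqcgkqv.dll",b
RUNDLL_RE = re.compile(
    r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?\s*$',
    re.IGNORECASE,
)
# Heuristic (assumption of this example): Run value names such as 54b53fd5 or BM57860c49,
# an optional two-letter prefix followed by eight hex digits, look machine-generated.
HEX_NAME_RE = re.compile(r"^(?:[A-Za-z]{2})?[0-9a-f]{8}$")


def triage_hijackthis(text: str) -> list:
    """Flag autostart and IE-policy lines of a HijackThis log that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUNDLL_RE.match(line)
        if m:
            reasons = ["Run entry launches rundll32.exe on a DLL"]
            export = m.group("export") or ""
            if len(export) == 1:
                reasons.append("single-letter export '%s' (loader-style invocation)" % export)
            if HEX_NAME_RE.match(m.group("name")):
                reasons.append("value name '%s' looks like random hex" % m.group("name"))
            # Only the plain rundll32 launch: review; with either extra signal: high.
            findings.append(Finding("high" if len(reasons) > 1 else "review", line, reasons))
        elif line.startswith("O6 - "):
            findings.append(Finding("review", line, ["IE policy restriction present; expected only on managed PCs"]))
    return findings


def triage_combofix(text: str) -> list:
    """Walk the REGEDIT4-style 'Reg Loading Points' section. ComboFix hides default
    entries, so every BHO or Winlogon Notify entry it prints is non-default by construction."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()   # current registry key, lower-cased for matching
            continue
        if "browser helper objects" in section and line.lower().endswith(".dll"):
            findings.append(Finding("review", line, ["non-default Browser Helper Object DLL"]))
        elif "winlogon\\notify\\" in section and line.lower().endswith(".dll"):
            findings.append(Finding("review", line, ["non-default Winlogon Notify package (loaded into winlogon.exe)"]))
        elif section.endswith("security center") and re.match(r'"antivirusdisablenotify"=dword:0*1$', line, re.I):
            findings.append(Finding("high", line, ["Security Center antivirus alerts disabled"]))
        elif section.endswith("firewallpolicy\\standardprofile") and re.match(r'"enablefirewall"=\s*0\b', line, re.I):
            findings.append(Finding("high", line, ["Windows Firewall disabled for the standard profile"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity so a log can be ranked at a glance."""
    high = sum(1 for f in findings if f.severity == "high")
    return {"total": len(findings), "high": high, "review": len(findings) - high}


if __name__ == "__main__":
    results = triage_hijackthis(HIJACKTHIS_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE)
    for f in results:
        print("[%s] %s\n      %s" % (f.severity.upper(), f.line, "; ".join(f.reasons)))
    print(summarize(results))
```

Run against the sample, the two rundll32 Run entries and the two weakened-security values come out as high, and the two IE policy lines, the BHO and the Winlogon Notify package come out as review items, which is the same split the helper's CFScript in post #7 targets.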

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 10 April 2008 - 07:53 AM

Let's run SDFix, then continue with ComboFix. :thumbsup: There are quite a few files to get rid of.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SDFix and save it to your desktop.
  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a fresh ComboFix log after running it again.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#6 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts

Posted 10 April 2008 - 10:33 AM

Thanks Rawe, this time it all went off without a hitch.

Here's the SDFix report (ComboFix will be next):


SDFix: Version 1.168
Run by User on 2008-04-10 at 11:20

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted



Folder C:\WINDOWS\system32\aqVreo01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 11:24:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe"="C:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe:*:Disabled:wIntegrate Session Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!


Now for the ComboFix report:

ComboFix 08-04-08.10 - User 2008-04-10 11:27:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.330 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\temp\tn3
C:\WINDOWS\BM57860c49.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atrgsxfw.ini
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\bnogxsdf.ini
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drivers\netbtt.sys
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\halnpmlf.dll
C:\WINDOWS\system32\kmmdrvru.ini
C:\WINDOWS\system32\ldrnlhrp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\oliamkir.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\rnrrogyw.ini
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\skuskpei.ini
C:\WINDOWS\system32\ssqnool.dll
C:\WINDOWS\system32\touhknks.ini
C:\WINDOWS\system32\veeulhoe.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_netbtt
-------\Legacy_netbtt
-------\netbtt


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 11:18 . 2008-04-10 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 11:15 . 2008-04-10 11:15 <DIR> d-------- C:\SDFix
2008-04-09 11:38 . 2008-04-09 11:38 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 11:30 . 2008-04-09 11:31 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-09 11:15 . 2008-04-09 11:15 3,648 --a------ C:\WINDOWS\system32\cdriqane.dll
2008-04-04 07:39 . 2008-04-04 07:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-03 09:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-03 09:01 . 2008-04-03 09:02 <DIR> d-------- C:\Program Files\Java
2008-04-03 08:59 . 2008-04-03 08:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 14:50 . 2008-04-03 09:21 534 --ahs---- C:\WINDOWS\system32\vqkgcqti.ini
2008-04-01 15:33 . 2008-04-01 15:33 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-01 07:33 . 2008-04-01 14:59 1,600,768 --ahs---- C:\WINDOWS\system32\wyefnqim.ini
2008-03-31 15:30 . 2008-03-31 15:30 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-03-31 11:29 . 2008-03-31 11:29 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-03-31 07:33 . 2008-04-01 07:33 1,597,402 --ahs---- C:\WINDOWS\system32\vshnyaqi.ini
2008-03-28 15:25 . 2008-03-28 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 15:25 . 2008-03-28 15:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-28 15:25 . 2008-03-28 15:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-28 15:25 . 2008-03-28 15:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 14:42 . 2008-03-31 07:30 1,583,428 --ahs---- C:\WINDOWS\system32\sprquqmv.ini
2008-03-28 10:29 . 2008-03-28 11:54 1,584,199 --ahs---- C:\WINDOWS\system32\wbubwltq.ini
2008-03-28 10:23 . 2008-03-28 10:23 294 --ahs---- C:\WINDOWS\system32\rbrkmeid.ini
2008-03-28 10:06 . 2008-04-04 08:31 <DIR> d-------- C:\VundoFix Backups
2008-03-27 10:54 . 2008-03-27 10:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 10:54 . 2008-03-27 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 10:53 . 2008-03-27 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 10:43 . 2008-03-28 09:41 1,584,102 --ahs---- C:\WINDOWS\system32\rdandtlk.ini
2008-03-27 07:38 . 2008-03-27 10:11 1,583,115 --ahs---- C:\WINDOWS\system32\scxfjhoq.ini
2008-03-26 15:12 . 2008-04-04 09:27 1,882 --a------ C:\WINDOWS\wininit.ini
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\CCleaner
2008-03-26 14:51 . 2008-03-28 15:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-26 14:51 . 2008-03-26 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-26 11:26 . 2008-03-26 13:46 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-26 11:26 . 2008-03-26 13:57 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-26 11:26 . 2008-04-09 11:45 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 19:55 --------- d-----w C:\Program Files\Windows Defender
2008-03-28 19:50 --------- d-----w C:\Program Files\Browser Mouse
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-27 22:33 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-27 22:33 --------- d-----w C:\Program Files\Authentium
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-12 15:33 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_11.50.00.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-09 14:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-10 15:19:07 2,777,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:19:07 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-09 14:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-10 15:18:58 2,777,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:18:58 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3807FEA1-96B2-4103-A9A1-BA498C584BE2}]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAA9BE6-489F-4A68-B5BA-AABCEE6AB3D0}]
C:\WINDOWS\system32\vtsqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-14 12:20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-14 12:07 118784]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\mouse32a.exe" [2004-12-31 01:17 360448]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [2004-12-31 01:19 207360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [2008-01-04 17:17 75056]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [2008-01-04 17:17 99632]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [2008-01-04 17:17 62768]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [2008-01-04 17:17 116016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxus]
yayxxus.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9959:TCP"= 9959:TCP:ESP


.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 13:00:01 C:\WINDOWS\Tasks\Enterprise update for Command AntiVirus.job"
- C:\Program Files\Authentium\AntiVirus\cuagent.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 11:28:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 11:29:06
ComboFix-quarantined-files.txt 2008-04-10 15:28:55
Pre-Run: 31,624,933,376 bytes free
Post-Run: 31,616,380,928 bytes free
.
2008-04-09 15:40:24 --- E O F ---

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 10 April 2008 - 11:12 AM

Hello again. :thumbsup:

We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.
Please open Notepad and copy/paste the text in the quote box into it

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\cdriqane.dll
C:\WINDOWS\system32\vqkgcqti.ini
C:\WINDOWS\system32\wyefnqim.ini
C:\WINDOWS\system32\vshnyaqi.ini
C:\WINDOWS\system32\sprquqmv.ini
C:\WINDOWS\system32\wbubwltq.ini
C:\WINDOWS\system32\rbrkmeid.ini
C:\WINDOWS\system32\rdandtlk.ini
C:\WINDOWS\system32\scxfjhoq.ini

Folder::
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3807FEA1-96B2-4103-A9A1-BA498C584BE2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAAA9BE6-489F-4A68-B5BA-AABCEE6AB3D0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxxus]


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------

Also....

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :blink:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!

#8 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 10 April 2008 - 11:35 AM

Here's the Combofix log:

ComboFix 08-04-08.10 - User 2008-04-10 12:32:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.308 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\cdriqane.dll
C:\WINDOWS\system32\rbrkmeid.ini
C:\WINDOWS\system32\rdandtlk.ini
C:\WINDOWS\system32\scxfjhoq.ini
C:\WINDOWS\system32\sprquqmv.ini
C:\WINDOWS\system32\vqkgcqti.ini
C:\WINDOWS\system32\vshnyaqi.ini
C:\WINDOWS\system32\wbubwltq.ini
C:\WINDOWS\system32\wyefnqim.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\cdriqane.dll
C:\WINDOWS\system32\rbrkmeid.ini
C:\WINDOWS\system32\rdandtlk.ini
C:\WINDOWS\system32\scxfjhoq.ini
C:\WINDOWS\system32\sprquqmv.ini
C:\WINDOWS\system32\vqkgcqti.ini
C:\WINDOWS\system32\vshnyaqi.ini
C:\WINDOWS\system32\wbubwltq.ini
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\wyefnqim.ini
C:\WINDOWS\system32\xTmp

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 11:18 . 2008-04-10 11:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 11:15 . 2008-04-10 11:15 <DIR> d-------- C:\SDFix
2008-04-09 11:38 . 2008-04-09 11:38 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-04 07:39 . 2008-04-04 07:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-03 09:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-03 09:01 . 2008-04-03 09:02 <DIR> d-------- C:\Program Files\Java
2008-04-03 08:59 . 2008-04-03 08:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 15:33 . 2008-04-01 15:33 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-03-31 15:30 . 2008-03-31 15:30 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-03-31 11:29 . 2008-03-31 11:29 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-03-28 15:25 . 2008-03-28 16:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 15:25 . 2008-03-28 15:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-28 15:25 . 2008-03-28 15:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-28 15:25 . 2008-03-28 15:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 10:06 . 2008-04-04 08:31 <DIR> d-------- C:\VundoFix Backups
2008-03-27 10:54 . 2008-03-27 10:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 10:54 . 2008-03-27 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 10:53 . 2008-03-27 10:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 15:12 . 2008-04-04 09:27 1,882 --a------ C:\WINDOWS\wininit.ini
2008-03-26 14:52 . 2008-03-26 14:52 <DIR> d-------- C:\Program Files\CCleaner
2008-03-26 14:51 . 2008-03-28 15:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-26 14:51 . 2008-03-26 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 11:26 . 2008-03-26 13:57 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-26 11:26 . 2008-03-26 11:26 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-26 11:26 . 2008-04-09 11:45 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 19:55 --------- d-----w C:\Program Files\Windows Defender
2008-03-28 19:50 --------- d-----w C:\Program Files\Browser Mouse
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-27 22:33 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-27 22:33 --------- d-----w C:\Program Files\Authentium
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-12 15:33 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_11.50.00.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-09 14:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-10 15:19:07 2,777,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:19:07 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-09 14:45:49 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-10 15:18:58 2,777,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:18:58 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-14 12:20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-14 12:07 118784]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\mouse32a.exe" [2004-12-31 01:17 360448]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [2004-12-31 01:19 207360]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CSAV_CheckViruses"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe" [2008-01-04 17:17 75056]
"cuagent"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe" [2008-01-04 17:17 99632]
"avtray"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe" [2008-01-04 17:17 62768]
"dvprpt"="C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe" [2008-01-04 17:17 116016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9959:TCP"= 9959:TCP:ESP


.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 13:00:01 C:\WINDOWS\Tasks\Enterprise update for Command AntiVirus.job"
- C:\Program Files\Authentium\AntiVirus\cuagent.exe
"2008-04-10 16:31:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 12:32:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 12:33:20
ComboFix-quarantined-files.txt 2008-04-10 16:33:09
ComboFix2.txt 2008-04-10 15:29:07
Pre-Run: 32,162,549,760 bytes free
Post-Run: 32,145,145,856 bytes free
.
2008-04-09 15:40:24 --- E O F ---


The Malwarebytes log to follow.
Make a Fast Friend!
Adopt a Retired Racing Greyhound!
Adopt a Greyhound Link

Our Group Website
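As an added example (not ComboFix's own code, and not anything posted in this thread), the script below parses the File::/Folder::/Registry:: sections of a CFScript like the one Rawe posted and the "Other Deletions" section of the ComboFix.txt log russgrad posted in reply, then reports which requested deletions the log actually confirms. The embedded CFScript and log excerpts are trimmed copies of the ones in this thread, with one .ini entry deliberately left out of the log so that the unconfirmed case shows up; the function names are my own.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced."""
import re

# Trimmed copy of the CFScript posted in the thread (raw string: Windows paths).
CFSCRIPT = r"""File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\cdriqane.dll
C:\WINDOWS\system32\vqkgcqti.ini

Folder::
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3807FEA1-96B2-4103-A9A1-BA498C584BE2}]
"""

# Trimmed copy of the log's "Other Deletions" section; vqkgcqti.ini is left out
# on purpose so that one requested deletion remains unconfirmed.
COMBOFIX_LOG = r"""((((((((((((((( Other Deletions )))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\cdriqane.dll
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\xTmp

.
(((((((( Files Created from 2008-03-10 to 2008-04-10 ))))))))
"""


def parse_cfscript(text):
    """Return {section_name: [entries]} for every 'Name::' section in a CFScript."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log):
    """Return the paths listed under the log's 'Other Deletions' banner."""
    deleted, inside = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("((((") and line.endswith("))))"):
            inside = "Other Deletions" in line   # banners delimit sections
            continue
        if inside and line and line != ".":
            deleted.append(line)
    return deleted


def check_script(cfscript, log):
    """Split File::/Folder:: entries into (confirmed, missing) by the log."""
    requested = parse_cfscript(cfscript)
    deleted = {p.lower() for p in parse_deletions(log)}  # NTFS is case-insensitive
    confirmed, missing = [], []
    for section in ("file", "folder"):
        for path in requested.get(section, []):
            (confirmed if path.lower() in deleted else missing).append(path)
    return confirmed, missing


if __name__ == "__main__":
    ok, not_ok = check_script(CFSCRIPT, COMBOFIX_LOG)
    print("confirmed deletions:", *ok, sep="\n  ")
    print("NOT confirmed (re-check these):", *not_ok, sep="\n  ")
```

Registry:: entries are parsed but not cross-checked, since ComboFix reports them outside the "Other Deletions" section.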

#9 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 10 April 2008 - 11:48 AM

Thanks for waiting :thumbsup: , here's the Malwarebytes log file. I await further instruction, Obi-Wan.

Malwarebytes' Anti-Malware 1.11
Database version: 606

Scan type: Quick Scan
Objects scanned: 28758
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WINCTL32.DLL (Dialer) -> Quarantined and deleted successfully.

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:03 PM

Posted 10 April 2008 - 12:30 PM

Much better. :thumbsup:

Go ahead and uninstall Malwarebytes' if you wish.

Post back with a fresh HijackThis log and let me know how the system is running at the moment.

#11 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 10 April 2008 - 01:24 PM

Starts up much faster, seems to not stall as it did. Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:30 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Authentium\AntiVirus\schscnt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\vchk.exe
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\cuagent.exe /v
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\ANTIVI~1\dvprpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E323FBF3-E089-4AB4-94D3-2769FA2375A2}: NameServer = 12.127.16.67,12.127.17.71
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\AntiVirus\schscnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5491 bytes

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:03 PM

Posted 10 April 2008 - 01:28 PM

If you haven't set these restrictions with either SpyBot or yourself manually, go ahead and check & fix the following objects after a HijackThis rescan:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Other than that... Looking good. :thumbsup:

For some housekeeping ......

Click Start -> Run and type in:

ComboFix /u

Click on OK. When shown the disclaimer, select 2.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:

Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32, this is a must have. (Note: use only one at a time.)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note: use only one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus

#13 russgrad

russgrad
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 10 April 2008 - 02:09 PM

Running much better Rawe! :thumbsup:

Thanks for all of your help (and Bleeping Computer)!

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:03 PM

Posted 12 April 2008 - 07:01 AM

You're very welcome. :thumbsup:

Since this issue appears to be resolved, this topic has been closed.
Should another issue arise, feel free to start a new topic.