

Cryp_tap-2


  • This topic is locked
16 replies to this topic

#1 dspeed

dspeed

  • Members
  • 10 posts

Posted 21 April 2008 - 06:11 PM

I am helping my daughter clean up her laptop. Trend Micro can't remove Cryp_Tap-2. I have run dss.exe and Hijack This. Attaching the logs. PC runs PAINFULLY slow. Thanks very much!!

Attached Files




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 April 2008 - 06:27 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dspeed

dspeed
  • Topic Starter

  • Members
  • 10 posts

Posted 22 April 2008 - 07:59 PM

Hi Sam,

Thanks so very much for the help!! I hope that I have done all this correctly. It does not seem overly complicated but it took forever to scan. I was not sure what to do after the hijackthis.log was created. It came up with the menu with the fix checked option. I did not take any action on that screen. Please let me know if I have missed any steps that are critical.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:46 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [BMc347e59f] Rundll32.exe "C:\WINDOWS\system32\cekfftng.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1659004503-73586283-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.goodle.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208558763734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6105 bytes

Attached Files


Edited by Buckeye_Sam, 23 April 2008 - 07:28 AM.


#4 dspeed

dspeed
  • Topic Starter

  • Members
  • 10 posts

Posted 22 April 2008 - 08:02 PM

Oh, also, I forgot to mention that VundoFix found no errors and did not actually reboot the PC. It seemed to hang up during the uninstall process. Should it be restarted? The VundoFix.exe is still present on my desktop.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 April 2008 - 07:30 AM

Going forward please copy and paste your logs directly into your post rather than attach them. It just makes it easier to review.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BMc347e59f] Rundll32.exe "C:\WINDOWS\system32\cekfftng.dll",s



Reboot your computer.





Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
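As an added example (not part of this thread, and not code from HijackThis or Trend Micro), the Python below applies the same reading to a HijackThis log that Sam applied above: it parses the O3/O4/O23 entries, flags references to files that no longer exist, and flags Run entries of the two kinds fixed in this thread, a Rundll32 launcher pointing at an eight-letter DLL in system32 and a value named BM followed by eight hex digits (the shape of the BMc347e59f entry above). Both heuristics are assumptions drawn from this thread's own indicators, not general signatures; the sample lines are copied from the log in post #3 and embedded as constructed input.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMc347e59f] Rundll32.exe "C:\WINDOWS\system32\cekfftng.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
"""

# O4: autostart entry -> hive, value name, command line
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23: service -> display name, owner, image path
HJT_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A Rundll32 launcher and the DLL it loads (first argument, optionally quoted)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# Heuristics drawn from this thread's indicators (assumptions, not general signatures):
# an eight-letter DLL name, and a Run value named BM + eight hex digits.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
BM_RUN_NAME = re.compile(r"^BM[0-9a-f]{8}$")


def triage_line(line):
    """Return the list of reason codes that apply to one HijackThis line ([] if clean)."""
    reasons = []
    if "(no file)" in line:
        reasons.append("orphaned-reference")     # registry points at a file that is gone
    m = HJT_O4.match(line)
    if m:
        if BM_RUN_NAME.match(m.group("name")):
            reasons.append("bm-style-run-name")
        r = RUNDLL.match(m.group("cmd"))
        if r:
            dll = r.group("dll").rsplit("\\", 1)[-1].lower()
            if RANDOM_DLL.match(dll):
                reasons.append("rundll32-random-dll")
    s = HJT_O23.match(line)
    if s and s.group("path").endswith("(file missing)"):
        reasons.append("service-file-missing")   # informational: orphaned service entry
    return reasons


def triage(log_text):
    """Map each flagged line of a HijackThis log to its reason codes."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT).items():
        print(", ".join(reasons).ljust(40), line)
```

The "(file missing)" services are reported under their own code rather than grouped with the two Run-entry findings, because they were not part of what Sam asked to have fixed; a reviewer can decide separately whether an orphaned service entry matters.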

#6 dspeed

dspeed
  • Topic Starter

  • Members
  • 10 posts

Posted 24 April 2008 - 04:40 AM

Sam,

here you go!

ComboFix 08-04-22.5 - dspeed 2008-04-23 19:28:31.1 - NTFSx86
Running from: C:\Documents and Settings\dspeed\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\BMc347e59f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aoptrfwu.dll
C:\WINDOWS\system32\cekfftng.dll
C:\WINDOWS\system32\cuahxpwe.ini
C:\WINDOWS\system32\dxfdxsre.ini
C:\WINDOWS\system32\hnbfdfbv.ini
C:\WINDOWS\system32\iicrvsxv.ini
C:\WINDOWS\system32\jkmlmnpo.ini
C:\WINDOWS\system32\jkmlmnpo.ini2
C:\WINDOWS\system32\jptkakah.ini
C:\WINDOWS\system32\kxrsmypv.ini
C:\WINDOWS\system32\ltaiaqhv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ugxaupya.ini
C:\WINDOWS\system32\wmrmcxlo.dll
C:\WINDOWS\system32\xpawyglc.ini
C:\WINDOWS\system32\xyltgyxc.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-22 17:36 . 2008-04-22 17:36 <DIR> d-------- C:\VundoFix Backups
2008-04-21 18:11 . 2008-04-21 18:11 <DIR> d-------- C:\Deckard
2008-04-21 14:57 . 2008-04-21 14:57 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-21 14:57 . 2008-04-21 15:02 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-20 18:25 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 18:25 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-20 18:25 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-20 18:19 . 2008-04-21 18:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 12:34 . 2008-04-20 12:34 <DIR> d-------- C:\WINDOWS\system32\Log
2008-04-20 11:08 . 2008-04-20 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-20 09:56 . 2008-04-20 10:44 <DIR> d-------- C:\Documents and Settings\dspeed\Application Data\ICAClient
2008-04-20 09:46 . 2008-04-20 09:46 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-04-20 09:42 . 2008-04-20 09:42 <DIR> d-------- C:\Program Files\Citrix
2008-04-20 09:12 . 2004-08-03 15:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-20 09:11 . 2008-04-20 12:19 <DIR> d-------- C:\Documents and Settings\dspeed
2008-04-20 09:11 . 2008-04-23 21:02 1,024 --ah----- C:\Documents and Settings\dspeed\ntuser.dat.LOG
2008-04-20 04:37 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-20 04:37 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-18 17:25 . 2008-04-18 17:25 <DIR> d-------- C:\WINDOWS\Sun
2008-04-18 17:25 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-18 17:24 . 2008-04-18 17:25 <DIR> d-------- C:\Program Files\Java
2008-04-18 17:24 . 2008-04-18 17:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-18 16:42 . 2008-04-18 16:42 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-18 15:39 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-18 15:39 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-18 15:39 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-18 15:39 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-18 15:28 . 2008-04-18 15:31 <DIR> d-------- C:\Program Files\Nortel Networks
2008-04-18 15:28 . 2004-09-30 13:43 216,459 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2008-04-18 15:28 . 2004-09-30 13:42 38,939 --a------ C:\WINDOWS\system32\eacfilt.dll
2008-04-18 15:28 . 2004-10-08 09:42 32,837 --------- C:\WINDOWS\system32\exthook.dll
2008-04-18 15:28 . 2004-09-30 13:42 11,113 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2008-04-09 10:45 . 2008-04-09 10:46 287,232 --a------ C:\WINDOWS\system32\opnmlmkj.dll
2008-04-09 10:40 . 2008-04-09 10:40 40,960 --a------ C:\WINDOWS\system32\opnkhhhe.dll
2008-04-09 10:30 . 2008-04-20 13:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 10:30 . 2008-04-09 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\iTunes
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\iPod
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\Bonjour
2008-04-01 20:16 . 2008-04-01 20:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-01 20:16 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\QuickTime
2008-04-01 20:16 . 2008-04-01 20:16 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-01 20:16 . 2008-04-01 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 20:15 . 2008-04-01 20:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-01 20:15 . 2008-04-01 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-30 11:22 . 2008-03-30 11:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-30 10:54 . 2005-10-20 18:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-30 10:54 . 2005-10-20 18:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-30 10:53 . 2008-03-30 10:53 <DIR> d-------- C:\Program Files\Touch by HTC User Guide
2008-03-25 15:38 . 2008-04-18 16:43 <DIR> d-------- C:\Program Files\Common Files\System Doctor
2008-03-25 15:38 . 2008-04-18 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-03-25 15:38 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-25 15:38 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-25 15:38 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-25 15:38 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-25 11:28 . 2008-04-18 15:55 <DIR> d-------- C:\Program Files\MalwareAlarm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 23:36 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-18 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-18 22:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 08:32 --------- d-----w C:\Program Files\CONEXANT
2008-03-18 07:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-18 05:27 --------- d-----w C:\Program Files\Burn and Go X
2008-03-18 05:20 --------- d-----w C:\Program Files\Common Files\New Boundary
2008-03-18 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prism Deploy
2008-03-18 05:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-18 04:48 --------- d-----w C:\Program Files\ATI Technologies
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}]
2008-04-09 10:40 40960 --a------ C:\WINDOWS\system32\opnkhhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D128440-4084-4378-8F7F-B436788507D5}]
2008-04-09 10:46 287232 --a------ C:\WINDOWS\system32\opnmlmkj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 22:05 344064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}"= C:\WINDOWS\system32\opnkhhhe.dll [2008-04-09 10:40 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhhhe]
opnkhhhe.dll 2008-04-09 10:40 40960 C:\WINDOWS\system32\opnkhhhe.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 03:16:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 20:59:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wbem\mof.xsl 9261 bytes
C:\WINDOWS\system32\wbem\mofcomp.exe 16384 bytes executable
C:\WINDOWS\system32\wbem\mofd.dll 123904 bytes executable
C:\WINDOWS\system32\wbem\msi.mfl 108452 bytes
C:\WINDOWS\system32\wbem\msi.mof 165430 bytes
C:\WINDOWS\system32\wbem\msiprov.dll 273920 bytes executable
C:\WINDOWS\system32\wbem\ncprov.dll 47104 bytes executable
C:\WINDOWS\system32\wbem\ncprov.mfl 626 bytes
C:\WINDOWS\system32\wbem\ncprov.mof 2880 bytes
C:\WINDOWS\system32\wbem\ntevt.dll 212992 bytes executable
C:\WINDOWS\system32\wbem\ntevt.mfl 20544 bytes
C:\WINDOWS\system32\wbem\ntevt.mof 29762 bytes
C:\WINDOWS\system32\wbem\Performance
C:\WINDOWS\system32\wbem\Performance\WmiApRpl.h 738 bytes
C:\WINDOWS\system32\wbem\Performance\WmiApRpl.ini 3824 bytes
C:\WINDOWS\system32\wbem\policman.dll 92672 bytes executable
C:\WINDOWS\system32\wbem\policman.mfl 4900 bytes
C:\WINDOWS\system32\wbem\policman.mof 12150 bytes
C:\WINDOWS\system32\wbem\provthrd.dll 237056 bytes executable
C:\WINDOWS\system32\wbem\rawxml.xsl 623 bytes
C:\WINDOWS\system32\wbem\regevent.mfl 38578 bytes
C:\WINDOWS\system32\wbem\textvaluelist.xsl 2766 bytes
C:\WINDOWS\system32\wbem\tmplprov.dll 61952 bytes executable
C:\WINDOWS\system32\wbem\tmplprov.mfl 7894 bytes
C:\WINDOWS\system32\wbem\tmplprov.mof 12144 bytes
C:\WINDOWS\system32\wbem\trnsprov.dll 59904 bytes executable
C:\WINDOWS\system32\wbem\trnsprov.mfl 2026 bytes
C:\WINDOWS\system32\wbem\trnsprov.mof 4998 bytes
C:\WINDOWS\system32\wbem\tscfgwmi.mfl 58096 bytes
C:\WINDOWS\system32\wbem\tscfgwmi.mof 99750 bytes
C:\WINDOWS\system32\wbem\unsecapp.exe 16896 bytes executable
C:\WINDOWS\system32\wbem\updprov.dll 116224 bytes executable
C:\WINDOWS\system32\wbem\updprov.mfl 13488 bytes
C:\WINDOWS\system32\wbem\updprov.mof 20720 bytes
C:\WINDOWS\system32\wbem\viewprov.dll 131584 bytes executable
C:\WINDOWS\system32\wbem\wbemads.dll 12288 bytes executable
C:\WINDOWS\system32\wbem\wbemads.tlb 31232 bytes executable
C:\WINDOWS\system32\wbem\wmiapsrv.exe 126464 bytes executable
C:\WINDOWS\system32\wbem\wmic.exe 358912 bytes executable
C:\WINDOWS\system32\wbem\wmiclimofformat.xsl 9442 bytes
C:\WINDOWS\system32\wbem\wmiclitableformat.xsl 3247 bytes
C:\WINDOWS\system32\wbem\wmiclitableformatnosys.xsl 3921 bytes
C:\WINDOWS\system32\wbem\wmiclivalueformat.xsl 485 bytes
C:\WINDOWS\system32\wbem\wmicookr.dll 60928 bytes executable
C:\WINDOWS\system32\wbem\wmidcprv.dll 140800 bytes executable
C:\WINDOWS\system32\wbem\wmimsg.dll 61440 bytes executable
C:\WINDOWS\system32\wbem\wmipcima.dll 156672 bytes executable
C:\WINDOWS\system32\wbem\wmipcima.mfl 28846 bytes
C:\WINDOWS\system32\wbem\wmipcima.mof 41402 bytes
C:\WINDOWS\system32\wbem\wmipdskq.dll 132096 bytes executable
C:\WINDOWS\system32\wbem\licwmi.mof 15586 bytes
C:\WINDOWS\system32\wbem\Logs
C:\WINDOWS\system32\wbem\Logs\FrameWork.log 15416 bytes
C:\WINDOWS\system32\wbem\Logs\FrameWork.lo_ 65536 bytes
C:\WINDOWS\system32\wbem\Logs\mofcomp.log 10831 bytes
C:\WINDOWS\system32\wbem\Logs\replog.log 400 bytes
C:\WINDOWS\system32\wbem\Logs\setup.log 4961 bytes
C:\WINDOWS\system32\wbem\Logs\wbemcore.log 142 bytes
C:\WINDOWS\system32\wbem\Logs\wbemess.log 64238 bytes
C:\WINDOWS\system32\wbem\Logs\wbemess.lo_ 65616 bytes
C:\WINDOWS\system32\wbem\Logs\wbemprox.log 47144 bytes
C:\WINDOWS\system32\wbem\Logs\wbemprox.lo_ 65611 bytes
C:\WINDOWS\system32\wbem\Logs\WinMgmt.log 94 bytes
C:\WINDOWS\system32\wbem\Logs\wmiadap.log 2999 bytes
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 24529 bytes

scan completed successfully
hidden files: 65

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnkhhhe.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-23 21:45:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 04:39:21

Pre-Run: 69,410,512,896 bytes free
Post-Run: 69,364,367,360 bytes free

232 --- E O F --- 2008-04-23 10:37:50

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 April 2008 - 08:57 AM

We're just about there.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\opnkhhhe.dll
C:\WINDOWS\system32\opnmlmkj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D128440-4084-4378-8F7F-B436788507D5}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
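The CFScript above is a plain-text file with section headers ending in `::`; its `Registry::` section uses REGEDIT4-style syntax in which `[-KEY]` removes a key. As an added example (not part of this thread and not ComboFix's own code), the Python below parses such a script into a dry-run action list and cross-checks it against the "Reg Loading Points" section of the ComboFix log in post #6: it confirms that every DLL listed under a key the script deletes is also listed under `File::`, and reports the other loading points (ShellExecuteHooks, Winlogon\Notify) that still reference those DLLs. The `~` abbreviation ComboFix uses in key paths is passed through unexpanded, the handling of `"name"=-` as a value deletion is assumed from .reg file convention rather than taken from this thread, and both sample inputs are constructed from the thread's own lines.

```python
import re
from collections import defaultdict

# Constructed from the CFScript posted in this thread (script lines only).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\opnkhhhe.dll
C:\WINDOWS\system32\opnmlmkj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D128440-4084-4378-8F7F-B436788507D5}]
"""

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log posted above.
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}]
2008-04-09 10:40 40960 --a------ C:\WINDOWS\system32\opnkhhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D128440-4084-4378-8F7F-B436788507D5}]
2008-04-09 10:46 287232 --a------ C:\WINDOWS\system32\opnmlmkj.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{25B83FCD-9BB7-4B27-B7EC-C4ED24602603}"= C:\WINDOWS\system32\opnkhhhe.dll [2008-04-09 10:40 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhhhe]
opnkhhhe.dll 2008-04-09 10:40 40960 C:\WINDOWS\system32\opnkhhhe.dll
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z]+)::$")
REG_KEY = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")  # [-KEY] deletes, [KEY] selects
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')     # "name"=- deletes a value (assumed .reg convention)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
BINARY = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)


def parse_cfscript(text):
    """Dry-run a CFScript: return (action, target) tuples; reject anything malformed."""
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (h := SECTION.match(line)):
            section, key = h.group("name").lower(), None
        elif section == "file":
            if not WIN_PATH.match(line):
                raise ValueError(f"File:: entry is not an absolute path: {line}")
            actions.append(("delete_file", line))
        elif section == "registry":
            if (k := REG_KEY.match(line)):
                key = k.group("key")
                actions.append(("delete_key" if k.group("delete") else "select_key", key))
            elif key and (v := REG_VALUE.match(line)):
                kind = "delete_value" if v.group("data") == "-" else "set_value"
                actions.append((kind, key + "\\" + v.group("name")))
            else:
                raise ValueError(f"Malformed Registry:: line: {line}")
        else:
            raise ValueError(f"Line outside a known section: {line}")
    return actions


def parse_loading_points(text):
    """Map each key in a ComboFix 'Reg Loading Points' dump to the binaries listed under it.
    ComboFix's '~' abbreviation in key paths is kept as-is."""
    points, key = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if (k := REG_KEY.match(line)):
            key = k.group("key")
        elif key:
            points[key].update(m.group(0) for m in BINARY.finditer(line))
    return {k: v for k, v in points.items() if v}


def check_coverage(actions, points):
    """Cross-check a script against the dump it was written from.
    Returns (uncovered, still_referenced): binaries under a deleted key that the
    script does not also delete, and other keys that still point at a File:: target."""
    files = {t.lower() for a, t in actions if a == "delete_file"}
    deleted = {t.lower() for a, t in actions if a == "delete_key"}
    uncovered, still = set(), {}
    for key, bins in points.items():
        if key.lower() in deleted:
            uncovered |= {b for b in bins if b.lower() not in files}
        else:
            hits = sorted(b for b in bins if b.lower() in files)
            if hits:
                still[key] = hits
    return sorted(uncovered), still


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for action, target in plan:
        print(f"{action:12} {target}")
    uncovered, still = check_coverage(plan, parse_loading_points(REG_LOADING_POINTS))
    print("not covered by File::", uncovered or "none")
    for key, bins in still.items():
        print("still referenced under", key, "->", bins)
```

Parsing the script before handing it to a tool with this much power is the point of the dry run: a typo in a key path raises an error here instead of being acted on, and the coverage check makes the reasoning behind the script visible, since each deleted BHO key is matched to the DLL it loads.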

#8 dspeed

dspeed
  • Topic Starter

  • Members
  • 10 posts

Posted 24 April 2008 - 08:09 PM

Hi Sam,

Here's the next log....

ComboFix 08-04-22.5 - dspeed 2008-04-24 19:04:32.2 - NTFSx86
Running from: C:\Documents and Settings\dspeed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dspeed\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\opnkhhhe.dll
C:\WINDOWS\system32\opnmlmkj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkmlmnpo.ini
C:\WINDOWS\system32\jkmlmnpo.ini2
C:\WINDOWS\system32\opnkhhhe.dll
C:\WINDOWS\system32\opnmlmkj.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-22 17:36 . 2008-04-22 17:36 <DIR> d-------- C:\VundoFix Backups
2008-04-21 18:11 . 2008-04-21 18:11 <DIR> d-------- C:\Deckard
2008-04-21 14:57 . 2008-04-21 14:57 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-21 14:57 . 2008-04-21 15:02 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-20 18:25 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 18:25 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-20 18:25 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-20 18:19 . 2008-04-21 18:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 12:34 . 2008-04-20 12:34 <DIR> d-------- C:\WINDOWS\system32\Log
2008-04-20 11:08 . 2008-04-20 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-20 09:56 . 2008-04-20 10:44 <DIR> d-------- C:\Documents and Settings\dspeed\Application Data\ICAClient
2008-04-20 09:46 . 2008-04-20 09:46 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-04-20 09:42 . 2008-04-20 09:42 <DIR> d-------- C:\Program Files\Citrix
2008-04-20 09:12 . 2004-08-03 15:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-20 09:11 . 2008-04-20 12:19 <DIR> d-------- C:\Documents and Settings\dspeed
2008-04-20 09:11 . 2008-04-24 20:22 1,024 --ah----- C:\Documents and Settings\dspeed\ntuser.dat.LOG
2008-04-20 04:37 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-20 04:37 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-18 17:25 . 2008-04-18 17:25 <DIR> d-------- C:\WINDOWS\Sun
2008-04-18 17:25 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-18 17:24 . 2008-04-18 17:25 <DIR> d-------- C:\Program Files\Java
2008-04-18 17:24 . 2008-04-18 17:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-18 16:42 . 2008-04-18 16:42 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-18 15:39 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-18 15:39 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-18 15:39 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-18 15:39 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-18 15:28 . 2008-04-18 15:31 <DIR> d-------- C:\Program Files\Nortel Networks
2008-04-18 15:28 . 2004-09-30 13:43 216,459 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2008-04-18 15:28 . 2004-09-30 13:42 38,939 --a------ C:\WINDOWS\system32\eacfilt.dll
2008-04-18 15:28 . 2004-10-08 09:42 32,837 --a------ C:\WINDOWS\system32\exthook.dll
2008-04-18 15:28 . 2004-09-30 13:42 11,113 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2008-04-09 10:30 . 2008-04-20 13:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 10:30 . 2008-04-09 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\iTunes
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\iPod
2008-04-01 20:17 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\Bonjour
2008-04-01 20:16 . 2008-04-01 20:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-01 20:16 . 2008-04-01 20:17 <DIR> d-------- C:\Program Files\QuickTime
2008-04-01 20:16 . 2008-04-01 20:16 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-01 20:16 . 2008-04-01 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-01 20:15 . 2008-04-01 20:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-01 20:15 . 2008-04-01 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-30 11:22 . 2008-03-30 11:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-30 10:54 . 2005-10-20 18:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-30 10:54 . 2005-10-20 18:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-30 10:53 . 2008-03-30 10:53 <DIR> d-------- C:\Program Files\Touch by HTC User Guide
2008-03-25 15:38 . 2008-04-18 16:43 <DIR> d-------- C:\Program Files\Common Files\System Doctor
2008-03-25 15:38 . 2008-04-18 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-03-25 15:38 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-25 15:38 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-25 15:38 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-25 15:38 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-25 11:28 . 2008-04-18 15:55 <DIR> d-------- C:\Program Files\MalwareAlarm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 01:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-18 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-18 22:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 08:32 --------- d-----w C:\Program Files\CONEXANT
2008-03-18 07:33 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-18 05:27 --------- d-----w C:\Program Files\Burn and Go X
2008-03-18 05:20 --------- d-----w C:\Program Files\Common Files\New Boundary
2008-03-18 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prism Deploy
2008-03-18 05:03 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-18 04:48 --------- d-----w C:\Program Files\ATI Technologies
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_21.10.37.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 03:42:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 03:07:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 22:05 344064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 14:19 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhhhe]
opnkhhhe.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 03:16:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 20:16:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wbem\mof.xsl 9261 bytes
C:\WINDOWS\system32\wbem\mofcomp.exe 16384 bytes executable
C:\WINDOWS\system32\wbem\mofd.dll 123904 bytes executable
C:\WINDOWS\system32\wbem\msi.mfl 108452 bytes
C:\WINDOWS\system32\wbem\msi.mof 165430 bytes
C:\WINDOWS\system32\wbem\msiprov.dll 273920 bytes executable
C:\WINDOWS\system32\wbem\ncprov.dll 47104 bytes executable
C:\WINDOWS\system32\wbem\ncprov.mfl 626 bytes
C:\WINDOWS\system32\wbem\ncprov.mof 2880 bytes
C:\WINDOWS\system32\wbem\ntevt.dll 212992 bytes executable
C:\WINDOWS\system32\wbem\ntevt.mfl 20544 bytes
C:\WINDOWS\system32\wbem\ntevt.mof 29762 bytes
C:\WINDOWS\system32\wbem\Performance
C:\WINDOWS\system32\wbem\Performance\WmiApRpl.h 738 bytes
C:\WINDOWS\system32\wbem\Performance\WmiApRpl.ini 3824 bytes
C:\WINDOWS\system32\wbem\policman.dll 92672 bytes executable
C:\WINDOWS\system32\wbem\policman.mfl 4900 bytes
C:\WINDOWS\system32\wbem\policman.mof 12150 bytes
C:\WINDOWS\system32\wbem\provthrd.dll 237056 bytes executable
C:\WINDOWS\system32\wbem\rawxml.xsl 623 bytes
C:\WINDOWS\system32\wbem\regevent.mfl 38578 bytes
C:\WINDOWS\system32\wbem\textvaluelist.xsl 2766 bytes
C:\WINDOWS\system32\wbem\tmplprov.dll 61952 bytes executable
C:\WINDOWS\system32\wbem\tmplprov.mfl 7894 bytes
C:\WINDOWS\system32\wbem\tmplprov.mof 12144 bytes
C:\WINDOWS\system32\wbem\trnsprov.dll 59904 bytes executable
C:\WINDOWS\system32\wbem\trnsprov.mfl 2026 bytes
C:\WINDOWS\system32\wbem\trnsprov.mof 4998 bytes
C:\WINDOWS\system32\wbem\tscfgwmi.mfl 58096 bytes
C:\WINDOWS\system32\wbem\tscfgwmi.mof 99750 bytes
C:\WINDOWS\system32\wbem\unsecapp.exe 16896 bytes executable
C:\WINDOWS\system32\wbem\updprov.dll 116224 bytes executable
C:\WINDOWS\system32\wbem\updprov.mfl 13488 bytes
C:\WINDOWS\system32\wbem\updprov.mof 20720 bytes
C:\WINDOWS\system32\wbem\viewprov.dll 131584 bytes executable
C:\WINDOWS\system32\wbem\wbemads.dll 12288 bytes executable
C:\WINDOWS\system32\wbem\wbemads.tlb 31232 bytes executable
C:\WINDOWS\system32\wbem\wmiapsrv.exe 126464 bytes executable
C:\WINDOWS\system32\wbem\wmic.exe 358912 bytes executable
C:\WINDOWS\system32\wbem\wmiclimofformat.xsl 9442 bytes
C:\WINDOWS\system32\wbem\wmiclitableformat.xsl 3247 bytes
C:\WINDOWS\system32\wbem\wmiclitableformatnosys.xsl 3921 bytes
C:\WINDOWS\system32\wbem\wmiclivalueformat.xsl 485 bytes
C:\WINDOWS\system32\wbem\wmicookr.dll 60928 bytes executable
C:\WINDOWS\system32\wbem\wmidcprv.dll 140800 bytes executable
C:\WINDOWS\system32\wbem\wmimsg.dll 61440 bytes executable
C:\WINDOWS\system32\wbem\wmipcima.dll 156672 bytes executable
C:\WINDOWS\system32\wbem\wmipcima.mfl 28846 bytes
C:\WINDOWS\system32\wbem\wmipcima.mof 41402 bytes
C:\WINDOWS\system32\wbem\wmipdskq.dll 132096 bytes executable
C:\WINDOWS\system32\wbem\licwmi.mof 15586 bytes
C:\WINDOWS\system32\wbem\Logs
C:\WINDOWS\system32\wbem\Logs\FrameWork.log 15416 bytes
C:\WINDOWS\system32\wbem\Logs\FrameWork.lo_ 65536 bytes
C:\WINDOWS\system32\wbem\Logs\mofcomp.log 10831 bytes
C:\WINDOWS\system32\wbem\Logs\replog.log 400 bytes
C:\WINDOWS\system32\wbem\Logs\setup.log 4961 bytes
C:\WINDOWS\system32\wbem\Logs\wbemcore.log 142 bytes
C:\WINDOWS\system32\wbem\Logs\wbemess.log 64238 bytes
C:\WINDOWS\system32\wbem\Logs\wbemess.lo_ 65616 bytes
C:\WINDOWS\system32\wbem\Logs\wbemprox.log 33770 bytes
C:\WINDOWS\system32\wbem\Logs\wbemprox.lo_ 65604 bytes
C:\WINDOWS\system32\wbem\Logs\WinMgmt.log 94 bytes
C:\WINDOWS\system32\wbem\Logs\wmiadap.log 2999 bytes
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 24529 bytes

scan completed successfully
hidden files: 65

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-24 21:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 03:56:59
ComboFix2.txt 2008-04-24 04:45:49

Pre-Run: 69,572,440,064 bytes free
Post-Run: 69,561,671,680 bytes free

210 --- E O F --- 2008-04-24 10:19:21

#9 Buckeye_Sam (Malware Expert)

Posted 25 April 2008 - 03:08 AM

There is a file in your log that I'd like to get some more info on.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    C:\WINDOWS\DCEBoot.exe

  • Click on the submit button
  • Please post the results in your next reply.

Also post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 dspeed (Topic Starter)

Posted 25 April 2008 - 06:04 AM

File: DCEBoot.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 418b55d63e00d953a1532a831308574e
Packers detected: -
Bit9 reports: Not analyzed yet

Scanner results
Scan taken on 25 Apr 2008 10:57:42 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#11 dspeed (Topic Starter)

Posted 25 April 2008 - 06:12 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:49 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1659004503-73586283-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.goodle.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208558763734
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: opnkhhhe - opnkhhhe.dll (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5567 bytes

#12 Buckeye_Sam (Malware Expert)

Posted 25 April 2008 - 07:42 AM

Fix this line with HijackThis.

O20 - Winlogon Notify: opnkhhhe - opnkhhhe.dll (file missing)


Otherwise your log looks good.
How are things on your end? Any problems?
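As an added triage helper (not the thread's own code, and not part of HijackThis or ComboFix): a small Python parser that pulls the O20 Winlogon Notify entries out of a HijackThis log, marks the ones whose DLL is reported missing, and derives the Notify registry key (the same key the ComboFix log above lists for opnkhhhe) so the entry can be verified before it is removed. The sample lines are copied from the log posted above; the NotifyFinding fields and the key prefix are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# One HijackThis entry line, e.g. "O20 - Winlogon Notify: opnkhhhe - opnkhhhe.dll (file missing)"
HJT_ENTRY = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")

# Winlogon Notify packages are registered under this key; the ComboFix log in this
# thread shows the same entry as ...\winlogon\notify\opnkhhhe (assumed prefix).
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample: three lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O20 - Winlogon Notify: opnkhhhe - opnkhhhe.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""


@dataclass
class NotifyFinding:
    name: str           # subkey name under Winlogon\Notify
    dll: str            # DLL the entry would load into winlogon.exe at logon
    file_missing: bool  # True when HijackThis could not find the DLL on disk
    registry_key: str   # key to inspect (and delete) when the entry is orphaned


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every entry line; headers and process lists are skipped."""
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def winlogon_notify_findings(log_text: str) -> List[NotifyFinding]:
    """Return every O20 Winlogon Notify entry with the registry key that backs it.

    An entry whose DLL is missing is a dangling autostart hook: the payload is gone
    but the key still asks winlogon.exe to load it, which is why the helper says fix it.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section != "O20" or not body.startswith("Winlogon Notify:"):
            continue
        rest = body[len("Winlogon Notify:"):].strip()  # "<name> - <dll> [(file missing)]"
        name, _, target = rest.partition(" - ")
        missing = target.endswith("(file missing)")
        dll = target.replace("(file missing)", "").strip()
        findings.append(NotifyFinding(name, dll, missing, NOTIFY_KEY + "\\" + name))
    return findings


if __name__ == "__main__":
    for f in winlogon_notify_findings(SAMPLE_LOG):
        status = "orphaned (file missing)" if f.file_missing else "present"
        print(f"{f.name}: {f.dll} {status} -> check {f.registry_key}")
```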

#13 dspeed (Topic Starter)

Posted 25 April 2008 - 06:08 PM

Sam,

I see no problems like popups and things virus-obvious...but it runs extremely slow. Thank you very much for helping remove the virus(s)!

#14 dspeed (Topic Starter)

Posted 25 April 2008 - 06:42 PM

Ok well, on reboot to see if it would run faster, I got this before Windows started....

SMART Failure Predicted on Hard Disk 0: HTS541010G9AT00-(PM)

WARNING: Immediately back-up your data and replace your hard drive. A failure may be imminent.

Press F1 to Continue.

#15 Buckeye_Sam (Malware Expert)

Posted 26 April 2008 - 02:03 AM

I would definitely back up your data and save everything that you can not afford to lose. From my experience this does mean that your drive is likely to fail. It could happen tomorrow, or it may not happen for months. But it is very likely that it will happen.

You may want to post into the hardware forum here for some more specific info.
http://www.bleepingcomputer.com/forums/ind...&s=&f=7