Trojan Horse Generic 10


This topic is locked
1 reply to this topic

#1 tigerpolk (Members, 1 post)

Posted 13 June 2008 - 10:03 PM

Hello,

Hopefully I am posting this in the right area. I know it is pretty important to do so. This is my situation:

I was having a problem with Spybot removing about 57 issues. Periodically (getting more and more frequent, however), Ad-Aware would pop up with an infected file. It seemed to show the same files over and over. The files were virtumonde.dll, vundo.n, and something with .aspx or something. Sorry, I didn't make note of it. Other things that I noticed were that the clock changed to military time and had "Virus Alert!" next to it. Many of my desktop icons were removed and my start menu setup was changed (shortcuts to Run, Search, Control Panel, My Pictures, My Documents, My Computer, My Music, and a few others were missing).

Anyway, I found a post (the link to the post is http://www.bleepingcomputer.com/forums/topic145291.html) whose advice I began following. This is what I did, step by step:

1. After determining that AVG, Ad-Aware, and Spybot weren't taking care of the problem (they also weren't updating properly), I uninstalled all of those programs and turned off my System Restore.
2. I uninstalled all of the Java updates from the Add/Remove list.
3. I ran disk cleanup and the defragmenter.
4. I cleaned the cache, cookies, recycle bin, and internet files for internet explorer.
5. I downloaded and used Malwarebytes' Anti-Malware. I did the quick scan and cleaned infections found (22 total). I then ran the full scan where another 5 infections were found and cleaned.
6. I downloaded Combofix along with Windows XP Recovery Console, and followed all of the directions shown here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
7. Upon receiving the Combofix log, I redownloaded and updated AVG, Ad-Aware, and Spybot.
8. After posting this, I plan on finding and reinstalling all of the Java stuff.

I've noticed everything has been going back to normal after step 5. My main goal of this post is to see if all of the steps worked completely. Below I posted the ComboFix log and would like to see if the experts have any further recommendations. For example, do I need to run HijackThis, DSS, or Kaspersky Online Scanner?

ComboFix 08-06-12.2 - 2008-06-13 18:57:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.481 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outlook
C:\Program Files\winupdates
C:\WINDOWS\Fonts\CALIBRIB.TTF
C:\WINDOWS\system32\aHkmoUtv.ini
C:\WINDOWS\system32\aHkmoUtv.ini2
C:\WINDOWS\system32\efsjtenu.ini
C:\WINDOWS\system32\gqpyogqs.ini
C:\WINDOWS\system32\tsnpebop.ini
C:\WINDOWS\system32\uDLkmnnn.ini
C:\WINDOWS\system32\uDLkmnnn.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-13 17:36 . 2008-06-13 17:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 17:36 . 2008-06-13 17:36 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Malwarebytes
2008-06-13 17:36 . 2008-06-13 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 17:36 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 17:36 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 17:16 . 2008-06-13 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-08 22:29 . 2008-06-08 22:29 320,256 --------- C:\WINDOWS\system32\pmnmnkJA.dll_old
2008-06-08 21:29 . 2008-06-08 21:29 320,256 --------- C:\WINDOWS\system32\jkkLFvSi.dll_old
2008-06-08 15:29 . 2008-06-08 15:29 320,256 --------- C:\WINDOWS\system32\ssqQjJYq.dll_old
2008-06-08 14:29 . 2008-06-08 14:29 320,256 --------- C:\WINDOWS\system32\opnmjIyY.dll_old
2008-06-08 13:28 . 2008-06-08 13:28 320,256 --------- C:\WINDOWS\system32\rqRLcBRk.dll_old
2008-06-07 22:55 . 2008-06-07 22:55 320,768 --------- C:\WINDOWS\system32\khfDvwWm.dll_old
2008-06-07 20:55 . 2008-06-07 20:55 320,768 --------- C:\WINDOWS\system32\iifdeBuU.dll_old
2008-06-07 19:55 . 2008-06-07 19:55 320,768 --------- C:\WINDOWS\system32\opnKBTlk.dll_old
2008-06-07 18:55 . 2008-06-07 18:55 320,768 --------- C:\WINDOWS\system32\jkkKbXqO.dll_old
2008-06-07 17:55 . 2008-06-07 17:55 320,768 --------- C:\WINDOWS\system32\tuvSkLBS.dll_old
2008-06-07 16:55 . 2008-06-07 16:55 320,768 --------- C:\WINDOWS\system32\jkklmKeE.dll_old
2008-06-07 13:55 . 2008-06-07 13:55 320,768 --------- C:\WINDOWS\system32\hgGvvtut.dll_old
2008-06-07 11:55 . 2008-06-07 11:55 320,768 --------- C:\WINDOWS\system32\mlJBSjGV.dll_old
2008-06-07 10:55 . 2008-06-07 10:55 320,768 --------- C:\WINDOWS\system32\ljJArrpn.dll_old
2008-06-05 09:32 . 2008-06-05 09:33 324,864 --------- C:\WINDOWS\system32\pmnnNfFy.dll_old
2008-05-25 12:49 . 2008-05-25 14:20 94 --a------ C:\WINDOWS\MusicRip.ini
2008-05-25 12:49 . 2008-05-25 12:49 20 --ahs---- C:\ArcDeviceInfo
2008-05-25 12:47 . 2008-05-25 12:48 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\ArcSoft
2008-05-25 12:45 . 2008-05-25 12:45 <DIR> d-------- C:\Program Files\INITIO
2008-05-25 12:45 . 2004-05-10 00:59 13,696 --a------ C:\WINDOWS\system32\drivers\inigpio.sys
2008-05-25 12:45 . 2005-04-26 19:38 4,736 --a------ C:\WINDOWS\system32\drivers\UsbFi2K.sys
2008-05-25 12:42 . 2008-05-25 12:42 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-05-25 12:42 . 2008-05-25 12:42 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-25 12:42 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-25 12:42 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 22:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 22:21 --------- d-----w C:\Program Files\Java
2008-06-13 22:14 --------- d-----w C:\Documents and Settings\Jason\Application Data\Lavasoft
2008-05-25 17:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 01:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-03 22:45 --------- d-----w C:\Documents and Settings\Jason\Application Data\SolidWorks
2008-05-02 00:53 --------- d-----w C:\Documents and Settings\Jason\Application Data\U3
2008-05-01 03:34 --------- d-----w C:\Program Files\iTunes
2008-05-01 03:34 --------- d-----w C:\Program Files\iPod
2008-05-01 03:32 --------- d-----w C:\Program Files\QuickTime
2008-05-01 03:26 --------- d-----w C:\Program Files\Safari
2008-04-26 15:20 --------- d-----w C:\Program Files\Apple Software Update
2007-04-07 18:30 5,037,072 -c--a-w C:\Program Files\Spybot 1.4.exe
2006-04-06 05:15 88,576 ---ha-w C:\Documents and Settings\Jason\Application Data\rbap550.dll
2006-04-06 05:15 74,240 ---ha-w C:\Documents and Settings\Jason\Application Data\rbqt550.DLL
2006-04-06 05:15 59,392 ---ha-w C:\Documents and Settings\Jason\Application Data\MBSQTImporterPlugin8680.dll
2006-04-06 05:15 48,640 ---ha-w C:\Documents and Settings\Jason\Application Data\eSelleratePlugin.DLL
2006-04-06 05:15 44,032 ---ha-w C:\Documents and Settings\Jason\Application Data\MBSMainPlugin8841.dll
2006-04-06 05:15 38,912 ---ha-w C:\Documents and Settings\Jason\Application Data\RBShell550.dll
2006-04-06 05:15 35,840 ---ha-w C:\Documents and Settings\Jason\Application Data\MBSFolderitemsPlugin8606.dll
2006-04-06 05:15 29,184 ---ha-w C:\Documents and Settings\Jason\Application Data\RBInternetEncodings550.dll
2006-04-06 05:15 27,136 ---ha-w C:\Documents and Settings\Jason\Application Data\MBSMacTTPlugin8835.dll
2006-04-06 05:15 26,624 ---ha-w C:\Documents and Settings\Jason\Application Data\MBSRegistrationPlugin8816.dll
2005-05-26 19:35 1,422 ----a-w C:\Program Files\ReadMe.txt
2007-11-30 18:17 0 --sha-w C:\WINDOWS\ms.config`.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45426B22-DA3D-40C6-8DA2-8F81A36989C6}]
C:\WINDOWS\system32\vtUomkHa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CE6C453-39C6-4300-ADAB-645510D6934E}]
C:\WINDOWS\system32\nnnmkLDu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93630049-A6E2-4C88-8F61-DC8313F8CA09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D708B23A-8C56-442F-9FD7-6237FC253E46}]
C:\WINDOWS\boqnrwdmsvr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-18 16:24 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 18:24 684032]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 07:49 86100]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-21 00:11 26112]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Button Manager v1.836.lnk - C:\Program Files\INITIO\Button Manager v1.836\inihid.exe [2008-05-25 12:45:36 192512]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-28 21:09:44 24576]
TotalMedia Backup Monitor.lnk - C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-05-25 12:42:40 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJyxYo]
jkkJyxYo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hnU53.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqW30.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S0 hnU53;hnU53;C:\WINDOWS\system32\Drivers\hnU53.sys []
S0 jqW30;jqW30;C:\WINDOWS\system32\Drivers\jqW30.sys []
S3 WCG200V2XP;Linksys WCG200 ver. 2 Wireless-G Cable Gateway;C:\WINDOWS\system32\DRIVERS\WCG200V2XP.sys [2004-07-06 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b9a6b26-0a79-11dd-8e45-0013cee8e6ea}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 01:38:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 19:03:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MATLAB6p1\bin\win32\matlab.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\SoftwareDistribution\Download\339908b7528b426712407aa3c98876a1\update\update.exe
.
**************************************************************************
.
Completion time: 2008-06-13 19:09:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 00:09:27

Pre-Run: 27,537,637,376 bytes free
Post-Run: 27,528,974,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

215 --- E O F --- 2008-06-02 02:47:09



Thank You,
tigerpolk
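The log in the post above shows the persistence set that Ad-Aware was naming as Virtumonde/Vundo: four Browser Helper Object CLSIDs, two of them pointing at 8-letter mixed-case DLLs in system32 (vtUomkHa.dll, nnnmkLDu.dll) and one at a DLL dropped straight into %windir% (boqnrwdmsvr.dll); a Winlogon\Notify package registered with only a bare file name (jkkJyxYo.dll) where the legitimate IntelWireless entry carries a full path; and two SafeBoot\Minimal driver entries (hnU53.sys, jqW30.sys) whose S0 service lines end in "[]", meaning ComboFix found no file at the listed path. The script below is an added example for this thread, not ComboFix's code and not anything the poster ran: it parses those blocks (copied from the log as a constructed sample) and flags each indicator. The "random 8-letter name" rule and the other thresholds are assumptions made for this example, not ComboFix rules, and can false-positive on a legitimate 8-letter DLL name.

```python
"""Heuristic triage of the 'Reg Loading Points' and driver lines of a
ComboFix log for the Vundo/Virtumonde persistence pattern seen in this
thread. Added example; not ComboFix code. The 'random 8-letter name'
rule is an assumption made here and can false-positive on real DLLs."""
import re
from dataclasses import dataclass

# Constructed sample input: relevant blocks copied from the log posted in
# this thread. Real use would read the whole ComboFix.txt instead.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45426B22-DA3D-40C6-8DA2-8F81A36989C6}]
C:\WINDOWS\system32\vtUomkHa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CE6C453-39C6-4300-ADAB-645510D6934E}]
C:\WINDOWS\system32\nnnmkLDu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93630049-A6E2-4C88-8F61-DC8313F8CA09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D708B23A-8C56-442F-9FD7-6237FC253E46}]
C:\WINDOWS\boqnrwdmsvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkJyxYo]
jkkJyxYo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hnU53.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqW30.sys]
@="Driver"

S0 hnU53;hnU53;C:\WINDOWS\system32\Drivers\hnU53.sys []
S0 jqW30;jqW30;C:\WINDOWS\system32\Drivers\jqW30.sys []
S3 WCG200V2XP;Linksys WCG200 ver. 2 Wireless-G Cable Gateway;C:\WINDOWS\system32\DRIVERS\WCG200V2XP.sys [2004-07-06 03:06]
"""

RANDOM_8 = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")  # e.g. vtUomkHa
BHO_KEY = re.compile(r"^\[.*\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]$")
NOTIFY_KEY = re.compile(r"^\[.*\\winlogon\\notify\\([^\]\\]+)\]$", re.I)
SAFEBOOT_KEY = re.compile(r"^\[.*\\SafeBoot\\Minimal\\([^\]\\]+)\]$", re.I)
# ComboFix service line "S0 name;display;path [file stamp]"; "[]" = file not found
SERVICE = re.compile(r"^S\d+ (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")


@dataclass
class Finding:
    kind: str    # short indicator label
    key: str     # CLSID, Notify subkey or service name it applies to
    detail: str  # path or explanation


def _blocks(text: str):
    """Yield the log as lists of non-blank lines separated by blank lines."""
    block = []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            yield block
            block = []
    if block:
        yield block


def triage(text: str) -> list:
    findings, safeboot, missing = [], set(), {}
    for block in _blocks(text):
        head, body = block[0], block[1:]
        if m := BHO_KEY.match(head):
            clsid = m.group(1)
            if not body:
                findings.append(Finding("bho-no-dll", clsid, "no server DLL listed (stale or already removed)"))
                continue
            dll = body[0]
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_8.match(stem):
                findings.append(Finding("bho-random-dll", clsid, dll))
            elif dll.lower().startswith("c:\\windows\\") and dll.count("\\") == 2:
                findings.append(Finding("bho-windir-dll", clsid, dll))  # dropped straight into %windir%
        elif m := NOTIFY_KEY.match(head):
            # Legitimate entries carry a full path (plus ComboFix's file stamp); a bare
            # file name resolves from system32, which is how Vundo registers its Notify DLL.
            if body and "\\" not in body[0]:
                findings.append(Finding("notify-bare-dll", m.group(1), body[0]))
        elif m := SAFEBOOT_KEY.match(head):
            safeboot.add(m.group(1).lower())
        else:
            for line in block:
                if (s := SERVICE.match(line)) and not s.group("stamp").strip():
                    missing[s.group("name")] = s.group("path")
    for name, path in sorted(missing.items()):
        # A boot-start driver whose file is missing AND which is whitelisted for
        # Safe Mode is the pattern worth a second look (hidden or already-removed component).
        kind = "driver-missing-file+safeboot" if f"{name}.sys".lower() in safeboot else "driver-missing-file"
        findings.append(Finding(kind, name, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.key:40} {f.detail}")
```

Running it against the sample flags seven entries and leaves the IntelWireless Notify package and the Linksys driver alone; the orphan BHO CLSID is reported separately because an empty entry usually means the component was already removed and only the registration is left.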


#2 TMacK (Members, 4,672 posts, B.C. Canada)

Posted 13 June 2008 - 10:25 PM

Hello tigerpolk,

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic in the Am I infected? What do I do? forum, explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff/TMacK
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



