
Have I Got A Virus Or Spyware


15 replies to this topic

#1 maxHyper

  • Members
  • 35 posts

Posted 18 June 2008 - 01:27 AM

Hi

When Internet Explorer opens, multiple tabs open as well, and I am not able to set the home page. I can see no indication as to what infection it is; please find the HJT logs below.

Edited: The description has changed; now IE7 opens and immediately wants to shut down.

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05:09, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Administrator\My Documents\jre-6u6-windows-i586-p-s.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/ConnectComputer/nshelp.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5066 bytes

Edited by maxHyper, 18 June 2008 - 08:08 AM.




#2 Guest_Cretemonster_*

  • Guests

Posted 19 June 2008 - 06:38 AM

Hi and Welcome to the forums.

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 19 June 2008 - 07:59 AM

Hi

Thanks for your reply; please find the HijackThis logs below and the ComboFix logs attached. Thank you!!!!

Jason

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:55:45, on 19/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/ConnectComputer/nshelp.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4375 bytes


#4 Guest_Cretemonster_*

  • Guests

Posted 20 June 2008 - 12:37 PM

Errrr.... got a bugger that doesn't want to budge; let's try another tool for this.

Use the link below to download, install and run SDFix in Safe Mode.
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Once it's completed, post that log please. After posting that log, scan fresh with ComboFix and post its resulting log in a separate post please.

#5 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 20 June 2008 - 01:10 PM

Hi

Please find the SDFix log below; running ComboFix now.


SDFix: Version 1.195
Run by Administrator on 20/06/2008 at 18:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\230.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ntos.exe - Deleted
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 19:05:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\MSACCESS.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\MSACCESS.EXE:*:Enabled:Microsoft Office Access"
"C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE:*:Enabled:Microsoft Office Excel"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:VNC Server Free Edition for Win32"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 30 Jun 2007 246,597 A..H. --- "C:\WINDOWS\PE_LOG.TXT.BAK"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0089cd1ec7c03d0a52caa6b6ea801507\BIT3.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT6.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT4.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT8.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT7.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT9.tmp"
Mon 17 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT5.tmp"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT8.tmp"
Mon 16 Jun 2008 65,536 A..H. --- "C:\Documents and Settings\Administrator.OCEANTRAILERS.000\Local Settings\Application Data\Microsoft\Outlook\~outlook.ost.tmp"

Finished!

#6 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 20 June 2008 - 01:15 PM

ComboFix Log

ComboFix 08-06-16.5 - Administrator 2008-06-20 19:11:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.601 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 18:48 . 2008-06-20 18:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-20 18:43 . 2008-06-20 19:06 <DIR> d-------- C:\SDFix
2008-06-18 14:04 . 2008-06-18 14:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 13:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-18 13:50 . 2008-06-18 13:51 <DIR> d-------- C:\Program Files\Java
2008-06-18 13:50 . 2008-06-18 13:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-18 11:47 . 2008-06-18 11:47 0 --a------ C:\WINDOWS\VPC32.INI
2008-06-16 12:40 . 2008-06-16 12:40 <DIR> d-------- C:\Documents and Settings\TLopeman_older
2008-06-16 11:01 . 2008-04-23 05:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-16 11:01 . 2007-04-17 10:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 11:01 . 2007-03-08 06:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 11:01 . 2008-04-23 05:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-16 11:01 . 2008-04-23 05:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-16 11:01 . 2008-04-23 05:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-16 11:01 . 2008-04-23 05:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-16 11:01 . 2008-04-23 05:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-16 11:01 . 2008-04-22 08:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-16 10:47 . 2008-06-16 10:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-16 10:46 . 2008-04-14 05:42 294,912 --------- C:\WINDOWS\system32\dllcache\dlimport.exe
2008-06-16 10:42 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003156_.tmp
2008-06-16 08:26 . 2008-06-16 08:26 <DIR> d-------- C:\8da4821dc93e4cbaff79b8c38694
2008-06-16 08:17 . 2008-06-16 08:17 <DIR> d---s---- C:\Documents and Settings\Administrator.OCEANTRAILERS.000\UserData
2008-06-11 09:57 . 2008-06-11 09:57 <DIR> d-------- C:\5700
2008-06-11 09:36 . 2008-06-11 09:37 <DIR> d-------- C:\TEMP\FixEngine
2008-06-11 08:58 . 2008-04-14 13:30 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:58 . 2008-04-14 13:30 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 08:58 . 2008-05-08 15:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-20 12:57 . 2008-05-20 12:57 <DIR> d---s---- C:\Documents and Settings\TLopeman\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 11:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-16 11:12 --------- d-----w C:\Program Files\Microsoft Works
2008-05-19 12:41 --------- d-----w C:\Documents and Settings\TLopeman\Application Data\AdobeUM
2008-05-19 10:03 --------- d-----w C:\Program Files\HP
2008-05-19 09:49 --------- d-----w C:\Documents and Settings\TLopeman\Application Data\Windows Desktop Search
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 04:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 04:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\system32\dllcache\drmclien.dll
2008-04-14 04:43 2,109,440 ----a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll
2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 23:54 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 23:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 23:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 23:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 23:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 23:01 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 23:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 22:45 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 22:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 22:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 22:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 22:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 22:07 208,384 ----a-w C:\WINDOWS\system32\dllcache\rsaenh.dll
2008-04-13 22:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 21:58 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 21:58 2,940,928 ----a-w C:\WINDOWS\system32\dllcache\wmploc.dll
2008-04-13 21:57 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 21:57 79,872 ------w C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-04-13 21:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 21:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 21:53 8,192 ----a-w C:\WINDOWS\system32\dllcache\asferror.dll
2008-04-13 21:53 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 21:53 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 21:53 168,448 ----a-w C:\WINDOWS\system32\dllcache\wmerror.dll
2008-04-13 21:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 21:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 21:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 21:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 21:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 21:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 20:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 20:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 20:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-19_13.51.06.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 12:41:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 18:02:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 10:55:10 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-20 17:49:11 1,007,616 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-20 17:49:11 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-20 10:55:10 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-20 17:49:01 1,007,616 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-20 17:49:02 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-19 12:41:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-20 17:48:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-19 12:41:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-20 17:48:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-19 12:41:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-20 17:48:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-14 04:42:02 413,696 ----a-w C:\WINDOWS\system32\dllcache\msvcp60.dll
+ 2008-04-14 04:42:10 578,560 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
+ 2008-04-14 04:42:10 18,944 ----a-w C:\WINDOWS\system32\dllcache\wbemprox.dll
+ 2008-04-14 04:42:10 95,232 ----a-w C:\WINDOWS\system32\dllcache\wmiutils.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 09:34 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 09:34 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 09:33 131072]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 13:54 16248320 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 VPREMOTE;VPRemote Install Bootstrap Service;C:\TEMP\Clt-Inst\vpremote.exe [2002-07-30 09:34]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 19:12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-06-20 19:13:30
ComboFix-quarantined-files.txt 2008-06-20 18:13:27
ComboFix2.txt 2008-06-19 12:52:26

Pre-Run: 67,452,743,680 bytes free
Post-Run: 67,426,750,464 bytes free

179 --- E O F --- 2008-06-16 10:55:19
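The two findings this thread turns on, the extra program in the HijackThis F2 UserInit line (post #1) and the Security Center / firewall entries in the ComboFix "Reg Loading Points" section above, can be picked out of the logs mechanically. The Python below is an added example written for this page, not code from HijackThis, SDFix, ComboFix or the thread's participants; the sample lines are copied from the posted logs, and the flagging rules (extra UserInit programs, service binaries under a Temp directory, Security Center override and firewall-off values) are my own heuristics.

```python
"""Triage checks over HijackThis and ComboFix log lines (added example)."""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" = act on it, "review" = confirm by hand
    source: str    # the log line that triggered the finding
    reason: str


# Winlogon starts every comma-separated program listed in the UserInit value
# at each logon; a clean Windows XP value names only userinit.exe.
EXPECTED_USERINIT = {"userinit.exe"}

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\.*?\.exe)\s*$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# ComboFix "Reg Loading Points" lines: [key] headers and "name"=value rows.
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+))')
# Lower-cased value names and the data that weakens host defences (my heuristic).
WEAK_SETTINGS = {
    "antivirusoverride": 1,  # Security Center stops reporting AV state
    "firewalloverride": 1,   # Security Center stops reporting firewall state
    "enablefirewall": 0,     # Windows Firewall off for this profile
}

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe",
    r"O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe",
]
SAMPLE_COMBOFIX = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=dword:00000001',
    '"FirewallOverride"=dword:00000001',
    "",
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    '"EnableFirewall"= 0 (0x0)',
]


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def unexpected_userinit(value: str) -> List[str]:
    """Return each UserInit entry that is not the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if basename(e) not in EXPECTED_USERINIT]


def triage_hijackthis(lines: Iterable[str]) -> List[Finding]:
    """Flag UserInit hijacks and services whose binary lives under a Temp directory."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        m = F2_USERINIT.match(line)
        if m:
            for extra in unexpected_userinit(m.group("value")):
                findings.append(Finding("high", line, f"extra UserInit program: {extra}"))
            continue
        m = O23_SERVICE.match(line)
        if m and TEMP_DIR.search(m.group("path")):
            findings.append(Finding("review", line, f"service binary under a Temp directory: {m.group('path')}"))
    return findings


def triage_combofix_registry(lines: Iterable[str]) -> List[Finding]:
    """Flag registry values in the ComboFix dump that disable or silence host defences."""
    findings: List[Finding] = []
    key = ""
    for line in lines:
        line = line.rstrip()
        km = REG_KEY.match(line)
        if km:
            key = km.group("key")  # remember which key the following values belong to
            continue
        vm = REG_VALUE.match(line)
        if not vm:
            continue  # string values such as Run entries are not checked here
        name = vm.group("name").lower()
        data = int(vm.group("hex"), 16) if vm.group("hex") else int(vm.group("dec"))
        if name in WEAK_SETTINGS and data == WEAK_SETTINGS[name]:
            findings.append(Finding("review", line, f"{vm.group('name')}={data} under {key}"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT) + triage_combofix_registry(SAMPLE_COMBOFIX):
        print(f"[{f.severity}] {f.reason}")
```

On the thread's own lines this reports ntos.exe as an extra UserInit program (the file SDFix later deletes), the VPREMOTE service binary under C:\TEMP for manual confirmation, and the three Security Center / firewall values.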

#7 Guest_Cretemonster_*

  • Guests

Posted 22 June 2008 - 09:52 AM

Before we can go much further, I want to be sure you have a means to reinstall your Symantec product if it's needed.

The reason I'm asking is that this machine has what's called the Master Boot Record Rootkit, and when we fix it, it's possible that one or more Symantec products will not function properly and will possibly need reinstalling.

Let me know, please.

#8 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 22 June 2008 - 04:29 PM

Yes, I can re-install, or I may install avast!

#9 Guest_Cretemonster_*

  • Guests

Posted 24 June 2008 - 04:44 AM

Sounds like a plan to me... download Gmer from Here.

Fully unzip the archive, then double-click on gmer.exe to launch the application.

As soon as it's loaded up, you're gonna see the gmer screen fill with some text. At the top, you will see text in red font; right-click only that, select "Restore" and follow the prompts.

Reboot the machine and run gmer one more time. Let it load up, and this time you should see some text but not the red text.

Now, right-click inside the gmer window, select "Only non MS files" and then click Scan; it's not a real long scan.

Once completed, click "Save" and save the results somewhere convenient, then post those results back here; possibly attach the log to the post if it's real large.

#10 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 24 June 2008 - 10:49 AM

Hi

As requested, please find the gmer logs attached.

Jason

Attached File: gmer.log (232.98KB)


#11 Guest_Cretemonster_*

  • Guests

Posted 26 June 2008 - 02:19 AM

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.


#12 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 26 June 2008 - 04:09 AM

DrWeb report below:

ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.51;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0000068.EXE;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP2;Program.PsExec.170;;
A0000094.bat;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP2;Probably SCRIPT.Virus;;
A0000193.bat;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP2;Probably SCRIPT.Virus;;
A0000236.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP4\A0000236.exe;Probably SCRIPT.Virus;;
A0000236.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP4\A0000236.exe;Program.PsExec.171;;
A0000236.exe;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP4;Archive contains infected objects;Moved.;
A0000237.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP4\A0000237.exe;Tool.Prockill;;
A0000237.exe;C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP4;Archive contains infected objects;Moved.;

Edited by maxHyper, 26 June 2008 - 04:10 AM.


#13 Guest_Cretemonster_*

  • Guests

Posted 26 June 2008 - 04:16 AM

OK, now we are looking better. You mentioned installing another AV; I have been tinkering with the trial version of Avast Pro and I must say, I'm impressed with its overall performance, so I think you have a good idea if that's still your plan.

If indeed it is, go ahead with that process: uninstall Symantec\Norton and install the new AV.

When it asks you to schedule a boot-time scan, answer yes, but when it asks you to restart, choose to restart later; then access avast through Start --> All Programs and get it fully updated, then restart and let it run the scan.

I chose Option 6, which is to move all detected files to the chest, just in case there is a false positive.

The scan could take a while, so be prepared. Once it's all completed and you're happy with the install, post back and let me know and we shall finish cleaning the machine.

#14 maxHyper
  • Topic Starter
  • Members
  • 35 posts

Posted 26 June 2008 - 06:29 AM

All done; installed avast Pro, carried out a virus scan, all OK.

#15 Guest_Cretemonster_*

  • Guests

Posted 27 June 2008 - 02:48 PM

Click Start--> Run--> Type in combofix /u and click OK to uninstall ComboFix.

Type in cd\ and click OK


Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Take the time to look through Add\Remove Programs and get rid of anything you don't use and are sure you can live without, and keep all current applications up to date and fully patched.

Secunia has a good check for such things:
http://secunia.com/software_inspector/


So, how is the PC running today?



