
Winifixer Infection, Can Only Boot In Safe Mode


  • This topic is locked
16 replies to this topic

#1 Brad Landers

Brad Landers

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 30 June 2008 - 09:42 PM

EDIT: I can get into regedit! Can't edit description though.

Boy, this is a bad one. I'm an IT professional, but far from a specialist in spyware removal. I do primarily server admin duty on Windows and Linux based systems. I started to have a look at this system, but quickly discovered that it was outside my normal scope.

* Cannot boot in normal mode
* DSS will not complete without crashing
* Cannot open control panel ("Restrictions" window appears)
* Cannot get online to run Kaspersky scan

There is/are:

* a WinIFixer icon on the desktop
* a green shield icon named "Security Troubleshooting"
* a blue shield labeled "Online Security Guide"
* a yellow triangle shaped alert icon in the system tray
* a flashing blue/red shield in the system tray
* a periodic systray notification bubble from the yellow triangle that starts with: "Windows antivirus" on new line "Windows has detected spyware infection!..."
* a periodic systray notification bubble from the shield that starts with: "System Alert!" on a new line "System has detected a number of active spyware applications..."
* A periodic modal dialog (yes/no) that starts with: "Windows Security Alert" in the title and "Warning! Potential Spyware Operation!..." in the message

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:05 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\shell.exe
C:\Documents and Settings\Gina\Application Data\U3\00001753A86057E2\LaunchPad.exe
C:\Program Files\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE} - C:\WINDOWS\system32\awtqnlIa.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: sgoblxtm - {1F8A048D-9A0B-4565-A3D0-2A2E6B44592A} - C:\WINDOWS\sgoblxtm.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1195429499\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [lirytgrm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lirytgrm.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Gina\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\wind32.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\system32\maxpaynowti1.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\system32\maxpaynow1.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [msdefender.exe] C:\WINDOWS\system32\msdefender.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [5811e8ca] rundll32.exe "C:\WINDOWS\system32\xhihvccv.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Gina\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Wy3F45TTBS] C:\Documents and Settings\All Users\Application Data\ruxstevo\zajifgns.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IEX] C:\WINDOWS\Prefetch\IEX.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209084496.exe work (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{5811E865-0BB8-1033-0914-050820200001}] "C:\Program Files\Common Files\{5811E865-0BB8-1033-0914-050820200001}\Update.exe" mc-110-12-0000488 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{5811E865-0BB8-1033-0914-050820200001}] "C:\Program Files\Common Files\{5811E865-0BB8-1033-0914-050820200001}\Update.exe" mc-110-12-0000488 (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06101102...2ie06101001.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 151.11.169.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: awtqnlIa - C:\WINDOWS\SYSTEM32\awtqnlIa.dll
O20 - Winlogon Notify: winnt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O20 - Winlogon Notify: wlctrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: KbdMon - {dbca73aa-0a54-4589-b63c-f311f58c4ba2} - C:\WINDOWS\Installer\{dbca73aa-0a54-4589-b63c-f311f58c4ba2}\KbdMon.dll
O21 - SSODL: ShhMtSz - {5811E866-F2BB-42CC-A445-6FAC759EF705} - C:\WINDOWS\system32\cbgp.dll
O21 - SSODL: dsktbwfe - {D18E75DA-3AFC-44C2-B734-CA4B4A97D75F} - C:\WINDOWS\dsktbwfe.dll
O21 - SSODL: ogxtsepr - {DF8F0FFF-68D0-4A0E-9E75-E140120C4671} - C:\WINDOWS\ogxtsepr.dll
O21 - SSODL: DriveKbd - {08971d4f-ee6c-4301-93fa-1e151e3893c1} - C:\WINDOWS\Resources\DriveKbd.dll
O21 - SSODL: zip - {1c164573-4b48-4988-ae8d-9c230e8bd676} - C:\WINDOWS\Installer\{1c164573-4b48-4988-ae8d-9c230e8bd676}\zip.dll
O21 - SSODL: AvpComponent - {95036ec9-0888-41da-a42a-893de729bed0} - C:\WINDOWS\Resources\AvpComponent.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - C:\WINDOWS\system32\rkvdr.dll
O23 - Service: Alerter AlerterTermService (alertertermservice) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COM+ System Application COMSysAppNetman (comsysappnetman) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\21E.tmp.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP Status Server HPMSIServer (HPMSIServer) - Unknown owner - C:\WINDOWS\system32\acelpdeco.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Print Spooler SpoolerTrkWks (spoolertrkwks) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINDOWS\svslogon.exe (file missing)

--
End of file - 12944 bytes

Edited by Brad Landers, 30 June 2008 - 09:53 PM.



#2 Markka

Markka

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 01 July 2008 - 11:14 AM

Hi and welcome to the forums. :thumbsup:
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. I belong to HJT Senior Classmen and everything that I post to you must be checked by teachers of Bleeping Computer.
Please be patient. :)

#3 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 01 July 2008 - 11:43 AM

Hi Markka, thanks for your help :thumbsup:

#4 Markka

Markka

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 02 July 2008 - 08:00 AM

Hello :thumbsup:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#5 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 02 July 2008 - 08:40 AM

I have contacted the owner of the PC to discuss how she would like to proceed. I'll post back as soon as I get an answer later today. Thanks.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:18 AM

Posted 03 July 2008 - 10:10 AM

Hello, my name is fenzodahl512 and welcome to BC... Markka will be unavailable..


Please do the following.. :thumbsup:


Please download FixWareout by LonnyRJones and save it to your desktop.

Please doubleclick Fixwareout >> click Next, then Install, make sure Run fixit is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please let your firewall allow it.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt).




NEXT


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.
NEXT



Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.




Please post the following logs in your next reply... Please post each log in separate post...

1. FixWareout
2. SDFix
3. ComboFix
4. A fresh HijackThis log (after ComboFix step)



Regards
fenzodahl512

Edited by fenzodahl512, 03 July 2008 - 10:12 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 03 July 2008 - 04:48 PM

I tried to post these separately, but each time I "Add Reply", it automatically adds it to my previous post.

I was unable to run ComboFix. The computer will still only boot into safe mode. If I attempt to boot normally, the computer just restarts, then gives the option to boot into safe mode. I was able to run FixWareout and SDFix. I also ran another HJT log, so you can see what remains.

FixWareout report

Username "Gina" - 07/03/2008 15:59:12 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdolr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.172 85.255.112.142" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{216B95A4-2A53-4994-9DE8-BF131E7ED732}
"nameserver"="85.255.116.172,85.255.112.142" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{216B95A4-2A53-4994-9DE8-BF131E7ED732}
"DhcpNameServer"="85.255.116.172,85.255.112.142" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A497C30E-2AF5-4EC2-ACAD-249017A4FC5A}
"DhcpNameServer"="85.255.116.172,85.255.112.142" <Value cleared.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
C:\WINDOWS\desktop.html Deleted
C:\WINDOWS\xpupdate.exe Deleted
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdolr.ren 81920 08/04/2004


C:\Program Files\BraveSentry < Found
Additional tools are recommended.

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1195429499\\ee\\AOLSoftware.exe"
"webHancer Agent"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"
"lirytgrm"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\lirytgrm.dll\""
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Gina\\cftmon.exe"
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\system32\\BluetoothAuthorizationAgent.exe"
"AntiVirusPro"="C:\\Program Files\\AntiVirusPro\\AntiVirusPro.exe"
"Printer"="C:\\WINDOWS\\system32\\printer.exe"
"icasServ"="C:\\WINDOWS\\system32\\icasServ.exe"
"System"="C:\\WINDOWS\\system32\\wind32.exe"
"jdgf894jrghoiiskd"="C:\\WINDOWS\\TEMP\\winlogan.exe"
"DriveSystem"="C:\\WINDOWS\\system32\\maxpaynowti1.exe"
"csrss"="C:\\WINDOWS\\system32\\wbem\\csrss.exe"
"antiviirus"="C:\\Program Files\\antiviirus.exe"
"SystemDrive"="C:\\WINDOWS\\system32\\maxpaynow1.exe"
"VirusHeat 4.3"="\"C:\\Program Files\\VirusHeat 4.3\\VirusHeat 4.3.exe\" /h"
"taskmon"="C:\\WINDOWS\\taskmon.exe"
"PromoReg"="C:\\WINDOWS\\system32\\alt.exe.exe"
"msdefender.exe"="C:\\WINDOWS\\system32\\msdefender.exe"
"runner1"="C:\\WINDOWS\\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A "
"ctfmona"="C:\\WINDOWS\\system32\\ctfmona.exe"
"WinIFixer"="C:\\Program Files\\WinIFixer\\WinIFixer.exe"
"5811e8ca"="rundll32.exe \"C:\\WINDOWS\\system32\\xhihvccv.dll\",b"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Spooler SubSystem App"="C:\\WINDOWS\\system32\\spooIsv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="\"C:\\Program Files\\AOL 9.1\\AOL.EXE\" -b"
"Spoolsv"="C:\\WINDOWS\\system32\\spoolvs.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Gina\\cftmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



SDFix report


SDFix: Version 1.201
Run by Gina on Thu 07/03/2008 at 04:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver
ICF
ksnhtr
MSSysInterv1
tcpsr
zeqbqwp

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\svchost.exe:exe.exe
\??\C:\WINDOWS\system32\ksnhtr.sys
C:\WINDOWS\winself.exe service
\??\C:\WINDOWS\System32\drivers\tcpsr.sys
\??\C:\WINDOWS\zeqbqwp.sys

clbdriver - Deleted
ICF - Deleted
ksnhtr - Deleted
MSSysInterv1 - Deleted
tcpsr - Deleted
zeqbqwp - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Resetting SecurityProviders Value
Restoring Default Schedule Service Path
Resetting AppInit_DLLs value

HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:58 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1195429499\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [lirytgrm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lirytgrm.dll"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKLM\..\Run: [5811e8ca] rundll32.exe "C:\WINDOWS\system32\xhihvccv.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IEX] C:\WINDOWS\Prefetch\IEX.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209084496.exe work (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06101102...2ie06101001.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 151.11.169.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ShhMtSz - {5811E866-F2BB-42CC-A445-6FAC759EF705} - C:\WINDOWS\system32\cbgp.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - C:\WINDOWS\system32\rkvdr.dll
O23 - Service: Alerter AlerterTermService (alertertermservice) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COM+ System Application COMSysAppNetman (comsysappnetman) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\21E.tmp.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP Status Server HPMSIServer (HPMSIServer) - Unknown owner - C:\WINDOWS\system32\acelpdeco.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler SpoolerTrkWks (spoolertrkwks) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINDOWS\svslogon.exe (file missing)

--
End of file - 7665 bytes

Edited by Brad Landers, 03 July 2008 - 04:50 PM.


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:18 AM

Posted 03 July 2008 - 08:29 PM

Please run ComboFix in Safe Mode and then post the log here... If ComboFix refuses to run, rename it to Combo-Fix and then run it..


Regards
fenzodahl512

Edited by fenzodahl512, 03 July 2008 - 08:31 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:18 PM

Posted 04 July 2008 - 10:21 AM

Renaming ComboFix to Combo-Fix did the trick.

ComboFix 08-07-02.5 - Gina 2008-07-04 10:11:50.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.380 [GMT -4:00]
Running from: C:\Documents and Settings\Gina\Desktop\BleepingComputer\Combo-Fix.exe
.
ADS - svchost.exe: deleted 28160 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.tmp
C:\9.tmp
C:\B.tmp
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Desktop\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Desktop\WinIFixer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\Register.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinIFixer\WinIFixer.lnk
C:\Documents and Settings\Family\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Family\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\Family\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\Family\Application Data\Microsoft\Internet Explorer\Quick Launch\WinIFixer.lnk
C:\Documents and Settings\Family\Application Data\WinIFixer.com
C:\Documents and Settings\Family\Favorites\Online Security Test.url
C:\Documents and Settings\Family\Local Settings\Application Data\n.ini
C:\Documents and Settings\Family\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Family\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Family\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Family\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Family\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Guest\Application Data\wsnpoem
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\database.pkg
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\AntiVirusPro\WndSystem.dll
C:\Program Files\Common Files\{5811E~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\racle~1
C:\Program Files\racle~1\?racle\
C:\Program Files\racle~1\iexplore.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\WinIFixer
C:\Program Files\WinIFixer\database.dat
C:\Program Files\WinIFixer\MFC71.dll
C:\Program Files\WinIFixer\MFC71ENU.DLL
C:\Program Files\WinIFixer\msvcp71.dll
C:\Program Files\WinIFixer\msvcr71.dll
C:\Program Files\WinIFixer\Uninstall.exe
C:\Program Files\WinIFixer\WinIFixer.exe
C:\Program Files\WinIFixer\WinIFixer.exe.local
C:\Program Files\WinIFixer\WinIFixerSkin.dll
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\rundll.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\21264341241.dll
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dqpvhgem.dll
C:\WINDOWS\system32\drivers\asc3550p.sys
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\spools.exe
c:\windows\system32\Drivers\Usu22.sys
C:\WINDOWS\system32\epgned.bmp
C:\WINDOWS\system32\giqyqc.dll
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\kbedobql.bmp
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\ksnhtr.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJCSiGY.dll
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\pmnnOFUO.dll
C:\WINDOWS\system32\rkvdr.dll
C:\WINDOWS\system32\rqlcnapsn.bmp
C:\WINDOWS\system32\tcril.bmp
C:\WINDOWS\system32\vccvhihx.ini
C:\WINDOWS\system32\vccvhihx.ini2
C:\WINDOWS\system32\vccvhihx.tmp
C:\WINDOWS\system32\vFhOqBeg.ini
C:\WINDOWS\system32\vFhOqBeg.ini2
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xhihvccv.dll
C:\WINDOWS\wintst32.tmp
C:\WINDOWS\zeqbqwp.sys
C:\WINDOWS\system32\WinNt32.dll . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_usu22
-------\Service_Usu22
-------\Service_usu22


((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 16:24 . 2008-07-03 16:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-03 16:21 . 2008-07-04 10:13 <DIR> d-------- C:\SDFix
2008-07-03 15:58 . 2008-07-03 16:04 <DIR> d-------- C:\fixwareout
2008-06-30 22:10 . 2008-06-30 22:10 <DIR> d-------- C:\Deckard
2008-06-30 21:00 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-30 15:23 . 2008-06-30 15:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 15:22 . 2008-06-30 15:23 <DIR> d-------- C:\Documents and Settings\Gina\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 16:52 28,672 ----a-w C:\WINDOWS\system32\drivers\Xnf22.sys
2008-06-01 16:48 93,696 ----a-w C:\lmdwec.exe
2008-06-01 16:48 72,192 ----a-w C:\qkokqf.exe
2008-06-01 16:48 7,680 ----a-w C:\xhnyhfc.exe
2008-06-01 16:48 7,680 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-06-01 16:48 5,120 ----a-w C:\tkenc.exe
2008-06-01 16:48 44 ----a-w C:\p2hhr.bat
2008-06-01 16:48 14,848 ----a-w C:\vucuhrkr.exe
2008-06-01 16:48 105 ----a-w C:\prst.bat
2008-04-12 21:21 58,880 ----a-w C:\lilsesn.exe
2008-04-12 21:21 13,312 ----a-w C:\gjtxc.exe
2008-04-12 21:10 70,144 ----a-w C:\WINDOWS\lkhabovo.dll
2008-04-12 21:10 70,144 ----a-w C:\Documents and Settings\All Users\Application Data\lirytgrm.dll
2008-04-12 21:10 196,096 ----a-w C:\WINDOWS\qpujavwh.dll
2008-04-12 21:09 6,656 ----a-w C:\WINDOWS\trictions.dll
2008-03-27 03:42 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-27 21:27 273,943,351 ----a-w C:\Documents and Settings\Family\Gina.zip
2004-08-04 07:00 266,752 ----a-r C:\Documents and Settings\Guest\Application Data\ntos.exe
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-04 03:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 021415ad071ef3944c27dc9597ed2214 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 07:51 359808 021415ad071ef3944c27dc9597ed2214 C:\WINDOWS\system32\drivers\tcpip.sys

md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" [2007-10-27 13:44 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-05 23:45 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-05 23:41 118784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42 32768]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-16 17:58 26112]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 00:08 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"HostManager"="C:\Program Files\Common Files\AOL\1195429499\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"icasServ"="C:\WINDOWS\system32\icasServ.exe" [2006-04-13 17:20 13824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 19:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 15:36 14854144 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"IEX"="C:\WINDOWS\Prefetch\IEX.exe" [2006-08-02 21:39 19514]

C:\Documents and Settings\Family\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-04-12 17:09:47 178419]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 00:28:44 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ShhMtSz"= {5811E866-F2BB-42CC-A445-6FAC759EF705} - C:\WINDOWS\system32\cbgp.dll [2006-07-05 06:55 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\usu22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xnf22.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\1195429499\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 htg50;htg50;C:\WINDOWS\system32\drivers\htg50.sys [2008-04-12 17:22]
R0 xnf22;xnf22;C:\WINDOWS\system32\Drivers\Xnf22.sys [2008-06-01 12:52]
S2 alertertermservice;Alerter AlerterTermService;C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp []
S2 comsysappnetman;COM+ System Application COMSysAppNetman;C:\DOCUME~1\Family\LOCALS~1\Temp\21E.tmp []
S2 HPMSIServer;HP Status Server HPMSIServer;C:\WINDOWS\system32\acelpdeco.exe [2008-04-12 17:20]
S2 spoolertrkwks;Print Spooler SpoolerTrkWks;C:\WINDOWS\system32\adsnwd.exe [2008-04-13 19:48]
S2 SVSLOG;Service Logon Protocol;"C:\WINDOWS\svslogon.exe" []
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\Program Files\Unlocker\UnlockerDriver4.sys [2005-04-24 05:08]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 12:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AntiVirusPro - C:\Program Files\AntiVirusPro\AntiVirusPro.exe
HKLM-Run-5811e8ca - C:\WINDOWS\system32\xhihvccv.dll
HKU-Default-Run-TClock.exe - C:\Program Files\TClock\tclock_install.exe
HKU-Default-Run-InetChk - C:\WINDOWS\TEMP\ms1209084496.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 10:48:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\Htg50.sys 167936 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alertertermservice]
"ImagePath"="C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\comsysappnetman]
"ImagePath"="C:\DOCUME~1\Family\LOCALS~1\Temp\21E.tmp srv"
.
Completion time: 2008-07-04 10:50:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 14:50:54

Pre-Run: 65,047,153,152 bytes free
Post-Run: 65,254,661,120 bytes free

277
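The "Reg Loading Points" section of the ComboFix log above is where the Safe-Mode-only symptom is explained: two drivers (usu22.sys and xnf22.sys) have registered themselves under SafeBoot\Minimal, so they load even when Windows is started in Safe Mode, and the Windows Firewall has been switched off. The script below is an added example, not part of this thread or of ComboFix itself. It parses the REGEDIT4-style text ComboFix prints (keys in brackets, "name"="value" lines) and flags those persistence tricks together with autostart entries that point into Temp or Prefetch. The sample text is constructed from lines in the log above, and the list of suspicious directories is a heuristic assumed for this example.

```python
"""Triage of a ComboFix 'Reg Loading Points' section (added example).

Parses the REGEDIT4-style text ComboFix prints: keys in [brackets] and
"name"="value" lines. ComboFix states that default entries are filtered
out, so any SafeBoot\Minimal subkey it still shows was added later.
"""
import re

# Constructed from the ComboFix log posted above; not the complete section.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-05 23:45 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"IEX"="C:\WINDOWS\Prefetch\IEX.exe" [2006-08-02 21:39 19514]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\usu22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xnf22.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?P<name>@|"[^"]*")\s*=\s*(?P<value>.*)$')

# Heuristic assumed for this example: legitimate autostarts rarely live in
# a per-user temp directory or in the Prefetch cache.
SUSPICIOUS_DIRS = ("\\temp\\", "\\prefetch\\", "\\locals~1\\")
AUTOSTART_TAILS = ("\\run", "\\runonce", "\\shellserviceobjectdelayload")


def parse_reg_points(text):
    """Return (key, value_name, raw_value) tuples in file order."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name").strip('"'), m.group("value").strip()))
    return entries


def image_path(value):
    """Extract the drive-letter path from a quoted-path-plus-metadata value."""
    m = re.search(r'[A-Za-z]:\\[^"\[\]]*', value)
    return m.group(0).strip() if m else ""


def triage(entries):
    """Map each entry to zero or more (finding, detail) pairs."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        path = image_path(value).lower()
        if "\\control\\safeboot\\minimal\\" in k:
            # Anything listed here is loaded even in Safe Mode.
            findings.append(("safeboot_persistence", leaf))
        if name.lower() == "enablefirewall" and value.startswith("0"):
            findings.append(("firewall_disabled", leaf))
        if k.endswith(AUTOSTART_TAILS):
            if any(d in path for d in SUSPICIOUS_DIRS):
                findings.append(("autostart_odd_location", path))
            if k.startswith("hkey_users\\.default"):
                # Runs in the default-user / SYSTEM context before anyone logs on.
                findings.append(("autostart_default_hive", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg_points(SAMPLE)):
        print(f"{kind:24s} {detail}")
```

Run against the sample it reports both SafeBoot drivers, the disabled firewall profile, and IEX.exe twice (unusual location and default hive); the IgfxTray entry produces nothing. A location heuristic like this is only a first pass: the icasServ.exe entry in the real log lives in system32 and would need a hash or signature check to stand out.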

#10 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:18 PM

Posted 04 July 2008 - 10:24 AM

HijackThis report from after running ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:56 AM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1195429499\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [IEX] C:\WINDOWS\Prefetch\IEX.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IEX] C:\WINDOWS\Prefetch\IEX.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/move/06101102...2ie06101001.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 151.11.169.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ShhMtSz - {5811E866-F2BB-42CC-A445-6FAC759EF705} - C:\WINDOWS\system32\cbgp.dll
O23 - Service: Alerter AlerterTermService (alertertermservice) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COM+ System Application COMSysAppNetman (comsysappnetman) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\21E.tmp.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HP Status Server HPMSIServer (HPMSIServer) - Unknown owner - C:\WINDOWS\system32\acelpdeco.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler SpoolerTrkWks (spoolertrkwks) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe
O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINDOWS\svslogon.exe (file missing)

--
End of file - 6752 bytes
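The post-ComboFix HijackThis log above still shows the three patterns the helper goes after in the next reply: O17 nameservers pointing at resolvers the household never configured, O23 services with no vendor string whose display names copy real Windows service names ("Alerter", "Print Spooler", "COM+ System Application") with extra words appended and whose binaries sit in Temp or are missing, and an O4 autostart from the Prefetch folder running as SYSTEM. The script below is an added example, not part of this thread or of HijackThis. It parses those three line formats and reports each pattern over a constructed subset of the log's lines; the trusted-resolver set and the suspicious-directory list are assumptions of the example.

```python
"""Triage of HijackThis O4 / O17 / O23 lines (added example).

Flags resolvers outside a trusted set (O17), services with no vendor string
whose binary is in Temp or missing, or whose display name is a built-in
Windows service name with extra words bolted on (O23), and autostarts from
Prefetch/Temp or in the SYSTEM context (O4).
"""
import ipaddress
import re

# Constructed from the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\S-1-5-18\..\Run: [IEX] C:\WINDOWS\Prefetch\IEX.exe (User 'SYSTEM')
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS3\Services\Tcpip\..\{216B95A4-2A53-4994-9DE8-BF131E7ED732}: NameServer = 151.11.169.9
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Alerter AlerterTermService (alertertermservice) - Unknown owner - C:\DOCUME~1\Family\LOCALS~1\Temp\1E.tmp.exe (file missing)
O23 - Service: Print Spooler SpoolerTrkWks (spoolertrkwks) - Unknown owner - C:\WINDOWS\system32\adsnwd.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Assumption: the resolvers this environment expects (e.g. the home router).
TRUSTED_DNS = frozenset({"192.168.1.1"})
SUSPICIOUS_DIRS = ("\\temp\\", "\\prefetch\\", "\\locals~1\\")
# Genuine Windows XP service display names that the fake services imitate.
BUILTIN_DISPLAY_NAMES = ("Alerter", "Print Spooler", "COM+ System Application")


def mimics_builtin(display):
    """True when a display name is a real service name plus extra words."""
    return any(display.startswith(n + " ") for n in BUILTIN_DISPLAY_NAMES)


def triage_hjt(lines, trusted_dns=TRUSTED_DNS):
    """Return (finding, detail) pairs in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            for token in re.split(r"[\s,]+", m.group("servers").strip()):
                try:
                    server = str(ipaddress.ip_address(token))
                except ValueError:
                    continue  # skip malformed tokens
                if server not in trusted_dns:
                    findings.append(("dns_resolver_changed", server))
            continue
        m = O23_RE.match(line)
        if m:
            display, owner = m.group("display"), m.group("owner")
            path = m.group("path").lower()
            if owner == "Unknown owner":
                if "(file missing)" in path or any(d in path for d in SUSPICIOUS_DIRS):
                    findings.append(("service_no_vendor_odd_path", display))
                elif mimics_builtin(display):
                    findings.append(("service_name_mimicry", display))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if "(user 'system')" in cmd or any(d in cmd for d in SUSPICIOUS_DIRS):
                findings.append(("autostart_odd_location", m.group("name")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_hjt(SAMPLE_LOG):
        print(f"{kind:28s} {detail}")
```

The "Unknown owner" text is HijackThis reporting that the binary carries no company name in its version resource, which on its own is weak evidence; combining it with the path and the name-mimicry check is what separates adsnwd.exe from the HP and AOL services on the same list.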

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:18 AM

Posted 04 July 2008 - 04:22 PM

Please do all these steps in Normal Mode if possible..



Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\system32\adsnwd.exe
      C:\WINDOWS\system32\acelpdeco.exe
      C:\Program Files\Bat\Bat.exe
  • Click on the submit button. You can only submit one file per round..
  • Please post the results in your next reply.
If the Jotti server is too busy, please submit the file to VirusTotal instead.





NEXT


Please run FixWareout again. And then post the log here..



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
htg50
xnf22
alertertermservice
comsysappnetman
SVSLOG

File::
C:\Documents and Settings\user\Local Settings\Temp\1E.tmp
C:\Documents and Settings\user\Local Settings\Temp\21E.tmp
C:\WINDOWS\system32\drivers\htg50.sys
C:\WINDOWS\system32\Drivers\Xnf22.sys
C:\WINDOWS\svslogon.exe
C:\lmdwec.exe
C:\qkokqf.exe
C:\xhnyhfc.exe
C:\tkenc.exe
C:\p2hhr.bat
C:\vucuhrkr.exe
C:\prst.bat
C:\lilsesn.exe
C:\gjtxc.exe
C:\WINDOWS\lkhabovo.dll
C:\Documents and Settings\All Users\Application Data\lirytgrm.dll
C:\WINDOWS\qpujavwh.dll
C:\WINDOWS\trictions.dll
C:\Documents and Settings\Guest\Application Data\ntos.exe
C:\WINDOWS\system32\icasServ.exe
C:\WINDOWS\system32\cbgp.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"icasServ"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ShhMtSz"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\usu22.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xnf22.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alertertermservice]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\comsysappnetman]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply.. Post each log in a separate post..
  • Jotti/VirusTotal results
  • FixWareout
  • Combofix
  • A new HijackThis log.



Regards
fenzodahl512



#12 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:18 PM

Posted 04 July 2008 - 11:43 PM

When attempting to boot in normal mode, I get a "PAGE FAULT IN NON PAGED AREA" blue screen. I can't visit websites in safe mode.

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:18 AM

Posted 05 July 2008 - 12:35 AM

When attempting to boot in normal mode, I get a "PAGE FAULT IN NON PAGED AREA" blue screen. I can't visit websites in safe mode.



Ok.. boot in Safe Mode with Networking ONLY to do the Jotti step.. Once you've got the result, save it, then reboot in Safe Mode and do the rest..

Then, please post the log here..


Regards
fenzodahl512



#14 Brad Landers

Brad Landers
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:18 PM

Posted 06 July 2008 - 08:33 PM

Sorry it took me so long to post back. We had family in town this weekend. I get the same BSOD when booting to safe mode with networking.

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:03:18 AM

Posted 07 July 2008 - 02:18 AM

Hello Brad Landers.. I have news for you..

Looking at your logs and your problem, I was advised by an expert to suggest that you format your computer, as it is not worth cleaning it.. You actually have more malware than legitimate files..

Should you decide to format it, please look at Markka's post and follow his suggestion.. Should you stick with your decision to fix it, please let me know..


Quote from Markka

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.





