Malware Opening System Pop-ups


  • This topic is locked
1 reply to this topic

#1 hlatu

  • Members
  • 2 posts

Posted 19 July 2008 - 04:51 PM

There is malware that is opening system pop-ups saying that Windows cannot open a certain file (no specific details available as to which file) due to windows not knowing who created the file. Also a disclaimer saying "Cannot run .dll file is missing". I ran combofix and this is the log:

ComboFix 08-07-18.5 - Ed 2008-07-19 14:59:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.440 [GMT -5:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ed\ResErrors.log
C:\Program Files\Antispyware
C:\Program Files\Antispyware\Antispyware.exe
C:\Program Files\Antispyware\Difxapi.dll
C:\Program Files\Antispyware\FilterDrv\Antispyware.amd64.sys
C:\Program Files\Antispyware\FilterDrv\Antispyware.cat
C:\Program Files\Antispyware\FilterDrv\Antispyware.inf
C:\Program Files\Antispyware\FilterDrv\Antispyware.x86.sys
C:\Program Files\VirusRemover2008
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\AHNUvyay.ini
C:\WINDOWS\system32\AHNUvyay.ini2
C:\WINDOWS\system32\bsnzafqa.bin
C:\WINDOWS\system32\cetxqj.dll
C:\WINDOWS\system32\cfg.dat
C:\WINDOWS\system32\efcCvTlj.dll
C:\WINDOWS\system32\fwvsupdb.dll
C:\WINDOWS\system32\lvhxytos.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhtpokrn.ini
C:\WINDOWS\system32\moiskncn.dll
C:\WINDOWS\system32\njkegucb.ini
C:\WINDOWS\system32\ocpjfwyj.ini
C:\WINDOWS\system32\odbeifup.ini
C:\WINDOWS\system32\ojmswkcs.ini
C:\WINDOWS\system32\oskhdgaq.dll
C:\WINDOWS\system32\pvsxwuip.dll
C:\WINDOWS\system32\qagdhkso.ini
C:\WINDOWS\system32\scruffsu.dll
C:\WINDOWS\system32\sotyxhvl.ini
C:\WINDOWS\system32\uyjfrbiy.dll
C:\WINDOWS\system32\vodvpwlk.dll
C:\WINDOWS\system32\vwvvfz.dll
C:\WINDOWS\system32\ziapbc.dll
C:\WINDOWS\wbxdpgfeasv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-19 15:07 . 2008-07-19 15:07 84 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-07-19 15:00 . 2008-07-19 15:00 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-07-17 10:35 . 2008-07-17 19:45 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Antispyware
2008-07-16 19:23 . 2008-07-16 19:23 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Digital Support
2008-07-16 19:22 . 2008-07-16 19:23 <DIR> d-------- C:\Program Files\Digital Support
2008-07-16 17:26 . 2008-07-16 17:26 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\MSNInstaller
2008-07-16 00:13 . 2008-07-16 00:13 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-16 00:13 . 2008-07-16 00:26 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-07-16 00:11 . 2008-07-16 00:16 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-16 00:11 . 2008-07-16 00:16 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-16 00:11 . 2008-07-16 00:16 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-16 00:11 . 2008-07-16 00:16 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-15 23:56 . 2008-07-15 23:56 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2008-07-10 09:42 . 2008-07-16 17:18 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\TmpRecentIcons
2008-07-10 09:42 . 2008-07-10 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-07-10 09:42 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-09 18:10 . 2008-07-09 18:10 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-29 20:08 . 2008-06-29 20:08 <DIR> d-------- C:\videodvdmaker
2008-06-29 20:08 . 2008-06-29 20:08 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Video DVD Maker FREE
2008-06-28 22:49 . 2008-06-28 22:50 <DIR> d-------- C:\Program Files\sonicstage mastering studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 20:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 00:57 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-19 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-19 00:39 --------- d-----w C:\Documents and Settings\Ed\Application Data\OpenOffice.org2
2008-07-17 16:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-16 22:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-16 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-16 05:16 --------- d-----w C:\Program Files\Symantec
2008-07-12 13:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-12 13:24 --------- d-----w C:\Program Files\Sony
2008-07-10 14:58 --------- d-----w C:\Program Files\Google
2008-07-09 23:09 --------- d-----w C:\Program Files\Common Files\Real
2008-07-02 02:58 14,856 ----a-w C:\Documents and Settings\Ed\Application Data\wklnhst.dat
2008-06-29 03:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-29 03:49 --------- d-----w C:\Program Files\USB Disk Win98 Driver
2008-06-29 03:49 --------- d-----w C:\Program Files\RegCure
2008-06-21 18:53 --------- d-----w C:\Program Files\Texas Holdem
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2006-08-03 20:46 82,984 -c--a-w C:\Documents and Settings\Ed\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\Ed\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 18:42:22 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-17 12:34:41 113664]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-02-03 21:10:15 1528880]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-11 10:00:33 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-28 08:51:54 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2006-12-23 14:46:29 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"DisableChangePassword"= 1 (0x1)
"ConnectHomeDirToRoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogoff"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Dell\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\Symantec Shared\\NPC\\npcLUStb.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 20:47]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 DCamUSBSTK016;STK016 Camera;C:\WINDOWS\system32\DRIVERS\STK016W2.sys [2003-10-04 00:08]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-07-09 18:05]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-29 01:53:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 05:26:08 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Ed.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-06-27 20:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-07-19 20:07:53 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-05 08:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-19 20:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0AF30069-0361-4D77-9C58-FDF9E277E1AD}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-awtsPFYO - awtsPFYO.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 15:09:01
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\USB Disk Win98 Driver\Res.exe
C:\Program Files\NetWaiting\netwaiting.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-07-19 16:21:59 - machine was rebooted [Ed]
ComboFix-quarantined-files.txt 2008-07-19 21:21:43

Pre-Run: 19,519,434,752 bytes free
Post-Run: 19,817,635,840 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

235 --- E O F --- 2008-06-30 13:31:41


Please evaluate the log and let me know what needs to be done to clean it up of malware. I'm running Windows XP Prof. Thank you!
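As an added example (not part of the original post, and not ComboFix's own code), here is one way to triage the "Reg Loading Points" section of a log like the one above: parse the REGEDIT4-style key/value lines, then flag the entries a responder would look at first, namely Security Center monitoring switched off, firewall notifications suppressed, ports opened to the whole profile (3389/TCP is Remote Desktop) and anything in AppInit_DLLs. The sample input is assembled from lines of the posted log; the function names, the `Finding` record and the warn/review severities are my own choices, not anything ComboFix defines.

```python
"""Triage helper for a ComboFix 'Reg Loading Points' section.

Added example for the forum post above; it is not ComboFix code.
It parses the REGEDIT4-style dump and returns findings for the
registry entries that most often indicate tampering on XP SP2.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the posted log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")
INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")


def parse_value(raw):
    """Normalise ComboFix's two DWORD renderings ('dword:00000001' and
    '1 (0x1)') to int; anything else stays a string."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_points(text):
    """Return {registry_key: {value_name: value}} for a REGEDIT4-style dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


@dataclass
class Finding:
    severity: str  # assumed labels: 'warn' (act on it) or 'review' (often legitimate)
    key: str
    detail: str


def triage(keys):
    """Flag the entries a responder would check first in this section."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # Security Center told not to monitor AV/firewall state. Vendor subkeys
        # are routinely set by the vendor's own product, so they get 'review';
        # the bare Monitoring key is less expected and gets 'warn'.
        if "security center\\monitoring" in k and values.get("DisableMonitoring") == 1:
            sev = "warn" if k.rsplit("\\", 1)[-1] == "monitoring" else "review"
            findings.append(Finding(sev, key, "Security Center monitoring disabled"))
        # Windows Firewall: user prompts suppressed, or ports opened to every address.
        if "firewallpolicy" in k:
            if values.get("DisableNotifications") == 1:
                findings.append(Finding("warn", key, "firewall notifications suppressed"))
            if k.endswith("globallyopenports\\list"):
                for name in values:
                    port, _, proto = name.partition(":")
                    label = " (RDP)" if port == "3389" else ""
                    findings.append(Finding("warn", key, f"port {port}/{proto} globally open{label}"))
        # AppInit_DLLs: every listed DLL is loaded into each process that maps user32.dll.
        if k.endswith("windows nt\\currentversion\\windows"):
            dlls = values.get("AppInit_DLLs")
            if isinstance(dlls, str) and dlls:
                findings.append(Finding("review", key, f"AppInit_DLLs injects {dlls}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_points(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.detail}\n        {f.key}")
```

The output is a list of things to check, not a verdict: the vendor subkeys under Security Center are commonly written by the antivirus product itself, the AppInit_DLLs entry here points at a Google component, and a globally open 3389/TCP may have been opened on purpose for Remote Desktop. Each finding still needs to be confirmed against what the user actually installed.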


#2 rigel

    FD-BC

  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 19 July 2008 - 08:01 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




