
I Can't Remove Virtumonde/smitfraud-c.gp/pws.ldpinchie/zlob


This topic is locked
5 replies to this topic

#1 Infatr8

  • Members
  • 3 posts

Posted 26 July 2008 - 04:17 AM

I think I may have got the Zlob, as it hasn't shown in a sweep for a while. I also ran VundoFix and it seems to have fixed the Virtumonde. Something is also disabling Microsoft.WindowsSecurityCenter.RegistryTools, the automatic updates and the virus scan.

Deckard's System Scanner v20071014.68
Run by Bernie on 2008-07-26 02:37:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-26 08:37:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Bernie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:21 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Bernie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bernie.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\kdfgj83ke.dll - {c5af49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\kdfgj83ke.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201856778324
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201858220596
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0CC59D6-3F56-4E03-8176-697E38B5F3C6}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\kdfgj83ke.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5847 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080725-210801-970 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 atitray - c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys
R3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys <Not Verified; ; RadProbe>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 RadClock - c:\windows\system32\radclock.exe <Not Verified; ; RadClock Module>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 wampapache - "c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
S3 wampmysqld - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_10B9&DEV_5457&SUBSYS_8175104D&REV_00\3&61AAA01&0&18
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_10B9&DEV_5457&SUBSYS_8175104D&REV_00\3&61AAA01&0&18
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8175104D&REV_00\3&61AAA01&0&53
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8175104D&REV_00\3&61AAA01&0&53
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_8175104D&REV_04\3&61AAA01&0&62
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_8175104D&REV_04\3&61AAA01&0&62
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8175104D&REV_10\3&61AAA01&0&90
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8175104D&REV_10\3&61AAA01&0&90
Service: RTL8023xp


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 02:33:31 13312 --a------ C:\Documents and Settings\Bernie\cftmon.exe
2008-07-26 02:33:26 13312 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-07-26 01:19:35 0 d-------- C:\VundoFix Backups
2008-07-26 01:18:03 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-25 22:45:24 0 d-------- C:\Documents and Settings\Bernie\Application Data\TrojanHunter
2008-07-25 21:20:50 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-07-25 21:01:13 0 d-------- C:\Program Files\Trend Micro
2008-07-25 15:05:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 13:57:34 18944 --a------ C:\WINDOWS\system32\hombho.dll
2008-07-24 18:27:08 862648 --ahs---- C:\WINDOWS\system32\vFLklnmp.ini2
2008-07-24 15:50:28 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2008-07-24 15:47:00 0 dr------- C:\Documents and Settings\LocalService\My Documents <MYDOCU~1>
2008-07-24 15:46:56 0 dr------- C:\Documents and Settings\LocalService\Favorites <FAVORI~1>
2008-07-24 15:46:52 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-07-24 15:46:52 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-24 15:39:46 0 d-------- C:\Program Files\jZip
2008-07-24 15:11:57 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-24 15:03:09 212992 --a------ C:\win.dll
2008-07-24 15:02:27 36864 --a------ C:\win.exe
2008-07-24 14:57:05 10752 --a------ C:\WINDOWS\system32\msliksurdns.dll <Not Verified; ; testexe>
2008-07-24 14:57:05 33792 --a------ C:\WINDOWS\system32\msliksurcredo.dll <Not Verified; ; testexe>
2008-07-24 14:57:05 30720 --a------ C:\WINDOWS\system32\drivers\msliksurserv.sys <Not Verified; ; testexe>
2008-07-24 14:56:21 25088 --a------ C:\WINDOWS\system32\sla32.dll
2008-07-24 14:56:08 0 --a------ C:\d1.exe
2008-07-24 14:56:01 26624 --a------ C:\WINDOWS\system32\avira_ss.dll
2008-07-24 14:56:01 0 --a------ C:\d.exe
2008-07-24 14:55:54 61440 --a------ C:\WINDOWS\WIND.EXE
2008-07-24 14:55:50 2 --a------ C:\-535036740
2008-07-24 14:55:47 13312 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-07-24 14:55:45 10000 --a------ C:\WINDOWS\system32\kdfgj83ke.dll
2008-07-24 14:55:38 61440 --a------ C:\cuhv.exe
2008-07-24 14:55:30 13312 --a------ C:\xxdxsn.exe
2008-07-24 14:55:30 85050 --a------ C:\WINDOWS\system32\drivers\e59ec423.sys
2008-07-24 14:55:06 47 --a------ C:\Documents and Settings\Bernie\readme.bat
2008-07-24 14:55:06 8784 --a------ C:\Documents and Settings\Bernie\number.exe
2008-07-24 14:55:06 46080 --a------ C:\Documents and Settings\Bernie\keygen.exe
2008-07-22 01:47:34 0 d-------- C:\Program Files\DivX
2008-06-29 22:41:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-07-26 02:30:36 0 d-------- C:\Program Files\Java
2008-07-20 22:19:13 0 d-------- C:\Program Files\QuickTime
2008-07-17 16:09:19 0 d-------- C:\Program Files\Atheros
2008-06-27 13:58:00 0 d-------- C:\Documents and Settings\Bernie\Application Data\CoreFTP
2008-06-25 01:18:53 0 d-------- C:\Program Files\Starfield
2008-06-18 23:27:38 0 d-------- C:\Documents and Settings\Bernie\Application Data\IrfanView
2008-06-17 14:58:45 0 d-------- C:\Documents and Settings\Bernie\Application Data\Mozilla
2008-06-10 18:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-10 18:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-10 18:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-10 18:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-06-10 18:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-06-10 18:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-06-10 18:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-06-10 18:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-06-10 07:39:51 0 d-------- C:\Documents and Settings\Bernie\Application Data\Apple Computer
2008-06-08 01:36:47 0 d-------- C:\Program Files\IrfanView
2008-06-06 23:40:55 0 d-------- C:\Program Files\Common Files
2008-06-06 23:40:55 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-06 23:39:05 0 d-------- C:\Program Files\Rosetta Stone
2008-06-06 19:00:04 0 d-------- C:\Program Files\Alarian2
2008-06-06 05:09:24 0 d-------- C:\Documents and Settings\Bernie\Application Data\fretsonfire
2008-06-06 04:22:02 0 d-------- C:\Program Files\MSXML 6.0
2008-06-06 04:18:32 0 d-------- C:\Program Files\MobilityDotNET
2008-06-06 03:45:50 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-06 03:45:44 0 d-------- C:\Documents and Settings\Bernie\Application Data\SystemRequirementsLab
2008-06-06 03:42:43 0 d-------- C:\Program Files\ATI Technologies
2008-06-06 03:42:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-06 03:26:30 0 d-------- C:\Program Files\Unsigned
2008-06-05 03:33:45 102006 --a------ C:\WINDOWS\hpoins04.dat
2008-06-05 03:32:55 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-05 03:32:31 0 d-------- C:\Program Files\HP
2008-05-27 17:42:40 0 d-------- C:\Program Files\PHP Editor
2008-05-27 01:18:54 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-22 16:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-3604812c897d}]
07/24/2008 02:55 PM 10000 --a------ C:\WINDOWS\system32\kdfgj83ke.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [07/09/2008 06:54 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-3604812C897D}"= C:\WINDOWS\system32\kdfgj83ke.dll [07/24/2008 02:55 PM 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [08/30/2004 10:08 PM 200704]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtuvVPf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msliksurserv.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8910 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-26 02:41:24 ------------


edit--------------

I had to update my Java, but I got the Kaspersky scan to work and attached the file.


Edited by Infatr8, 26 July 2008 - 06:18 AM.
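A defender-side triage of the HijackThis entries in the log above, as an added example that is not part of the original post and not a HijackThis feature: it parses the `Rn`/`On` entry lines and flags the load points that the MBAM log later in this thread confirmed (Run entries under the SYSTEM hive, an .exe stored under drivers\, the Schedule service no longer hosted by svchost, the BHO and SharedTaskScheduler entries sharing one CLSID, and static NameServer settings). The rules, the sample lines and the svchost expectation for the Schedule service are assumptions drawn from the logs in this thread.

```python
"""Triage of HijackThis log entries (added example, not part of the thread).

Flags the autostart, service, BHO and DNS entries that the scan logs in this
thread later confirmed as malicious, using only structure visible in the log.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the entry deserves a look
    line: str     # the entry body that triggered the rule


# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\kdfgj83ke.dll - {c5af49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\kdfgj83ke.dll
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\kdfgj83ke.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# A Windows path: drive letter up to the first .exe/.dll/.sys extension (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
SERVICE_RE = re.compile(r"Service: (?P<name>[^-]+?)(?: \((?P<short>[^)]+)\))? - ")
# Executable sitting directly in a profile root, e.g. ...\LocalService\cftmon.exe
PROFILE_ROOT_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.I)
# Run keys of the SYSTEM account and the .DEFAULT profile; legitimate software rarely uses them.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")
# Built-in services hosted by svchost; the expected host is taken from the MBAM log
# in this thread ("Good: %SystemRoot%\System32\svchost.exe -k netsvcs"). Assumption.
HOSTED_SERVICES = {"Schedule": "svchost.exe"}


def parse_hjt(text: str) -> List[tuple]:
    """Return (section, body) for each entry line; header and process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def triage(text: str) -> List[Finding]:
    """Apply the rules below to every entry and return the findings in log order."""
    entries = parse_hjt(text)
    # CLSIDs registered as BHOs, so another load point using the same CLSID can be correlated.
    bho_clsids = {c.lower() for sec, body in entries if sec == "O2" for c in CLSID_RE.findall(body)}
    findings: List[Finding] = []
    for sec, body in entries:
        paths = PATH_RE.findall(body)
        for p in paths:
            if "\\drivers\\" in p.lower() and p.lower().endswith(".exe"):
                findings.append(Finding(sec, "executable stored in the drivers directory", body))
            if PROFILE_ROOT_RE.match(p):
                findings.append(Finding(sec, "executable directly in a profile root", body))
        if sec == "O4" and body.startswith(SYSTEM_HIVES):
            findings.append(Finding(sec, "Run entry under the SYSTEM/.DEFAULT hive", body))
        elif sec == "O2" and body.startswith("BHO: "):
            name = body[len("BHO: "):].split(" - ")[0]
            if PATH_RE.fullmatch(name):
                findings.append(Finding(sec, "BHO has no product name, only its DLL path", body))
        elif sec == "O17" and "NameServer" in body:
            findings.append(Finding(sec, "static DNS servers set; confirm they are yours", body))
        elif sec == "O22" and any(c.lower() in bho_clsids for c in CLSID_RE.findall(body)):
            findings.append(Finding(sec, "SharedTaskScheduler entry reuses a BHO CLSID", body))
        elif sec == "O23":
            m = SERVICE_RE.match(body)
            short = (m.group("short") or m.group("name")) if m else ""
            expect = HOSTED_SERVICES.get(short)
            if expect and paths and expect not in paths[-1].lower():
                findings.append(Finding(sec, f"service '{short}' should run from {expect}", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against the sample it reports nine findings, all on the entries MBAM later quarantined, and nothing for the Webroot service or the default IE start page.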




#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 26 July 2008 - 05:40 PM

Hello Infatr8 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 Infatr8 (Topic Starter)

  • Members
  • 3 posts

Posted 27 July 2008 - 06:47 PM

Thank you for your help Thunder.

Here is the MBAM log.




Malwarebytes' Anti-Malware 1.23
Database version: 997
Windows 5.1.2600 Service Pack 2

1:34:50 AM 7/27/2008
mbam-log-7-27-2008 (01-34-50).txt

Scan type: Quick Scan
Objects scanned: 40932
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 6
Registry Data Items Infected: 8
Folders Infected: 4
Files Infected: 32

Memory Processes Infected:
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kdfgj83ke.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-3604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-3604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-3604812c897d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5bba03d0-78fe-43b5-8d23-81eb74934ce7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e5646f36-145e-4f1d-b6d1-87c5efc5ba1c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0cc59d6-3f56-4e03-8176-697e38b5f3c6}\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c0cc59d6-3f56-4e03-8176-697e38b5f3c6}\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c0cc59d6-3f56-4e03-8176-697e38b5f3c6}\NameServer (Trojan.DNSChanger) -> Data: 208.67.220.220,208.67.222.222 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Infected (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Suspicious (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Start Menu\Programs\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kdfgj83ke.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\WIND.EXE (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avira_ss.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hombho.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sla32.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\e59ec423.sys (Rootkit.Agent) -> Delete on reboot.
C:\cuhv.exe (Spyware.Banker) -> Quarantined and deleted successfully.
C:\win.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\xxdxsn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Local Settings\Temp\2D5D.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Local Settings\Temp\a.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\number.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Antispyware-2008.exe (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\vscan.tsi (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\zlib.dll (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Start Menu\Programs\Antispyware 2008\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Application Data\Microsoft\Internet Explorer\Quick Launch\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurcredo.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\d1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMe328cf8f.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMe328cf8f.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Desktop\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bernie\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.




I had an issue with ComboFix. I let the computer sit for over 10 hours waiting for it to finish the first time, and it never did. So I ran it again, and here is the log.




ComboFix 08-07-26.1 - Bernie 2008-07-27 17:24:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -6:00]
Running from: C:\Documents and Settings\Bernie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Bernie\Application Data\macromedia\Flash Player\#SharedObjects\5KWJVBLZ\interclick.com
C:\Documents and Settings\Bernie\Application Data\macromedia\Flash Player\#SharedObjects\5KWJVBLZ\interclick.com\ud.sol
C:\Documents and Settings\Bernie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Bernie\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\vFLklnmp.ini
C:\WINDOWS\system32\vFLklnmp.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 01:27 . 2008-07-27 01:27 <DIR> d-------- C:\Documents and Settings\Bernie\Application Data\Malwarebytes
2008-07-27 01:27 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 01:27 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 01:26 . 2008-07-27 01:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:26 . 2008-07-27 01:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 02:36 . 2008-07-26 02:36 <DIR> d-------- C:\Deckard
2008-07-26 01:19 . 2008-07-26 01:43 <DIR> d-------- C:\VundoFix Backups
2008-07-25 22:45 . 2008-07-25 22:45 <DIR> d-------- C:\Documents and Settings\Bernie\Application Data\TrojanHunter
2008-07-25 21:20 . 2008-07-27 02:07 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-07-25 21:01 . 2008-07-25 21:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 16:32 . 2008-07-25 23:54 311 --a------ C:\WINDOWS\wininit.ini
2008-07-25 15:05 . 2008-07-25 15:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 15:05 . 2008-07-25 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 15:39 . 2008-07-24 15:40 <DIR> d-------- C:\Program Files\jZip
2008-07-24 15:11 . 2008-07-24 15:12 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-24 14:55 . 2008-07-12 13:30 47 --a------ C:\Documents and Settings\Bernie\readme.bat
2008-07-24 14:55 . 2008-07-24 14:56 2 --a------ C:\-535036740
2008-07-22 01:47 . 2008-07-22 01:48 <DIR> d-------- C:\Program Files\DivX
2008-07-02 08:03 . 2008-07-02 08:03 591,296 --a------ C:\WebmailPlugin.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 08:30 --------- d-----w C:\Program Files\Java
2008-07-26 07:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rosetta Stone DEMO
2008-07-23 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-21 04:19 --------- d-----w C:\Program Files\QuickTime
2008-07-21 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-17 22:09 --------- d-----w C:\Program Files\Atheros
2008-07-10 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-27 19:58 --------- d-----w C:\Documents and Settings\Bernie\Application Data\CoreFTP
2008-06-25 07:18 --------- d-----w C:\Program Files\Starfield
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 05:27 --------- d-----w C:\Documents and Settings\Bernie\Application Data\IrfanView
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-11 00:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-06-10 13:39 --------- d-----w C:\Documents and Settings\Bernie\Application Data\Apple Computer
2008-06-08 07:36 --------- d-----w C:\Program Files\IrfanView
2008-06-07 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-07 05:40 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-07 05:39 --------- d-----w C:\Program Files\Rosetta Stone
2008-06-07 01:00 --------- d-----w C:\Program Files\Alarian2
2008-06-06 12:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-06 11:20 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-06 11:20 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-06-06 11:09 --------- d-----w C:\Documents and Settings\Bernie\Application Data\fretsonfire
2008-06-06 10:22 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-06 10:18 --------- d-----w C:\Program Files\MobilityDotNET
2008-06-06 09:45 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-06 09:45 --------- d-----w C:\Documents and Settings\Bernie\Application Data\SystemRequirementsLab
2008-06-06 09:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-06 09:42 --------- d-----w C:\Program Files\ATI Technologies
2008-06-06 09:26 --------- d-----w C:\Program Files\Unsigned
2008-06-05 09:32 --------- d-----w C:\Program Files\HP
2008-06-05 09:32 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-28 12:22 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-28 12:22 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-28 12:21 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-28 12:21 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-27 23:42 --------- d-----w C:\Program Files\PHP Editor
2008-05-27 07:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-22 14:12 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-22 14:12 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-22 14:12 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "C:\WINDOWS\system32\RadExe.dll" [2004-08-30 22:08 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 01:55]
S1 e59ec423;e59ec423;C:\WINDOWS\system32\drivers\e59ec423.sys []
S3 wampapache;wampapache;c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe [2008-01-18 01:37]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld []
.
.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O18 -: Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - C:\Program Files\CoreFTP\pftpns.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 17:26:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-07-27 17:28:09
ComboFix-quarantined-files.txt 2008-07-27 23:27:59

Pre-Run: 63,188,144,128 bytes free
Post-Run: 63,176,331,264 bytes free

141 --- E O F --- 2008-07-13 23:58:07

Here is a new HijackThis log, run after everything else had completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:17 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201856778324
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201858220596
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4895 bytes

#4 Thunder

  • Members
  • 3,294 posts
  • Gender: Male
  • Location: Belgium

Posted 30 July 2008 - 03:33 AM

Looking good, Infatr8

Go to Start > Run, copy and paste the next command in the field: sc delete e59ec423 and click OK/Enter.
Then you can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 Infatr8

  • Topic Starter
  • Members
  • 3 posts

Posted 30 July 2008 - 07:09 AM

Thanks for all of your help Thunder.

#6 Thunder

  • Members
  • 3,294 posts
  • Gender: Male
  • Location: Belgium

Posted 30 July 2008 - 04:32 PM

Glad we could help, Infatr8

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place,
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.