Bloodhound.exploit.6


69 replies to this topic (topic locked)

#1 BigDaddyV


Posted 10 August 2008 - 01:03 AM



Hey there, I'm usually good while surfing (and ain't a new-:) but a fake Flash Player update popup got me and now I'm infected... so can you help? My desktop has been switched, file security option removed, restricted sites altered and a lot more.
I've downloaded and run HijackThis, and below is the log result.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:37 AM, on 7/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\lphc3w7j0epfe.exe
C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\msserv.exe
C:\WINDOWS\iexplorer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Program Files\X1\X1.exe
D:\program files\x1\X1Systray.exe
D:\Program Files\X1\X1Service.exe
D:\Program Files\X1\textExtractor.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\drivers\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [lphc3w7j0epfe] C:\WINDOWS\System32\lphc3w7j0epfe.exe
O4 - HKLM\..\Run: [SMrhc7w7j0epfe] C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\qopmfisn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.keepandshare.com/imageuploader4...geUploader4.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 7293 bytes


How bad is it, doc? :thumbsup:


#2 Shaba


Posted 10 August 2008 - 08:17 AM

Hi BigDaddyV

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Microsoft MVP Consumer Security

#3 BigDaddyV


Posted 10 August 2008 - 09:35 AM

Well Shaba,
I disconnected the PC from the net as soon as I noticed the take-over (which was 2 weeks ago). I have a router and good firewalls in place, so I'm willing to try to clean the system before a complete format and reinstall.
Funny that my local McAfee vscan didn't detect it, but I haven't updated the DAT files in a few months... my bad.

Let's try to clean the system please... I'm willing and understand the risks.

Let's get 'em

TNX

#4 Shaba


Posted 10 August 2008 - 09:37 AM

Then this is the first step:

We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2 and SP3)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.

#5 BigDaddyV


Posted 10 August 2008 - 09:52 AM

Will I have to connect the infected PC to the Net to complete the Windows updates? Because I was trying to avoid going online again until it's cleaned.
Do you have a link to the network administrator updates? These should allow me to download the updates to a clean PC, transfer them over to the infected PC (via USB key), then run them without requiring net access.

#6 Shaba


Posted 10 August 2008 - 09:55 AM

Well, I gave you the link for SP1a. You can download it via another computer and transfer it via USB stick. Other updates can wait, as SP1 is the most crucial one; without it bots will come back even if we remove them.

#7 BigDaddyV


Posted 10 August 2008 - 11:50 PM

OK, I ran SP1a as much as possible, rebooted and ran HJT again. Now the log that is created by HJT (txt file) is getting deleted by McAfee when I attempt to transfer the file to my clean PC for upload. I had to play tricks just to upload the log to you... but here it is.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:10 AM, on 8/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\HijackThis\HijackThis.exe
D:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Program Files\Network Associates\VirusScan\scan32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [lphc3w7j0epfe] C:\WINDOWS\System32\lphc3w7j0epfe.exe
O4 - HKLM\..\Run: [SMrhc7w7j0epfe] C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\qopmfisn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.keepandshare.com/imageuploader4...geUploader4.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 6345 bytes

#8 Shaba


Posted 11 August 2008 - 06:27 AM

SP1a isn't installed, as can be seen from the log:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Please try again :thumbsup:

#9 BigDaddyV


Posted 11 August 2008 - 07:18 AM

The update attempts to connect to the internet, and so I've stopped there (see attachment).
Do you want me to connect and complete the update even though I'm still infected?

Attached Files



#10 Shaba


Posted 11 August 2008 - 07:19 AM

Yes, connect to internet during SP1a installation and disconnect after that again, please.

#11 BigDaddyV


Posted 11 August 2008 - 09:36 AM

OK, done. New HJT log below...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:13 AM, on 8/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\msserv.exe
D:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [lphc3w7j0epfe] C:\WINDOWS\System32\lphc3w7j0epfe.exe
O4 - HKLM\..\Run: [SMrhc7w7j0epfe] C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\bqltymfp.dll",b
O4 - HKLM\..\Run: [BM1fcffec3] Rundll32.exe "C:\WINDOWS\System32\fqrloldf.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.keepandshare.com/imageuploader4...geUploader4.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 7433 bytes
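An added example, not part of the thread and not code from HijackThis or SDFix: the checks a helper applies by eye to the O4 (Run-key) lines in these logs, written out as a small Python script. It flags the entries that stand out in the first log (a svchost.exe launched from System32\drivers, executables dropped straight into C:\WINDOWS, a bare msconfg.exe with no path, a rundll32 line calling a one-letter export, a hex-string value name, a value name that is its own path, and a long hex blob passed as an argument), and it diffs the post #7 and post #11 logs, which is how you notice that the 1cfccd5f entry changed its DLL from qopmfisn.dll to bqltymfp.dll and a second entry, BM1fcffec3, appeared between the two runs. The log excerpts are copied from the thread; the function names, the heuristics, the look-alike table and the system-binary list are this example's own assumptions.

```python
"""Triage HijackThis O4 (Run-key) entries and diff two logs.
Added example for this thread, not code from the posts, from HijackThis or
from SDFix. The two excerpts are O4 lines copied from the logs in posts #7
and #11; the heuristics, names and look-alike table are assumptions.
"""
import re

LOG_POST7 = r"""
O4 - HKLM\..\Run: [lphc3w7j0epfe] C:\WINDOWS\System32\lphc3w7j0epfe.exe
O4 - HKLM\..\Run: [SMrhc7w7j0epfe] C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\qopmfisn.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
"""

LOG_POST11 = r"""
O4 - HKLM\..\Run: [lphc3w7j0epfe] C:\WINDOWS\System32\lphc3w7j0epfe.exe
O4 - HKLM\..\Run: [SMrhc7w7j0epfe] C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\bqltymfp.dll",b
O4 - HKLM\..\Run: [BM1fcffec3] Rundll32.exe "C:\WINDOWS\System32\fqrloldf.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\iexplorer.exe --system
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
"""

O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
WINDIR = r"c:\windows"
# Binary names malware borrows to blend into a process list (assumed list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
                "services.exe", "csrss.exe", "smss.exe"}
# Near-misses of real Windows binaries (assumed table, not exhaustive).
LOOKALIKES = {"iexplorer.exe": "iexplore.exe", "msconfg.exe": "msconfig.exe"}

def parse_o4(log_text):
    """Map (hive, value name) -> command line for every O4 Run entry."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3).strip()
    return entries

def first_executable(command):
    """Program an O4 command line launches, whether quoted or not."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def assess(name, command):
    """Reasons an entry deserves a closer look; empty list means none found."""
    low = first_executable(command).lower()
    folder, _, base = low.rpartition("\\")
    reasons = []
    if not folder and base != "rundll32.exe":
        reasons.append("bare file name, resolved through PATH search")
    if base in LOOKALIKES:
        reasons.append("name mimics " + LOOKALIKES[base])
    if folder == WINDIR:
        reasons.append("executable dropped directly into the Windows directory")
    if base in SYSTEM_NAMES and folder not in (WINDIR, WINDIR + r"\system32"):
        reasons.append("system binary name launched from a non-system path")
    if base == "rundll32.exe" and re.search(r'\.dll"?\s*,\s*[a-z]\s*$', command, re.I):
        reasons.append("rundll32 calling a one-letter export of a DLL")
    if re.fullmatch(r"(bm)?[0-9a-f]{8}", name.lower()):
        reasons.append("value name is a hex-like string")
    if re.search(r"\b[0-9A-F]{32,}\b", command):
        reasons.append("long hex blob passed as an argument")
    if name.lower() == low:
        reasons.append("value name is the executable's own path")
    stem = base.rsplit(".", 1)[0]
    if len(stem) >= 10 and re.search(r"\d", stem) and re.search(r"[a-z]", stem):
        reasons.append("random-looking mixed letter/digit file name")
    return reasons

def triage(log_text):
    """Value name -> reasons, for the entries that have at least one."""
    return {name: r for (_hive, name), cmd in parse_o4(log_text).items()
            if (r := assess(name, cmd))}

def diff_autoruns(old_text, new_text):
    """Keys that appeared, disappeared or changed target between two logs."""
    old, new = parse_o4(old_text), parse_o4(new_text)
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}
```

triage() returns a dictionary of value name to reasons, and diff_autoruns() returns the keys that were added, removed or retargeted. The "changed" result is the point of diffing: a loader that re-registers under a fresh random DLL name between boots will not stay fixed by deleting one file name, which is why the helper asks for a new log after every step. The random-name rule is the weakest of the checks and will flag some legitimate vendor files; treat it as a prompt to look, not a verdict.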

#12 Shaba


Posted 11 August 2008 - 09:37 AM

We will start with this:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#13 BigDaddyV


Posted 11 August 2008 - 10:27 AM

Completed successfully... here are the new logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:42 AM, on 8/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Microsoft Office\Office10\msoffice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\bqltymfp.dll",b
O4 - HKLM\..\Run: [BM1fcffec3] Rundll32.exe "C:\WINDOWS\System32\fqrloldf.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.keepandshare.com/imageuploader4...geUploader4.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 6622 bytes



-------------------------------------------------------------------------------------------------------------------


SDFix: Version 1.215
Run by Vinton on Mon 08/11/2008 at 11:05 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value

Rebooting

Service Hor56 - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lphc3w7j0epfe.exe - Deleted
C:\Program Files\rhc7w7j0epfe\database.dat - Deleted
C:\Program Files\rhc7w7j0epfe\license.txt - Deleted
C:\Program Files\rhc7w7j0epfe\MFC71.dll - Deleted
C:\Program Files\rhc7w7j0epfe\MFC71ENU.DLL - Deleted
C:\Program Files\rhc7w7j0epfe\msvcp71.dll - Deleted
C:\Program Files\rhc7w7j0epfe\msvcr71.dll - Deleted
C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe - Deleted
C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfe.exe.local - Deleted
C:\Program Files\rhc7w7j0epfe\rhc7w7j0epfeSkin.dll - Deleted
C:\Program Files\rhc7w7j0epfe\Uninstall.exe - Deleted
C:\WINDOWS\system32\geBtQKbb.dll - Deleted
C:\WINDOWS\SYSTEM32\PHC3W7~1.BMP - Deleted
C:\WINDOWS\system32\kdzpg.exe - Deleted
C:\WINDOWS\system32\blphc3w7j0epfe.scr - Deleted
C:\WINDOWS\system32\drivers\Hor56.sys - Deleted



Folder C:\Program Files\rhc7w7j0epfe - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 11:14:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 3 Jan 2008 48 ..SH. --- "C:\WINDOWS\S960D9636.tmp"
Wed 9 Jul 2008 41,723 ..SH. --- "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
Tue 29 Nov 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Sun 18 Jul 2004 6,838 A..H. --- "C:\Documents and Settings\Lisa\Local Settings\Temp\Off93.tmp"
Tue 20 Jul 2004 6,838 A..H. --- "C:\Documents and Settings\Vinton\Local Settings\Temp\Off1.tmp"
Tue 20 Jul 2004 6,838 A..H. --- "C:\Documents and Settings\Vinton\Local Settings\Temp\Off2.tmp"
Tue 14 Dec 2004 9,238 A..H. --- "C:\Documents and Settings\Vinton\Local Settings\Temp\Off3.tmp"
Wed 2 Jul 2008 31,744 ...H. --- "C:\Documents and Settings\Vinton\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 8 Sep 2004 0 ...H. --- "C:\Documents and Settings\Vinton\Application Data\Microsoft\Word\~WRL0928.tmp"
Sun 6 Feb 2005 0 ...H. --- "C:\Documents and Settings\Vinton\Application Data\Microsoft\Word\~WRL3891.tmp"
Sun 6 Feb 2005 0 ...H. --- "C:\Documents and Settings\Vinton\Application Data\Microsoft\Word\~WRL4061.tmp"
Wed 9 Jul 2008 7,798 A..H. --- "C:\Documents and Settings\Lisa\Application Data\Microsoft\Office\Shortcut Bar\Off93.tmp"
Mon 11 Aug 2008 10,198 A..H. --- "C:\Documents and Settings\Vinton\Application Data\Microsoft\Office\Shortcut Bar\Off3.tmp"

Finished!

#14 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:37 AM

Posted 11 August 2008 - 10:37 AM

Looks better :thumbsup:

Rename HijackThis.exe to BigDaddyV.exe.

After that:

Next we will use ComboFix. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Microsoft MVP Consumer Security

#15 BigDaddyV

BigDaddyV
  • Topic Starter

  • Members
  • 35 posts
  • Local time:11:37 PM

Posted 11 August 2008 - 03:02 PM

Shaba, things are running better, but I still don't have access to the security tab on files and folders, and still can't copy a file from the infected PC to another without McAfee finding Bloodhound.exploit.6.

Desktop wallpaper is back though... thanks, I needed that.

Getting two errors during startup
1 - RUNDLL - Error loading C:\Windows\System32\bqltymfp.dll
2 - RUNDLL - Error loading C:\Windows\System32\fqrloldf.dll

Here are the latest logs...




ComboFix 08-08-10.05 - Vinton 2008-08-11 14:56:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.41 [GMT -4:00]
Running from: C:\Documents and Settings\Vinton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vinton\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\Vinton\Local Settings\Temporary Internet Files\zap14.tmp
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\BM1fcffec3.txt
C:\WINDOWS\BM1fcffec3.xml
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\msserv.config
C:\WINDOWS\msserv.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aWOggFuU.dll
C:\WINDOWS\system32\back.exe.exe
C:\WINDOWS\system32\bqltymfp.dll
C:\WINDOWS\system32\bsnped.dll
C:\WINDOWS\system32\byXRhFXO.dll
C:\WINDOWS\system32\cbXNEuUM.dll
C:\WINDOWS\system32\ddcCvsro.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\fqrloldf.dll
C:\WINDOWS\system32\geBsstUN.dll
C:\WINDOWS\system32\hgGwTKDw.dll
C:\WINDOWS\system32\iifCVmml.dll
C:\WINDOWS\system32\jglykfbf.dll
C:\WINDOWS\system32\kb9253228.exe
C:\WINDOWS\system32\kb9253289.exe
C:\WINDOWS\system32\ljJBQGAS.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nsifmpoq.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfmytlqb.ini
C:\WINDOWS\system32\qopmfisn.dll
C:\WINDOWS\system32\SAGQBJjl.ini
C:\WINDOWS\system32\SAGQBJjl.ini2
C:\WINDOWS\system32\shffhpts.ini
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tuvVNHaY.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\yayxxXND.dll
C:\WINDOWS\wiaservb.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MICROSOFT_INT_SERVICE
-------\Service_Microsoft Int Service


((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 11:03 . 2008-08-11 11:03 560,128 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-11 11:01 . 2008-08-11 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-11 10:59 . 2008-08-11 11:17 <DIR> d-------- C:\SDFix
2008-08-11 09:42 . 2008-08-11 09:42 2,048 --a------ C:\WINDOWS\system32\kaynecvl.exe
2008-08-11 09:34 . 2008-08-11 09:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-11 09:34 . 2008-08-11 09:34 <DIR> d-------- C:\WINDOWS\ehome
2008-08-11 09:12 . 2002-08-29 06:41 599,040 --a------ C:\WINDOWS\system32\wininet.dll
2008-08-11 09:12 . 2002-08-29 06:41 266,752 --a------ C:\WINDOWS\winhlp32.exe
2008-08-11 09:12 . 2002-08-29 06:41 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2008-08-11 09:12 . 2002-08-29 06:41 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2008-08-11 09:12 . 2002-08-29 06:39 89,600 --a------ C:\WINDOWS\system32\wmidx.ocx
2008-08-11 09:12 . 2002-08-29 06:41 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2008-08-11 09:12 . 2002-08-29 06:39 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2008-08-11 09:12 . 2002-08-29 06:41 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2008-08-11 09:09 . 2002-08-29 06:41 674,816 --a------ C:\WINDOWS\system32\sxs.dll
2008-08-11 09:09 . 2002-08-29 06:41 233,984 --a------ C:\WINDOWS\system32\tapisrv.dll
2008-08-11 09:09 . 2002-08-29 06:39 205,312 --a------ C:\WINDOWS\system32\sysmon.ocx
2008-08-11 09:09 . 2002-08-29 06:41 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2008-08-11 09:09 . 2002-08-29 06:41 165,376 --a------ C:\WINDOWS\system32\tapi32.dll
2008-08-11 09:09 . 2002-08-29 06:41 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2008-08-11 09:09 . 2002-08-29 06:41 71,168 --a------ C:\WINDOWS\system32\telnet.exe
2008-08-11 09:06 . 2002-08-29 06:41 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2008-08-11 09:05 . 2002-08-29 06:41 1,349,120 --a------ C:\WINDOWS\system32\query.dll
2008-08-11 09:04 . 2002-08-29 06:41 3,494,303 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-11 09:03 . 2002-08-29 06:41 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll
2008-08-11 09:03 . 2002-08-29 06:41 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll
2008-08-11 09:03 . 2002-08-29 06:41 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2008-08-11 09:03 . 2002-08-29 06:41 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2008-08-11 09:03 . 2002-08-29 06:41 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2008-08-11 09:01 . 2002-08-29 06:41 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2008-08-11 09:00 . 2002-08-29 06:41 1,122,304 --a------ C:\WINDOWS\system32\msxml3.dll
2008-08-11 08:59 . 2002-08-29 06:41 552,991 --a------ C:\WINDOWS\system32\msrepl40.dll
2008-08-11 08:59 . 2002-08-29 06:41 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2008-08-11 08:59 . 2002-08-29 06:41 348,191 --a------ C:\WINDOWS\system32\mspbde40.dll
2008-08-11 08:59 . 2002-08-29 06:41 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2008-08-11 08:59 . 2002-08-29 06:41 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll
2008-08-11 08:59 . 2002-08-29 06:41 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2008-08-11 08:59 . 2002-08-29 06:41 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2008-08-11 08:59 . 2002-08-29 06:41 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2008-08-11 08:59 . 2002-08-29 06:41 69,632 --a------ C:\WINDOWS\system32\msscds32.ax
2008-08-11 08:59 . 2002-08-29 06:41 10,240 --a------ C:\WINDOWS\system32\msrle32.dll
2008-08-11 08:58 . 2002-08-29 06:41 1,503,262 --a------ C:\WINDOWS\system32\msjet40.dll
2008-08-11 08:58 . 2002-08-29 06:41 368,710 --a------ C:\WINDOWS\system32\msisam11.dll
2008-08-11 08:58 . 2002-08-29 06:41 348,195 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2008-08-11 08:58 . 2002-08-29 06:41 241,695 --a------ C:\WINDOWS\system32\msjtes40.dll
2008-08-11 08:58 . 2002-08-29 06:41 229,888 --a------ C:\WINDOWS\system32\msieftp.dll
2008-08-11 08:58 . 2002-08-29 06:41 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2008-08-11 08:58 . 2002-08-29 06:41 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2008-08-11 08:58 . 2002-08-29 06:41 22,528 --a------ C:\WINDOWS\system32\mslbui.dll
2008-08-11 08:58 . 2002-08-29 06:41 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2008-08-11 08:56 . 2002-08-29 06:41 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2008-08-11 08:55 . 2002-08-29 06:41 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2008-08-11 08:55 . 2002-08-29 06:41 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2008-08-11 08:55 . 2002-08-29 06:41 219,648 --a------ C:\WINDOWS\system32\logon.scr
2008-08-11 08:55 . 2002-08-29 06:41 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2008-08-11 08:55 . 2002-08-29 06:41 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2008-08-11 08:55 . 2002-08-29 06:41 10,240 --a------ C:\WINDOWS\system32\localui.dll
2008-08-11 08:51 . 2002-08-29 06:39 290,816 --a------ C:\WINDOWS\system32\l3codeca.acm
2008-08-11 08:51 . 2002-08-29 06:41 272,896 --a------ C:\WINDOWS\system32\kerberos.dll
2008-08-11 08:51 . 2002-08-29 06:40 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2008-08-11 08:51 . 2002-08-29 06:40 122,368 --a------ C:\WINDOWS\system32\itss.dll
2008-08-11 08:51 . 2002-08-29 06:40 91,648 --a------ C:\WINDOWS\system32\iuctl.dll
2008-08-11 08:51 . 2002-08-29 06:41 65,536 --a------ C:\WINDOWS\system32\joy.cpl
2008-08-11 08:51 . 2002-08-29 06:40 49,664 --a------ C:\WINDOWS\system32\ixsso.dll
2008-08-11 08:51 . 2002-08-29 00:23 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2008-08-11 08:51 . 2002-08-29 04:05 7,040 --a------ C:\WINDOWS\system32\kd1394.dll
2008-08-11 08:49 . 2002-08-29 06:41 613,888 --a------ C:\WINDOWS\system32\mqqm.dll
2008-08-11 08:48 . 2002-04-22 21:18 766,934 --a------ C:\WINDOWS\system32\instcat.sql
2008-08-11 08:47 . 2002-08-29 06:40 559,616 --a------ C:\WINDOWS\system32\fxsst.dll
2008-08-11 08:46 . 2002-08-29 06:40 380,445 --a------ C:\WINDOWS\system32\expsrv.dll
2008-08-11 08:46 . 2002-08-29 06:40 82,432 --a------ C:\WINDOWS\system32\fldrclnr.dll
2008-08-11 08:46 . 2002-08-29 06:40 66,560 --a------ C:\WINDOWS\system32\faultrep.dll
2008-08-11 08:46 . 2002-08-29 06:41 19,456 --a------ C:\WINDOWS\system32\fontview.exe
2008-08-11 08:46 . 2002-06-14 21:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-08-11 08:44 . 2002-08-29 06:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-08-11 08:44 . 2002-08-29 06:40 225,280 --a------ C:\WINDOWS\system32\es.dll
2008-08-11 08:44 . 2002-08-29 06:41 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe
2008-08-11 08:44 . 2002-08-29 06:40 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2008-08-11 08:42 . 2002-08-29 06:40 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-08-11 08:41 . 2002-08-29 06:40 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll
2008-08-11 08:41 . 2002-08-29 06:40 238,592 --a------ C:\WINDOWS\system32\compatui.dll
2008-08-11 08:41 . 2002-08-29 06:41 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2008-08-11 08:41 . 2002-08-29 06:40 64,512 --a------ C:\WINDOWS\system32\ciodm.dll
2008-08-11 08:41 . 2002-08-29 06:40 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2008-08-11 08:41 . 2002-08-29 06:41 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe
2008-08-11 08:39 . 2002-08-29 06:40 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2008-08-11 08:39 . 2002-08-29 06:40 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2008-08-11 08:39 . 2002-08-29 06:40 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2008-08-11 08:39 . 2002-08-29 06:40 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2008-08-11 08:39 . 2002-08-29 06:41 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2008-08-11 08:39 . 2002-08-29 06:40 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2008-08-11 08:39 . 2002-08-29 06:40 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2008-08-11 08:39 . 2002-08-29 06:41 41,984 --a------ C:\WINDOWS\system32\alg.exe
2008-08-11 08:39 . 2002-08-29 04:05 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2008-08-09 14:44 . 2008-08-09 14:44 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 21:45 13,012 ----a-w C:\Documents and Settings\Lisa\Bubblets.dat
2007-10-30 17:07 13,012 ----a-w C:\Documents and Settings\Vinton\Bubblets.dat
2004-11-07 15:11 74,392 ----a-w C:\Documents and Settings\Vinton\Application Data\GDIPFONTCACHEV1.DAT
2004-07-17 23:42 271 --sh--w C:\Program Files\desktop.ini
2004-07-17 23:42 21,952 ---ha-w C:\Program Files\folder.htt
2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 06:41 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 06:41 13312]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 07:00 90182]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 06:00 139347]
"cpqek"="C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe" [2001-10-23 10:16 73728]
"WinampAgent"="D:\Program Files\Winamp\Winampa.exe" [2003-04-01 22:20 12288]
"mmtask"="D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-22 19:20 53248]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 10:16 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-06-14 10:28 851968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]
"InCD"="D:\Program Files\Ahead\InCD\InCD.exe" [2004-09-07 09:25 1400944]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2005-01-30 21:24:34 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Int Service"=2 (0x2)

R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 10:42]
S3 870cc79c-f3d1-46da-8887-ad1507827a7a;870cc79c-f3d1-46da-8887-ad1507827a7a;G:\Player\cds300.dll []
.
Contents of the 'Scheduled Tasks' folder

2007-12-12 C:\WINDOWS\Tasks\shutdown.exe.job
- C:\Documents and Settings\Vinton\Desktop\shutdown.exe.lnk [2007-12-11 23:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HijackThis startup scan - D:\Program Files\HijackThis\HijackThis.exe
HKLM-Run-C:\WINDOWS\System32\kdzpg.exe - C:\WINDOWS\system32\kdzpg.exe
HKLM-Run-1cfccd5f - C:\WINDOWS\System32\bqltymfp.dll
HKLM-Run-BM1fcffec3 - C:\WINDOWS\System32\fqrloldf.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Vinton\Application Data\Mozilla\Firefox\Profiles\nwzrvd5r.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 15:27:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\System32\\kdzpg.exe"="C:\\WINDOWS\\system32\\kdzpg.exe"
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Microsoft Office\Office10\MSOFFICE.EXE
.
**************************************************************************
.
Completion time: 2008-08-11 15:33:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 19:33:12

Pre-Run: 5,788,672,000 bytes free
Post-Run: 6,389,448,704 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

251



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:30 PM, on 8/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UPSAPPS\DSCommon\TOOLS\DSPrintKey.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] D:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.keepandshare.com/imageuploader4...geUploader4.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

--
End of file - 7037 bytes
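The two "RUNDLL - Error loading" messages reported above are what an autorun entry produces once the DLL it points at has been deleted but the Run value has not. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small triage script over the O4 lines of the first log in this thread: it extracts the file each entry really launches, including the DLL behind a rundll32.exe entry, applies a few cheap heuristics and, given a constructed set of files still present on disk after cleanup, reports which entries are orphaned. The sample lines, the "present" file set and the heuristic names are assumptions of this example.

```python
"""Triage of HijackThis O4 autorun entries (added example, not from this thread).

Assumptions (mine, not the poster's or HijackThis's): the O4 line format shown in
the logs above, a constructed list of files that are still on disk, and the
heuristic names used below.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdzpg.exe] C:\WINDOWS\system32\kdzpg.exe
O4 - HKLM\..\Run: [1cfccd5f] rundll32.exe "C:\WINDOWS\System32\bqltymfp.dll",b
O4 - HKLM\..\Run: [BM1fcffec3] Rundll32.exe "C:\WINDOWS\System32\fqrloldf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed: files still on disk after SDFix/ComboFix removed the malware files.
# Lookups are case-insensitive, as NTFS paths are.
PRESENT_AFTER_CLEANUP = {
    r"D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE",
    r"C:\WINDOWS\system32\NeroCheck.exe",
    r"C:\WINDOWS\System32\ctfmon.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First token of a command line: a quoted path, or an unquoted path up to a known extension
# (unquoted paths containing spaces, e.g. C:\Program Files\...\cpqek.exe, occur in these logs).
TARGET_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|cpl)))', re.IGNORECASE)
HEXISH_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # value names like 1cfccd5f / BM1fcffec3


@dataclass
class Autorun:
    hive: str
    name: str            # registry value name, e.g. "1cfccd5f"
    command: str         # full command line as logged
    target: str          # file actually launched (the DLL for rundll32 entries)
    via_rundll32: bool
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one 'O4 - HKxx\\..\\Run:' line; other O4 forms (Global Startup) return None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    via_rundll32 = False
    rest = cmd
    first = TARGET_RE.match(cmd)
    if first and (first.group("q") or first.group("u")).lower().endswith("rundll32.exe"):
        # rundll32.exe "<dll>",<export>: the DLL is what really runs at logon
        via_rundll32 = True
        rest = cmd[first.end():].lstrip()
    t = TARGET_RE.match(rest)
    target = (t.group("q") or t.group("u")) if t else rest.split(",")[0].strip()
    return Autorun(m.group("hive"), m.group("name"), cmd, target, via_rundll32)


def flag(entry: Autorun, present_lower: Set[str]) -> Autorun:
    """Attach cheap heuristic flags; an empty list means nothing stood out."""
    if HEXISH_NAME_RE.match(entry.name):
        entry.flags.append("hex-like value name")
    if "\\" in entry.name:
        entry.flags.append("value name is a file path")
    if entry.via_rundll32 and "\\system32\\" in entry.target.lower():
        entry.flags.append("rundll32 loads a DLL from System32")
    if entry.target.lower() not in present_lower:
        note = "orphaned: target missing on disk"
        if entry.via_rundll32:
            note += f" (logon will show: RUNDLL - Error loading {entry.target})"
        entry.flags.append(note)
    return entry


def triage(log_text: str, present: Iterable[str]) -> List[Autorun]:
    present_lower = {p.lower() for p in present}
    return [flag(e, present_lower) for e in map(parse_o4, log_text.splitlines()) if e]


def suspicious(entries: List[Autorun]) -> List[Autorun]:
    return [e for e in entries if e.flags]


def by_name(entries: List[Autorun]) -> dict:
    return {e.name: e for e in entries}


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_HJT_O4, PRESENT_AFTER_CLEANUP)):
        print(f"{e.hive} [{e.name}] -> {e.target}")
        for f in e.flags:
            print("   -", f)
```

Run against a real HijackThis log, the "present" set would come from checking each target path on the machine; the three flagged entries here are exactly the ones ComboFix later listed under "ORPHANS REMOVED".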



