
Please Help With Trojan


11 replies to this topic

#1 spaulds

spaulds

  • Members
  • 6 posts

Posted 29 August 2008 - 04:04 PM

I have so many things wrong, have been working on this all day. I think I followed all the steps posted here. It started with slow computer and sounds blasts coming from nowhere. Then last night the PC shut down and wouldn't reboot. I went into safe mode,

I have run

LSPfix
Adaware
Moveit
Trend Micro Internet Security

I am now able to boot the computer in regular mode, but the sound blasts are still there, and occasional bursts of multiple windows opening that say "luckyclick..." in title

I have been working on this since last night, and then all day today. My brain is fried and I am going to take a break. I am hoping someone will have some advice when I get back. Thank you in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:26 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\DllHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINNT\system32\inf\svchosd.exe C:\WINNT\wftadfi16_080819a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINNT\system32\inf\svchoct.exe C:\WINNT\wftadfi16_080828a.dll tanlt88
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: zordisa.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 7165 bytes

-----this is from an earlier HijackThis run so you can see files I have disabled and deleted in case it makes something I missed pop out------
------please keep in mind I deleted a lot of things from the one below already-------------------------
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINNT\system32\AFinding.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINNT\system32\Nobicyt.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)
O23 - Service: roxtctm Settings storage service (roxtctm) - Unknown owner - C:\WINNT\system32\roxtctm.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINNT\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINNT\system32\tdxdowkc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINNT\system32\WServing.exe
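
The log above is the kind of thing a helper reads by eye, looking for system binaries running from the wrong directory, look-alike names, an AppInit_DLLs entry, and services with no vendor string. The script below is an added example, not something posted in this thread or part of HijackThis or any BleepingComputer tool: it parses a HijackThis log and applies those same heuristics automatically. The sample log is constructed from lines copied from the posted log plus two known-good lines; the rules, severity labels and the trick of locating %SystemRoot% from smss.exe are the example's own assumptions, not any tool's official logic.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the HijackThis log posted in this
# thread plus two known-good lines (smss.exe, the Java updater), so the script
# runs offline without a real log.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
c:\windows\svchost.exe
C:\WINNT\system32\inf\svchoct.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINNT\system32\inf\svchosd.exe C:\WINNT\wftadfi16_080819a.dll tanlt88
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O20 - AppInit_DLLs: zordisa.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINNT\system32\Nobicyt.exe
"""

# Windows binaries that only ever run from %SystemRoot%\System32. The same file
# name anywhere else, or a name one character off, is a classic masquerade.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - ")          # R0, O4, O23 ...
PATH_RE = re.compile(r"[a-zA-Z]:\\.*?\.(?:exe|dll|ocx|sys|scr|bat|bpl)\b", re.IGNORECASE)
EXE_URL_RE = re.compile(r"https?://\S+\.exe$", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into ("process", path) and (section, line) entries."""
    entries, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            entries.append(("process", line))
            continue
        m = SECTION_RE.match(line)
        if m:
            entries.append((m.group(1).upper(), line))
    return entries


def find_system_root(entries):
    """Locate %SystemRoot% from smss.exe, which always runs from System32."""
    for kind, line in entries:
        if kind == "process" and line.lower().endswith(r"\system32\smss.exe"):
            return line[: -len(r"\system32\smss.exe")]
    return None


def resembles(name, core):
    """True when name is the same length as core and differs in exactly one character."""
    return len(name) == len(core) and sum(a != b for a, b in zip(name, core)) == 1


def triage(text):
    """Return (severity, reason, line) findings for one HijackThis log."""
    entries = parse_log(text)
    root = find_system_root(entries)
    system32 = (root.lower() + r"\system32") if root else None
    findings = []
    for kind, line in entries:
        paths = [p.lower() for p in PATH_RE.findall(line)]
        for p in paths:
            parent, _, name = p.rpartition("\\")
            if name in CORE_SYSTEM_BINARIES:
                if system32 and parent != system32:
                    findings.append(("high", f"{name} loaded from {parent} instead of {system32}", line))
            else:
                for core in CORE_SYSTEM_BINARIES:
                    if resembles(name, core):
                        findings.append(("high", f"{name} is one character away from {core}", line))
        if kind == "O20" and line.partition("AppInit_DLLs:")[2].strip():
            findings.append(("high", "AppInit_DLLs loads this DLL into every process that loads user32.dll", line))
        if kind == "O23" and " - Unknown owner - " in line and paths \
                and not any("\\program files\\" in p for p in paths):
            findings.append(("medium", "service with no vendor string running from a system directory", line))
        if kind == "O4" and "policies\\explorer\\run" in line.lower():
            findings.append(("medium", "autorun via Policies\\Explorer\\Run, a Group Policy key ordinary software rarely uses", line))
        if kind == "O16" and EXE_URL_RE.search(line):
            findings.append(("medium", "ActiveX download point fetches a bare .exe", line))
    return findings


def summarize(text):
    """Severity counts, a quick verdict on a pasted log."""
    return Counter(sev for sev, _, _ in triage(text))


def flagged_lines(text):
    """The set of original log lines that produced at least one finding."""
    return {line for _, _, line in triage(text)}


if __name__ == "__main__":
    order = {"high": 0, "medium": 1}
    for sev, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {reason}\n         {line}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it as-is and it prints the findings for the sample, then the severity counts. Note what is deliberately not flagged: the Lavasoft service has a vendor string, and the Java updater is a normal Program Files path, so the rules stay quiet on them; a real log needs a human to read the remaining entries, but this ordering puts the entries worth a second look at the top.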


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 29 August 2008 - 06:41 PM

Hello spaulds

Welcome to BleepingComputer :thumbsup:
========================
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
===============================
First::
The first thing I will need you to do is to Download ONE of these anti-virus programs and install it.
These are free.
AVG free 8.0
Note this is free antispyware protection and Antivirus protection.
or
Antivir
=====================
Then::
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 spaulds

spaulds
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2008 - 07:51 PM

Hello Kahdah

Thank you for your quick response. I followed your instructions (I think). I had a problem rebooting; it took two tries, but it was able to boot the second try without having to go to safe mode. I am getting all kinds of error messages when it does boot.



ComboFix 08-08-29.02 - chris 08/29/2008 20:22:36.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1738 [GMT -4:00]
Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\CHRIS~1.SER\LOCALS~1\Temp\WowInitcode.dll
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\index.dat
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com\ud.sol
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\WINNT\dcbdcatys32_080823a.dll
C:\WINNT\dcbdcatys32_080828a.dll
C:\WINNT\Install.txt
C:\WINNT\system\sgcxcxxaspf080828.exe
C:\WINNT\system32\comsa32.sys
C:\WINNT\system32\dbi102.dll
C:\WINNT\system32\drivers\secdrv.sys
C:\WINNT\system32\inf\scsys16_080828.dll
C:\WINNT\system32\inf\sppdcrs080828.scr
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\inf\svchosd.exe
C:\WINNT\system32\Install.txt
C:\WINNT\system32\KarnaDrv.dll
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\mmchost.dll
C:\WINNT\system32\mywfhit.ini
C:\WINNT\system32\mywfhit.ini.tmp
C:\WINNT\system32\REGOBJ.DLL
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\syspilog.pil
C:\WINNT\system32\tmp0_185021627040.bk
C:\WINNT\system32\tmp0_203809273674.bk
C:\WINNT\system32\tmp0_71020647038.bk
C:\WINNT\system32\tmpacj0.exe
C:\WINNT\system32\zordisa.dll
C:\WINNT\tawisys.ini
C:\WINNT\Web\default.htt
C:\WINNT\wftadfi16_080828a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_seictrl
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_wserving


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 20:22 . 08-08-29 20:22 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_300.dat
2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster
2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack
2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-08-29 11:26 . 08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware
2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix
2008-08-23 16:51 . 08-08-23 16:51 <DIR> d-------- C:\WINNT\system32\1024
2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX
2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6
2008-08-21 05:14 . 08-08-21 05:14 <DIR> d-------- C:\windows
2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData
2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf
2008-08-10 18:13 . 08-08-10 18:13 12,586 --a------ C:\Program Files\wsv.exe
2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 14:36 --------- d-----w C:\Program Files\Google
2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars
2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon
2008-06-25 19:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2008-06-25 19:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL
2008-06-25 19:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2008-06-25 19:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2008-06-25 19:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll
2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll
2008-06-20 13:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-05-16 15:58 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini
2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt
2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2000-02-02 00:01 40,960 --sh--r C:\WINNT\system32\Karna1Drv.dll
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]


--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-08-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [combofix] C:\WINNT\system32\CF25768.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\1024\SVCHOST.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPSE Service (Messager) - Unknown owner - c:\windows\svchost.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 6894 bytes


Thank you for your help!!!

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 29 August 2008 - 08:47 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\wsv.exe
C:\WINNT\system32\Karna1Drv.dll
c:\windows\svchost.exe

Folder::
C:\WINNT\system32\1024

Driver::
Messager

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 spaulds

spaulds
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2008 - 09:09 PM

Hi Kahdah

It booted first shot this time...still an error message or two.


ComboFix 08-08-29.02 - chris 2008-08-29 21:53:29.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1763 [GMT -4:00]
Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chris.SERVER\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\wsv.exe
c:\windows\svchost.exe
C:\WINNT\system32\Karna1Drv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\wsv.exe
c:\windows\svchost.exe
C:\WINNT\system32\1024
C:\WINNT\system32\1024\svchost.exe
C:\WINNT\system32\Karna1Drv.dll
.
---- Previous Run -------
.
C:\DOCUME~1\CHRIS~1.SER\LOCALS~1\Temp\WowInitcode.dll
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\index.dat
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\#SharedObjects\742P5WW9\interclick.com\ud.sol
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Default User.WINNT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\WINNT\dcbdcatys32_080823a.dll
C:\WINNT\dcbdcatys32_080828a.dll
C:\WINNT\Install.txt
C:\WINNT\system\sgcxcxxaspf080828.exe
C:\WINNT\system32\comsa32.sys
C:\WINNT\system32\dbi102.dll
C:\WINNT\system32\drivers\secdrv.sys
C:\WINNT\system32\inf\scsys16_080828.dll
C:\WINNT\system32\inf\sppdcrs080828.scr
C:\WINNT\system32\inf\svchoct.exe
C:\WINNT\system32\inf\svchosd.exe
C:\WINNT\system32\Install.txt
C:\WINNT\system32\KarnaDrv.dll
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\mmchost.dll
C:\WINNT\system32\mywfhit.ini
C:\WINNT\system32\mywfhit.ini.tmp
C:\WINNT\system32\REGOBJ.DLL
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\syspilog.pil
C:\WINNT\system32\tmp0_185021627040.bk
C:\WINNT\system32\tmp0_203809273674.bk
C:\WINNT\system32\tmp0_71020647038.bk
C:\WINNT\system32\tmpacj0.exe
C:\WINNT\system32\zordisa.dll
C:\WINNT\tawisys.ini
C:\WINNT\Web\default.htt
C:\WINNT\wftadfi16_080828a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_SEICTRL
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_Pandrv
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_seictrl
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_wserving
-------\Legacy_MESSAGER
-------\Service_Messager


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster
2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack
2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-08-29 11:26 . 08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware
2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix
2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX
2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6
2008-08-21 05:14 . 08-08-29 21:53 <DIR> d-------- C:\windows
2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData
2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf
2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 14:36 --------- d-----w C:\Program Files\Google
2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars
2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon
2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini
2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt
2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 36975]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-04 00:09 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [08-05-14 15:17 2682216]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe]
"WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-29 00:58 43008 C:\WINNT\system32\WFXSNT40.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]

C:\Documents and Settings\chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\chris.SERVER\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2006-02-14 14:14:56 542208]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-03-10 10:40:30 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [98-07-27 05:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zordisa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [05-03-10 08:30 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 15:05 ]
S0 lannui;LAN MSFW adapter;C:\WINNT\system32\lannui.sys []
S4 nobicyt;nobicyt Service;C:\WINNT\system32\Nobicyt.exe []
S4 wfxsvc;WinFax PRO;C:\WINNT\system32\WFXSVC.EXE [00-09-29 00:58 ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 21:59:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 22:03:05 - machine was rebooted [chris]
ComboFix-quarantined-files.txt 2008-08-30 02:02:58

Pre-Run: 593,588,224 bytes free
Post-Run: 582,934,528 bytes free

173 --- E O F --- 2008-08-29 15:54:32

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:20 PM

Posted 29 August 2008 - 09:14 PM

1. Please open Notepad
  • Click Start, then Run
  • type in notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
lannui
nobicyt

File::
C:\WINNT\system32\lannui.sys
C:\WINNT\system32\Nobicyt.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
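The triage behind the CFScript in the post above, as an added example (not code from this thread, from ComboFix or from its author): it reads the service and "Reg Loading Points" lines quoted earlier in the thread, flags the two signals the helper acted on, a non-empty AppInit_DLLs value and service entries whose bracketed file stamp is empty, and assembles a CFScript in the same Driver::/File::/Registry:: layout. Treating the empty bracket as the flag is an assumption drawn from this log, not a documented ComboFix rule, and the output is meant for a human reviewer to check before anything is run.

```python
import re

# Constructed excerpt: the "Reg Loading Points" and service lines from the
# ComboFix log posted earlier in this thread (not a complete ComboFix report).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zordisa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [05-03-10 08:30 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 15:05 ]
S0 lannui;LAN MSFW adapter;C:\WINNT\system32\lannui.sys []
S4 nobicyt;nobicyt Service;C:\WINNT\system32\Nobicyt.exe []
S4 wfxsvc;WinFax PRO;C:\WINNT\system32\WFXSVC.EXE [00-09-29 00:58 ]
"""

# One ComboFix service line: "<state> <name>;<display name>;<path> [<stamp>]".
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')
# Registry key exactly as the CFScript in this thread writes it.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"


def parse_services(log):
    """Return one dict per R*/S* service line found in the log text."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, display, path, stamp = m.groups()
            services.append({"state": state, "name": name, "display": display,
                             "path": path, "stamp": stamp.strip()})
    return services


def find_appinit_dlls(log):
    """Return the AppInit_DLLs value with surrounding quotes removed, or '' if absent/empty.

    Any DLL listed here is loaded into every process that links user32.dll,
    which is why a non-empty value on a home PC deserves a close look.
    """
    for line in log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group(1).strip().strip('"')
    return ""


def suspicious_services(services):
    """Services whose stamp bracket is empty.

    Assumption (from this log, not a documented rule): legitimate entries carry a
    file date in the bracket, and the two the helper removed carried none.
    """
    return [s for s in services if not s["stamp"]]


def build_cfscript(log):
    """Assemble a CFScript in the Driver::/File::/Registry:: layout used in this thread."""
    flagged = suspicious_services(parse_services(log))
    appinit = find_appinit_dlls(log)
    sections = []
    if flagged:
        sections.append("Driver::\n" + "\n".join(s["name"] for s in flagged))
        sections.append("File::\n" + "\n".join(s["path"] for s in flagged))
    if appinit:
        # Clearing the value, as the helper did, rather than deleting the key.
        sections.append("Registry::\n[" + APPINIT_KEY + "]\n\"AppInit_DLLs\"=\"\"")
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```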

#7 spaulds

spaulds
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 29 August 2008 - 09:46 PM

I am getting fewer error messages.

ComboFix 08-08-29.02 - chris 08/29/2008 22:32:00.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1750 [GMT -4:00]
Running from: C:\Documents and Settings\chris.SERVER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chris.SERVER\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\lannui.sys
C:\WINNT\system32\Nobicyt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\#SharedObjects\5EBJ5Z2F\interclick.com\ud.sol
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\chris.SERVER\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOBICYT
-------\Service_lannui
-------\Service_nobicyt


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-29 13:43 . 08-08-29 13:43 <DIR> d-------- C:\Program Files\Registry Booster
2008-08-29 13:10 . 08-08-29 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 13:09 . 08-08-29 13:22 <DIR> d-------- C:\Program Files\hijack
2008-08-29 12:59 . 08-08-29 12:59 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-08-29 11:53 . 08-08-29 11:53 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-08-29 11:31 . 08-08-29 11:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-29 11:31 . 08-08-29 11:39 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
2008-08-29 11:26 . 08-08-29 11:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 11:24 . 08-08-29 11:25 <DIR> d-------- C:\Program Files\AdAware
2008-08-29 10:20 . 08-08-29 10:37 <DIR> d-------- C:\Program Files\LSPFix
2008-08-23 16:51 . 08-08-23 16:51 108,336 --a------ C:\WINNT\system32\MSWINSCK.OCX
2008-08-22 13:20 . 08-08-25 14:29 <DIR> d-------- C:\Documents and Settings\chris.SERVER\.housecall6.6
2008-08-21 05:14 . 08-08-29 21:53 <DIR> d-------- C:\windows
2008-08-20 12:57 . 08-08-20 12:57 <DIR> d---s---- C:\Documents and Settings\Default User.WINNT\UserData
2008-08-18 22:53 . 08-08-29 20:23 <DIR> d-------- C:\WINNT\system32\inf
2008-07-12 12:23 . 08-07-12 12:23 <DIR> d-------- C:\Documents and Settings\chris.SERVER\Application Data\Uniblue
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 14:36 --------- d-----w C:\Program Files\Google
2008-08-29 04:00 --------- d---a-w C:\Program Files\PokerStars
2008-08-08 04:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-08 04:28 --------- d-----w C:\Documents and Settings\chris.SERVER\Application Data\Verizon
2005-08-15 18:43 271 ---h--w C:\Program Files\desktop.ini
2005-08-15 18:43 21,952 ---h--w C:\Program Files\folder.htt
2004-12-16 15:02 7,741,352 ----a-w C:\Program Files\DivX521XP2K.exe
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [06-11-30 22:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [BU]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [07-03-01 10:37 2321600]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 36975]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-04 00:09 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 39792]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [08-05-14 15:17 2682216]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe]
"WinFaxAppPortStarter"="wfxsnt40.exe" [00-09-29 00:58 43008 C:\WINNT\system32\WFXSNT40.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]

C:\Documents and Settings\chris\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\chris.SERVER\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2002-06-24 14:45:24 282624]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2006-02-14 14:14:56 542208]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-03-10 10:40:30 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [98-07-27 05:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [05-03-10 08:30 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 15:05 ]
S4 wfxsvc;WinFax PRO;C:\WINNT\system32\WFXSVC.EXE [00-09-29 00:58 ]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 22:37:10
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-29 22:40:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 02:40:40
ComboFix2.txt 2008-08-30 02:03:05

Pre-Run: 836,153,344 bytes free
Post-Run: 830,291,968 bytes free

107 --- E O F --- 2008-08-29 15:54:32


---------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:20 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 6658 bytes

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:20 PM

Posted 29 August 2008 - 09:52 PM

Ok good they will stop by the time we are done :thumbsup:

Go ahead and install one of the antivirus programs below:
AVG Free 8.0
Note: this is free antispyware and antivirus protection.
or
Antivir

as long as you only install one.
=====================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
==========
Post that MBAM log and a new HijackThis log, and let me know how things are running after that.

Edited by kahdah, 29 August 2008 - 09:52 PM.


#9 spaulds

spaulds
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:20 PM

Posted 29 August 2008 - 10:31 PM

It didn't have me reboot.


Malwarebytes' Anti-Malware 1.25
Database version: 1097
Windows 5.0.2195 Service Pack 4

11:25:45 PM 8/29/2008
mbam-log-08-29-2008 (23-25-45).txt

Scan type: Quick Scan
Objects scanned: 52848
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:36 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Poker - Bodog\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe

--
End of file - 7521 bytes

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:20 PM

Posted 29 August 2008 - 10:48 PM

Looks good. How is everything running?

#11 spaulds

spaulds
  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:20 PM

Posted 29 August 2008 - 11:13 PM

Everything is running great, with two exceptions:

1. cookieblocker.dll error

2. when I open outlook I get this error about 5 times: error in registry extension "exchange extensions"

I have never seen either of those before today.

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:01:20 PM

Posted 30 August 2008 - 06:39 AM

1. cookieblocker.dll error

This has to do with your Ad-Watch Software.
Try to get an update for Ad-Aware and see if it fixes it.
If not, contact Ad-Aware support, as this has been an issue before with this software.

2. when I open outlook I get this error about 5 times: error in registry extension "exchange extensions"

For a fix for this see this link please: http://support.microsoft.com/kb/823633

===========================
Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
======================
Use a Firewall:

Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or Zonealarm.
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
