Muicache


73 replies to this topic

#1 despondent

despondent


Posted 29 August 2008 - 11:14 PM

Hi Boopme, per your request, here is my HJT log.
Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:52 PM, on 8/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} - http://pictures05.aim.com/ygp/aol/plugin/d...AIM.9.5.1.5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O20 - AppInit_DLLs: bpjszn.dll
O21 - SSODL: afuKLgRnjgLa - {449F2B7C-EE35-81D6-5F90-A3B86BE59890} - C:\WINDOWS\system32\fwyvwk.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6139 bytes


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team

Posted 13 September 2008 - 10:34 PM

Hello, despondent.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

Billy O'Neal


Posted 19 September 2008 - 04:12 PM

Hello, despondent.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

#4 Billy O'Neal

Billy O'Neal


Posted 27 September 2008 - 03:57 PM

User returned; Topic reopened. Please post your Log(s) below :thumbsup:

Billy3

#5 despondent

despondent

Posted 27 September 2008 - 05:34 PM

I haven't turned on the infected computer since I took that log in the first post of this thread. It should have remained the same, right? Or do I still need to repost it?

#6 Billy O'Neal

Billy O'Neal


Posted 27 September 2008 - 06:53 PM

Yes, please take a fresh log and post it. Sometimes these infections will get things even in a few seconds; changes over the internet and that sort of thing :thumbsup:

Billy3

#7 despondent

despondent

Posted 28 September 2008 - 03:48 PM

Hi Billy,
Here is the log file. Just some background information for you: I got that Antivirus 2008 virus in my system tray and I stupidly clicked on it. I then used ComboFix and Malwarebytes to remove the virus. That cleared it out of most of my system and registry, but when I search the registry for "j0e" and "buritos", files still appear in the MUICache folder. So I am trying to remove the final remnants of the virus. Also, the "My Computer" icon on the desktop is gone and the "Show Desktop" icon in the tray is gone.

Thanks for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:32 PM, on 9/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} - http://pictures05.aim.com/ygp/aol/plugin/d...AIM.9.5.1.5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O20 - AppInit_DLLs: bpjszn.dll
O21 - SSODL: afuKLgRnjgLa - {449F2B7C-EE35-81D6-5F90-A3B86BE59890} - C:\WINDOWS\system32\fwyvwk.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5891 bytes
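The two HijackThis logs above differ only slightly, and Billy asked for a fresh one precisely because entries can change between runs. As an added example (not from the thread and not part of HijackThis or ComboFix), here is a small Python triage helper that parses the R/O lines of an HJT log, flags the persistence entries a helper looks at first (O20 AppInit_DLLs, O21 SSODL, orphaned "(file missing)" entries, O17 NameServer), and diffs an old log against a new one. The sample logs inside it are a constructed subset of the lines posted in this thread.

```python
"""Triage helper for HijackThis (HJT) logs of the kind posted in this thread.

Added example; not part of the thread, HijackThis or ComboFix.
"""
import re
from dataclasses import dataclass

# One HJT entry: a section code (R0, O4, O20, ...) followed by " - " and a body.
HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    kind: str   # e.g. "O21"
    body: str   # everything after "O21 - "

    def path(self):
        """Best-effort file behind the entry: the DLL name for O20, otherwise the
        last ' - ' separated field with the '(file missing)' note stripped."""
        if self.kind == "O20":
            return self.body.split(":", 1)[1].strip()
        tail = self.body.rsplit(" - ", 1)[-1]
        return tail.replace("(file missing)", "").strip()


def parse_hjt(text):
    """Return the R/F/O entries of an HJT log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["kind"], m["body"]))
    return entries


def triage(entries):
    """Pair each entry worth a second look with the reason it was flagged."""
    flagged = []
    for e in entries:
        if e.kind == "O20" and e.body.startswith("AppInit_DLLs:") and e.path():
            flagged.append((e, "AppInit_DLLs: DLL is injected into every process that loads user32.dll"))
        elif e.kind == "O21":
            flagged.append((e, "ShellServiceObjectDelayLoad: DLL is loaded by Explorer at every logon"))
        elif "(file missing)" in e.body:
            flagged.append((e, "orphaned entry: the referenced file no longer exists"))
        elif e.kind == "O17":
            flagged.append((e, "non-default DNS server: confirm it belongs to the ISP"))
    return flagged


def diff_hjt(old_text, new_text):
    """Entries that appeared in the new log, and entries that vanished since the old one."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


# Constructed sample: a subset of the 8/29 log posted in this thread.
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2
O20 - AppInit_DLLs: bpjszn.dll
O21 - SSODL: afuKLgRnjgLa - {449F2B7C-EE35-81D6-5F90-A3B86BE59890} - C:\WINDOWS\system32\fwyvwk.dll
"""

# Constructed "fresh" log: identical except the MSConfig autorun is gone, as in the 9/28 log.
NEW_LOG = "\n".join(line for line in OLD_LOG.splitlines() if "[MSConfig]" not in line)


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(OLD_LOG)):
        print(f"{entry.kind:>4}  {entry.path():<45} {reason}")
    added, removed = diff_hjt(OLD_LOG, NEW_LOG)
    print("added since old log:  ", [e.body for e in added])
    print("removed since old log:", [e.body for e in removed])
```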

#8 Billy O'Neal

Billy O'Neal


Posted 28 September 2008 - 04:02 PM

Hello, despondent.
Please post the ComboFix log from when you ran it before. It will be located at C:\Combofix.txt

Download FileFind.zip and unzip to your desktop.
  • Double-click FindFile.exe
  • In the box labeled "Enter the directory to search" enter the Drive: C:\
  • In the box labeled "Enter the File to Search", enter bpjszn.dll to search for the file(s).
  • Click "Find" to begin the search.
  • When the search is done, it will list the total number of files found.
  • Double-click on "Export"
  • This will create and save a text file named export.txt in the root of your C:\ directory.
  • Locate export.txt and copy/paste its contents in your next post.
In your next reply, please include the following:
  • FileFind log
  • A New HiJack This log

Billy3

#9 despondent

despondent

Posted 28 September 2008 - 04:29 PM

Hello Billy,

Below I have pasted the following items:
1. The original ComboFix log.
2. I ran the FindFile program. It did not find the file "bpjszn.dll".
3. I reran HJT and posted the logs.

Attached Files



#10 Billy O'Neal

Billy O'Neal


Posted 28 September 2008 - 05:57 PM

Please delete and redownload combofix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then re-run it. Please post the log it generates here.

Also, please copy and paste the log in here rather than attaching it :thumbsup: Thanks!

Billy3

#11 despondent

despondent

Posted 28 September 2008 - 09:37 PM

Uh oh. I got a Windows popup whilst running CF and it said files that Windows needs to run properly have been replaced by unrecognizable versions and that I must place the Windows CD-ROM to run my computer. Is that OK?

#12 Billy O'Neal

Billy O'Neal


Posted 28 September 2008 - 09:39 PM

Yes, it appears malware has overwritten a lot of your Windows innards. CF will attempt to repair this, which can trigger the warnings :thumbsup:

Billy3

#13 despondent

despondent

Posted 28 September 2008 - 09:42 PM

Now that CF has finished running, there is a dialog box that says "Are you sure you want to keep the unrecognizable files?" and I have the option of clicking Yes or No. What should I do?

Here is the log file from CF:
ComboFix 08-09-27.06 - User 2008-09-28 19:34:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.146 [GMT -7:00]
Running from: E:\ComboFix2.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nbynfish.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-08-29 21:12 . 2008-08-29 21:12 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 20:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-28 02:21 --------- d-----w C:\Documents and Settings\User\Application Data\Malwarebytes
2008-08-28 02:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-28 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 23:21 --------- d-----w C:\Program Files\hjt
2008-08-24 21:51 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-08-24 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 17:26 --------- d-----w C:\Documents and Settings\User\Application Data\mIRC
2008-08-24 17:24 15,872 ----a-w C:\WINDOWS\system32\svchost.exe
2008-08-21 01:55 --------- d-----w C:\Program Files\mIRC
2008-08-17 22:04 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 22:04 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 23:27 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2006-10-03 01:25 25,888 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-06-11 20:06 24,648 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2004-12-30 22:16 32 -csha-w C:\WINDOWS\{317B6CDF-AD65-4047-AEE1-D7D6AECA0667}.dat
2004-12-30 21:57 32 --sha-w C:\WINDOWS\{6DDBDBAA-CCB7-4ED6-B9AA-5FF32BABB451}.dat
2004-12-30 22:15 32 --sha-w C:\WINDOWS\{7E2CC4A7-6CBE-4E0D-853F-C5A1067BB42A}.dat
2004-12-30 22:16 32 -csha-w C:\WINDOWS\{8084A888-656C-437D-8807-677EB9D52A52}.dat
2004-12-30 22:16 32 -csha-w C:\WINDOWS\{B1AB0DD9-8C71-4C6E-97E7-B7C19A5C35DA}.dat
2004-12-30 22:17 32 --sha-w C:\WINDOWS\{FB26BED1-A42D-465F-B8CD-F19C9FB7D593}.dat
2004-12-30 21:57 32 --sha-w C:\WINDOWS\system32\{2F6C9DB4-6261-48D0-8CFA-EE3BD868071C}.dat
2004-12-30 22:16 32 -csha-w C:\WINDOWS\system32\{43F1C9F4-F296-421A-B175-1740F75CB1AD}.dat
2004-12-30 22:17 32 --sha-w C:\WINDOWS\system32\{7EBF173B-2B93-426A-83B9-D5A9F5BCB857}.dat
2004-12-30 22:16 32 --sha-w C:\WINDOWS\system32\{87F697D2-2733-470E-84AA-34FE0FBE4D70}.dat
2004-12-30 22:16 32 -csha-w C:\WINDOWS\system32\{DE365C18-19D8-4F2F-B6CF-A63685B3AC89}.dat
2004-12-30 22:15 32 --sha-w C:\WINDOWS\system32\{E60AED3F-9FDA-4C12-82F5-D092E6B42250}.dat
.

------- Sigcheck -------

md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2003-03-31 12:00 520704 caa33502163c7033a374d6179dc22332 C:\WINDOWS\system32\winlogon.exe

2003-03-31 12:00 1007104 176a115c9d0a3c8c1331c21027d1c91f C:\WINDOWS\explorer.exe

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-10 16:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2003-03-31 12:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((( snapshot@2008-08-24_18.50.13.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-25 01:09:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-29 01:09:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-25 01:09:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-29 01:09:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-29 01:09:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-08-17 22:36:42 24,064 -c--a-w C:\WINDOWS\system32\dllcache\devldr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 58392]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-06-11 100056]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2004-12-30 209016]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"afuKLgRnjgLa"= {449F2B7C-EE35-81D6-5F90-A3B86BE59890} - C:\WINDOWS\system32\fwyvwk.dll [2003-03-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bpjszn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-12-08 15:50 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 13:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 11:05 53248 c:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{04057FC3-B9BE-4174-80AB-9F0823E2AC5E}: NameServer = 64.81.127.2

O16 -: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} - hxxp://pictures05.aim.com/ygp/aol/plugin/download/YGPPicDownload.en-US-AIM.9.5.1.5.cab
C:\WINDOWS\Downloaded Program Files\YGPPicDownload.en-US-AIM.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 19:37:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-28 19:39:11
ComboFix-quarantined-files.txt 2008-09-29 02:39:04
ComboFix2.txt 2008-08-25 01:55:23

Pre-Run: 911,335,424 bytes free
Post-Run: 905,973,760 bytes free


#14 despondent

despondent

Posted 28 September 2008 - 09:44 PM

OMG, you are lightning fast.... :thumbsup:

#15 Billy O'Neal

Billy O'Neal


Posted 28 September 2008 - 09:53 PM

Hello, despondent.

    Now that CF has finished running, there is a dialog box that says "Are you sure you want to keep the unrecognizable files?" and I have the option of clicking Yes or No. What should I do?

It will keep prompting for a Windows disk if you select No. If you have a Windows disk, please insert it and press No. If you don't, press Yes and we'll deal with it from there :)

    OMG, you are lightning fast.... :thumbsup:

That's because I have no life :)

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
    C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    C:\WINDOWS\{317B6CDF-AD65-4047-AEE1-D7D6AECA0667}.dat
    C:\WINDOWS\{6DDBDBAA-CCB7-4ED6-B9AA-5FF32BABB451}.dat
    C:\WINDOWS\{7E2CC4A7-6CBE-4E0D-853F-C5A1067BB42A}.dat
    C:\WINDOWS\{8084A888-656C-437D-8807-677EB9D52A52}.dat
    C:\WINDOWS\{B1AB0DD9-8C71-4C6E-97E7-B7C19A5C35DA}.dat
    C:\WINDOWS\{FB26BED1-A42D-465F-B8CD-F19C9FB7D593}.dat
    C:\WINDOWS\system32\{2F6C9DB4-6261-48D0-8CFA-EE3BD868071C}.dat
    C:\WINDOWS\system32\{43F1C9F4-F296-421A-B175-1740F75CB1AD}.dat
    C:\WINDOWS\system32\{7EBF173B-2B93-426A-83B9-D5A9F5BCB857}.dat
    C:\WINDOWS\system32\{87F697D2-2733-470E-84AA-34FE0FBE4D70}.dat
    C:\WINDOWS\system32\{DE365C18-19D8-4F2F-B6CF-A63685B3AC89}.dat
    C:\WINDOWS\system32\{E60AED3F-9FDA-4C12-82F5-D092E6B42250}.dat
    C:\WINDOWS\system32\fwyvwk.dll
    
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "afuKLgRnjgLa"=
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image not shown] Referring to the picture, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 28 September 2008 - 09:53 PM.
Reordered instructions

