Smitfraud


  • This topic is locked
19 replies to this topic

#1 KKelvin
  • Members
  • 88 posts

Posted 21 September 2008 - 01:03 PM

Hi, I can't open my internet browser. I ran Spybot in Safe Mode, which removed some of the infections (like webhancer, commandservice) but not Smitfraud. I'm posting this question using a different computer, since the one that is having the problem cannot go on the internet. How can I fix/remove Smitfraud and get internet access back?

By the way, how can I fix it if I am unable to access the internet and unable to download the necessary fixes? For example, I wouldn't be able to download ComboFix or an antivirus that you might instruct me to get.

This is the HijackThis log that I copied from the infected computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:19 AM, on 9/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [90aa558c] rundll32.exe "C:\WINDOWS\system32\fusdgqhu.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM93996610] Rundll32.exe "C:\WINDOWS\system32\tkcvwwdr.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA2780] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5007] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA832] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4691] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\Run: [prunnet] "C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe"
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://qcmail.qc.cuny.edu/dwa7W.cab
O20 - AppInit_DLLs: mgcmag.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 6224 bytes
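Added example, not part of KKelvin's post and not HijackThis output: a small Python triage script that applies, mechanically, the checks a helper makes by eye on the O4/O20 lines of a log like the one above. The sample lines are copied from that log. The heuristics are my own rules of thumb (an autorun launched from Temp or Application Data; rundll32 loading an all-lowercase random-looking DLL with a one-letter export; a value name that looks machine-generated; any non-empty AppInit_DLLs, which gets loaded into every process that loads user32.dll), not anything HijackThis itself reports.

```python
"""Triage O4/O20 entries from a HijackThis log (added example, not HJT's own logic)."""
from __future__ import annotations
import re

# Constructed sample: O4/O20 lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [90aa558c] rundll32.exe "C:\WINDOWS\system32\fusdgqhu.dll",b
O4 - HKLM\..\Run: [BM93996610] Rundll32.exe "C:\WINDOWS\system32\tkcvwwdr.dll",s
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
O20 - AppInit_DLLs: mgcmag.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.IGNORECASE)
# Launch locations a persistent autorun has no business living in (heuristic, my choice).
USER_WRITABLE_RE = re.compile(r'\\temp\\|\\locals~1\\|\\application data\\')


def flags_for_run_entry(name: str, cmd: str) -> list[str]:
    """Return the reasons (possibly none) an O4 Run entry deserves a second look."""
    reasons = []
    if USER_WRITABLE_RE.search(cmd.lower()):
        reasons.append('launched from Temp or Application Data')
    m = RUNDLL_RE.match(cmd)
    if m:
        base = m.group('path').rsplit('\\', 1)[-1]
        export = m.group('export') or ''
        # Legitimate DLLs have meaningful names and named exports; 6-8 lowercase
        # letters plus a one-letter export is the pattern seen in this log.
        if re.fullmatch(r'[a-z]{6,8}\.dll', base) and len(export) <= 1:
            reasons.append('rundll32 loads a random-named DLL with a one-letter export')
    if re.fullmatch(r'[0-9a-f]{8}|BM\d+', name):
        reasons.append('value name looks machine-generated')
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every O4/O20 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = flags_for_run_entry(m.group('name'), m.group('cmd'))
            if reasons:
                findings.append((line, reasons))
            continue
        m = O20_RE.match(line)
        if m:
            # Anything listed in AppInit_DLLs is loaded into every process that loads user32.dll.
            findings.append((line, ['AppInit_DLLs is set: %s' % m.group('dlls')]))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_HJT):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Run against the sample it flags prunnet, the two rundll32 entries, the Application Data executable and the AppInit_DLLs line, and leaves the NVIDIA and iTunes entries alone. The heuristics are deliberately narrow; a clean entry that trips one is a prompt to look at the file, not a verdict.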

#2 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 21 September 2008 - 01:10 PM

I know I don't have anti-virus. I can't access the internet due to the infection, so I am unable to download. I do, however, have HijackThis and Spybot already on the infected computer.

HELP!!!!

Edited by KKelvin, 21 September 2008 - 10:13 PM.


#3 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 26 September 2008 - 06:30 PM

Hello, KKelvin.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the reply button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 28 September 2008 - 03:20 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:28 PM, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\World of Warcraft\BackgroundDownloader.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [BM93996610] Rundll32.exe "C:\WINDOWS\system32\dfiffnyj.dll",s
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab53083.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://qcmail.qc.cuny.edu/dwa7W.cab
O20 - AppInit_DLLs: wxjtvu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 5520 bytes

#5 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 28 September 2008 - 03:21 PM

Hello, KKelvin.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt


#6 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 28 September 2008 - 03:22 PM

I can now access the internet but can only go on some sites, not all. For example, I can go on youtube.com but not bleepingcomputer.com.

#7 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 28 September 2008 - 03:40 PM

Hello, KKelvin.

Can you access any of the three mirrors listed on the instructions page to download CF?


#8 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 28 September 2008 - 04:04 PM

When I drag the winrecover icon over ComboFix it starts the scan, then a message appears saying
"This machine already have recovery console installed, aborting operation"

While scanning, ComboFix gave me a message "the file or directory c:\$mft is corrupt and unreadable. please run the Chkdsk utility"
and another similar message, but before I could copy it down my screen blacked out and my computer is now restarting.

#9 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 28 September 2008 - 04:33 PM

ComboFix 08-09-27.05 - Owner 2008-09-28 16:55:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\Owner\Cookies\owner@www.revisitors[2].txt
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\GetPack
C:\Program Files\GetPack\dictame.gz
C:\Program Files\GetPack\GetPack21.exe
C:\Program Files\GetPack\trgtame.gz
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\Twain\Twain.exe
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\VnrBlock21.exe
C:\Program Files\VnrBlock\xoffdic.gz
C:\Program Files\VnrBlock\xtarga.gz
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\b161.exe
C:\WINDOWS\BM93996610.txt
C:\WINDOWS\BM93996610.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\faceback.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pxhelp200.sys
C:\WINDOWS\system32\eeefPqss.ini
C:\WINDOWS\system32\eeefPqss.ini2
C:\WINDOWS\system32\fatcjorg.ini
C:\WINDOWS\system32\geBuTJbA.dll
C:\WINDOWS\system32\hwvfdtgp.ini
C:\WINDOWS\system32\inf\TNP43I46.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qgfrsgbs.ini
C:\WINDOWS\system32\qjotldgc.ini
C:\WINDOWS\system32\smmyaynm.ini
C:\WINDOWS\system32\ssqPfeee.dll
C:\WINDOWS\system32\uhqgdsuf.ini
C:\WINDOWS\system32\urqPfDUO.dll
C:\WINDOWS\system32\xwapjwua.ini
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_PXHELP200
-------\Legacy_TNIDRIVER
-------\Service_pxhelp200


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 17:06 . 2008-09-28 17:06 22 --a------ C:\WINDOWS\pskt.ini
2008-09-28 17:06 . 2008-09-28 17:06 0 --a------ C:\WINDOWS\BM93996610.xml
2008-09-28 00:28 . 2008-09-28 00:28 128,000 --a------ C:\WINDOWS\system32\wxjtvu.dll
2008-09-28 00:28 . 2008-09-28 00:28 128,000 --a------ C:\WINDOWS\system32\njoqsrsf.dll
2008-09-28 00:25 . 2008-09-28 00:25 71,168 --a------ C:\WINDOWS\system32\pgtdfvwh.dll
2008-09-28 00:22 . 2008-09-28 00:22 105,984 --a------ C:\WINDOWS\system32\dfiffnyj.dll
2008-09-27 00:26 . 2008-09-27 00:26 128,000 --a------ C:\WINDOWS\system32\vhalzk.dll
2008-09-27 00:26 . 2008-09-27 00:26 128,000 --a------ C:\WINDOWS\system32\nyxwshmo.dll
2008-09-27 00:23 . 2008-09-27 00:23 71,168 --a------ C:\WINDOWS\system32\sbgsrfgq.dll
2008-09-27 00:20 . 2008-09-27 00:20 105,984 --a------ C:\WINDOWS\system32\ircxbydc.dll
2008-09-26 00:24 . 2008-09-26 00:24 128,000 --a------ C:\WINDOWS\system32\srtipwys.dll
2008-09-26 00:24 . 2008-09-26 00:24 128,000 --a------ C:\WINDOWS\system32\pyixic.dll
2008-09-26 00:19 . 2008-09-26 00:19 95,232 --a------ C:\WINDOWS\system32\bmofsrxr.dll
2008-09-25 00:24 . 2008-09-25 00:24 128,000 --a------ C:\WINDOWS\system32\qbiopbtf.dll
2008-09-25 00:24 . 2008-09-25 00:24 128,000 --a------ C:\WINDOWS\system32\hgqggd.dll
2008-09-25 00:18 . 2008-09-25 00:18 95,232 --a------ C:\WINDOWS\system32\angwmkap.dll
2008-09-24 00:21 . 2008-09-24 00:21 128,000 --a------ C:\WINDOWS\system32\sgbqke.dll
2008-09-24 00:21 . 2008-09-24 00:21 128,000 --a------ C:\WINDOWS\system32\jucvhsni.dll
2008-09-24 00:18 . 2008-09-24 00:18 91,136 --a------ C:\WINDOWS\system32\cgdltojq.dll
2008-09-24 00:16 . 2008-09-24 00:16 95,232 --a------ C:\WINDOWS\system32\ihlqsrhn.dll
2008-09-22 21:40 . 2008-09-28 17:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpeedRunner
2008-09-22 18:01 . 2008-09-28 16:56 <DIR> d-------- C:\Program Files\Twain
2008-09-22 17:56 . 2008-09-22 17:56 <DIR> d-------- C:\Program Files\Webtools
2008-09-22 17:51 . 2008-09-22 17:51 <DIR> d-------- C:\Program Files\Mjcore
2008-09-22 17:51 . 2008-09-22 17:51 119,808 --a------ C:\WINDOWS\system32\lrwedine.dll
2008-09-22 17:51 . 2008-09-22 17:51 119,808 --a------ C:\WINDOWS\system32\ieljpg.dll
2008-09-22 17:50 . 2008-09-22 17:50 90,112 --a------ C:\WINDOWS\system32\qpnjvxyl.dll
2008-09-21 02:19 . 2008-09-21 02:19 119,808 --a------ C:\WINDOWS\system32\woqqrlwj.dll
2008-09-21 02:19 . 2008-09-21 02:19 119,808 --a------ C:\WINDOWS\system32\mgcmag.dll
2008-09-21 02:13 . 2008-09-21 02:13 90,112 --a------ C:\WINDOWS\system32\tkcvwwdr.dll
2008-09-21 02:04 . 2008-09-21 02:04 <DIR> d-------- C:\WINDOWS\system32\p
2008-09-21 02:04 . 2008-09-21 02:04 <DIR> d-------- C:\WINDOWS\system32\np5
2008-09-21 02:04 . 2008-09-21 02:04 <DIR> d-------- C:\WINDOWS\system32\mC19
2008-09-21 02:04 . 2008-09-28 16:57 <DIR> d-------- C:\WINDOWS\system32\inf
2008-09-21 02:04 . 2008-09-21 02:04 <DIR> d-------- C:\WINDOWS\system32\ES
2008-09-21 02:04 . 2008-09-21 02:05 <DIR> d-------- C:\Temp\mtc2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-25 05:57 --------- d-----w C:\Program Files\World of Warcraft
2008-09-19 08:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-03 06:22 --------- d-----w C:\Program Files\Warcraft III
2008-08-26 22:59 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-26 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-08-24 07:26 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2005-08-02 20:46 187,904 --sha-r C:\WINDOWS\S2VsdmluIENoYW4\asappsrv.dll
2005-08-02 20:58 293,888 --sha-r C:\WINDOWS\S2VsdmluIENoYW4\command.exe
2005-07-29 20:24 472 --sha-r C:\WINDOWS\S2VsdmluIENoYW4\mZpPxA5RKHhCsqb.vbs
2008-05-20 21:52 5,024,800 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-20 21:52 121,632 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_16.32.40.60 )))))))))))))))))))))))))))))))))))))))))

#10 KKelvin
  • Topic Starter
  • Members
  • 88 posts

Posted 28 September 2008 - 04:46 PM

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19d50ac3-ecc5-41ae-ac6a-7b6ed9054185}]
2008-09-28 00:28 128000 --a------ C:\WINDOWS\system32\wxjtvu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"HostManager"="C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe" [2006-05-09 50760]
"BM93996610"="C:\WINDOWS\system32\dfiffnyj.dll" [2008-09-28 105984]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxjtvu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93996610]
--a------ 2008-09-24 00:16 95232 C:\WINDOWS\system32\ihlqsrhn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2003-07-28 14:19 49152 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
--a------ 2008-09-22 21:40 35328 C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a--c--- 2008-05-23 18:28 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-08-16 02:55 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killahxkelvin@aol.com\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{03EC8CE0-E697-4339-8BC2-2DDF72716A42} - C:\WINDOWS\system32\geBuTJbA.dll
BHO-{E028F127-9439-4A86-ACC1-C3A09DA842C5} - C:\WINDOWS\system32\ssqPfeee.dll
ShellExecuteHooks-{03EC8CE0-E697-4339-8BC2-2DDF72716A42} - C:\WINDOWS\system32\geBuTJbA.dll
Notify-__c007E2CC - C:\WINDOWS\system32\__c007E2CC.dat
MSConfigStartUp-GetPack21 - C:\Program Files\GetPack\GetPack21.exe
MSConfigStartUp-prunnet - C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe
MSConfigStartUp-runner1 - C:\WINDOWS\faceback.exe
MSConfigStartUp-SpeedRunner - C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-Twain - C:\Program Files\Twain\Twain.exe
MSConfigStartUp-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qenl5jph.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 17:05:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-28 17:18:41 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-28 21:18:37
ComboFix2.txt 2008-01-17 22:06:18
ComboFix3.txt 2008-01-17 21:33:16

Pre-Run: 88,176,984,064 bytes free
Post-Run: 88,139,976,704 bytes free

9310 --- E O F --- 2008-09-10 07:03:31

#11 KKelvin

KKelvin
  • Topic Starter

  • Members
  • 88 posts
  • Local time:08:58 AM

Posted 28 September 2008 - 04:47 PM

I couldn't post the whole ComboFix log since it was too long;
the post above is just the beginning section and the final section of the log.

Also, after the ComboFix scan, my Mozilla Firefox browser lost all its bookmarks. Is this normal?

Edited by KKelvin, 28 September 2008 - 04:52 PM.


#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:58 AM

Posted 28 September 2008 - 04:59 PM

Hello, KKelvin.
Yes, you've got yourself quite an infected machine there :thumbsup:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    KILLALL::
    
    file::
    C:\WINDOWS\BM93996610.xml
    C:\WINDOWS\system32\wxjtvu.dll
    C:\WINDOWS\system32\njoqsrsf.dll
    C:\WINDOWS\system32\pgtdfvwh.dll
    C:\WINDOWS\system32\dfiffnyj.dll
    C:\WINDOWS\system32\vhalzk.dll
    C:\WINDOWS\system32\nyxwshmo.dll
    C:\WINDOWS\system32\sbgsrfgq.dll
    C:\WINDOWS\system32\ircxbydc.dll
    C:\WINDOWS\system32\srtipwys.dll
    C:\WINDOWS\system32\pyixic.dll
    C:\WINDOWS\system32\bmofsrxr.dll
    C:\WINDOWS\system32\qbiopbtf.dll
    C:\WINDOWS\system32\hgqggd.dll
    C:\WINDOWS\system32\angwmkap.dll
    C:\WINDOWS\system32\sgbqke.dll
    C:\WINDOWS\system32\jucvhsni.dll
    C:\WINDOWS\system32\cgdltojq.dll
    C:\WINDOWS\system32\ihlqsrhn.dll
    C:\WINDOWS\system32\lrwedine.dll
    C:\WINDOWS\system32\ieljpg.dll
    C:\WINDOWS\system32\qpnjvxyl.dll
    C:\WINDOWS\system32\woqqrlwj.dll
    C:\WINDOWS\system32\mgcmag.dll
    C:\WINDOWS\system32\tkcvwwdr.dll
    C:\WINDOWS\system32\wxjtvu.dll
    C:\WINDOWS\system32\dfiffnyj.dll
    C:\WINDOWS\system32\ihlqsrhn.dll
    
    folder::
    C:\Program Files\Mjcore
    C:\WINDOWS\system32\p
    C:\WINDOWS\system32\np5
    C:\WINDOWS\system32\mC19
    C:\WINDOWS\system32\inf
    C:\WINDOWS\system32\ES
    C:\Temp\mtc2
    C:\WINDOWS\S2VsdmluIENoYW4
    
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19d50ac3-ecc5-41ae-ac6a-7b6ed9054185}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BM93996610"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "cmdService"=-
    "rpcapd"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"=-
    "3724:TCP"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM93996610]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 28 September 2008 - 05:03 PM.
Syntax Error

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 KKelvin

KKelvin
  • Topic Starter

  • Members
  • 88 posts
  • Local time:08:58 AM

Posted 28 September 2008 - 06:28 PM

ComboFix 08-09-27.06 - Owner 2008-09-28 18:54:42.6 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM93996610.xml
C:\WINDOWS\system32\angwmkap.dll
C:\WINDOWS\system32\bmofsrxr.dll
C:\WINDOWS\system32\cgdltojq.dll
C:\WINDOWS\system32\dfiffnyj.dll
C:\WINDOWS\system32\hgqggd.dll
C:\WINDOWS\system32\ieljpg.dll
C:\WINDOWS\system32\ihlqsrhn.dll
C:\WINDOWS\system32\ircxbydc.dll
C:\WINDOWS\system32\jucvhsni.dll
C:\WINDOWS\system32\lrwedine.dll
C:\WINDOWS\system32\mgcmag.dll
C:\WINDOWS\system32\njoqsrsf.dll
C:\WINDOWS\system32\nyxwshmo.dll
C:\WINDOWS\system32\pgtdfvwh.dll
C:\WINDOWS\system32\pyixic.dll
C:\WINDOWS\system32\qbiopbtf.dll
C:\WINDOWS\system32\qpnjvxyl.dll
C:\WINDOWS\system32\sbgsrfgq.dll
C:\WINDOWS\system32\sgbqke.dll
C:\WINDOWS\system32\srtipwys.dll
C:\WINDOWS\system32\tkcvwwdr.dll
C:\WINDOWS\system32\vhalzk.dll
C:\WINDOWS\system32\woqqrlwj.dll
C:\WINDOWS\system32\wxjtvu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\SpeedRunner
C:\Program Files\Mjcore
C:\Program Files\Mjcore\Mjcore.dll
C:\Temp\mtc2
C:\Temp\mtc2\h5v.log
C:\WINDOWS\BM93996610.txt
C:\WINDOWS\BM93996610.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\S2VsdmluIENoYW4
C:\WINDOWS\S2VsdmluIENoYW4\asappsrv.dll
C:\WINDOWS\S2VsdmluIENoYW4\command.exe
C:\WINDOWS\S2VsdmluIENoYW4\mZpPxA5RKHhCsqb.vbs
C:\WINDOWS\system32\angwmkap.dll
C:\WINDOWS\system32\bmofsrxr.dll
C:\WINDOWS\system32\cgdltojq.dll
C:\WINDOWS\system32\dfiffnyj.dll
C:\WINDOWS\system32\ES
C:\WINDOWS\system32\ES\ixp6453.exe
C:\WINDOWS\system32\hgqggd.dll
C:\WINDOWS\system32\ieljpg.dll
C:\WINDOWS\system32\ihlqsrhn.dll
C:\WINDOWS\system32\inf
C:\WINDOWS\system32\ircxbydc.dll
C:\WINDOWS\system32\jucvhsni.dll
C:\WINDOWS\system32\lrwedine.dll
C:\WINDOWS\system32\mC19
C:\WINDOWS\system32\mC19\mC191065.exe
C:\WINDOWS\system32\mgcmag.dll
C:\WINDOWS\system32\njoqsrsf.dll
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\np5\sfeth112.exe
C:\WINDOWS\system32\nyxwshmo.dll
C:\WINDOWS\system32\p
C:\WINDOWS\system32\p\xerd2140.exe
C:\WINDOWS\system32\pgtdfvwh.dll
C:\WINDOWS\system32\pyixic.dll
C:\WINDOWS\system32\qbiopbtf.dll
C:\WINDOWS\system32\qpnjvxyl.dll
C:\WINDOWS\system32\sbgsrfgq.dll
C:\WINDOWS\system32\sgbqke.dll
C:\WINDOWS\system32\srtipwys.dll
C:\WINDOWS\system32\tkcvwwdr.dll
C:\WINDOWS\system32\vhalzk.dll
C:\WINDOWS\system32\woqqrlwj.dll
C:\WINDOWS\system32\wxjtvu.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-22 18:01 . 2008-09-28 16:56 <DIR> d-------- C:\Program Files\Twain
2008-09-22 17:56 . 2008-09-22 17:56 <DIR> d-------- C:\Program Files\Webtools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-25 05:57 --------- d-----w C:\Program Files\World of Warcraft
2008-09-19 08:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-03 06:22 --------- d-----w C:\Program Files\Warcraft III
2008-08-26 22:59 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-26 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-08-24 07:26 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-05-20 21:52 5,024,800 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-20 21:52 121,632 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"HostManager"="C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe" [2006-05-09 50760]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxjtvu.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2003-07-28 14:19 49152 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
--a------ 2008-09-22 21:40 35328 C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a--c--- 2008-05-23 18:28 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-08-16 02:55 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killahxkelvin@aol.com\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 19:05:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-28 19:17:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 23:17:47
ComboFix2.txt 2008-09-28 21:18:42
ComboFix3.txt 2008-01-17 22:06:18
ComboFix4.txt 2008-01-17 21:33:16

Pre-Run: 88,101,494,784 bytes free
Post-Run: 88,085,143,552 bytes free

194 --- E O F --- 2008-09-10 07:03:31

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:06:58 AM

Posted 28 September 2008 - 08:22 PM

Hello, KKelvin.
Grrr... some of it came back. Let's try one more time:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    KILLALL::
    
    file::
    C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
    
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
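The two items the helper targets in the follow-up script above are exactly the persistence points that survived the first ComboFix run: the AppInit_DLLs value still naming wxjtvu.dll, and the random-named startupreg entry SfKg6wIP launching qiywib.exe from Application Data. The checker below is an added example, not ComboFix's own tooling and not something posted in this thread: it parses a ComboFix "Reg Loading Points" section, flags those two kinds of entry, and renders the registry:: directives a CFScript.txt would need to remove them. The sample log text is constructed from lines posted earlier in the thread, and the random-name heuristic is an assumption for illustration.

```python
import re

# Constructed sample: three autostart entries quoted from the log posted
# earlier in this thread, so the checker runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxjtvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
--a------ 2008-09-22 21:40 35328 C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix prints a startupreg entry as: attributes date time size path
FILE_RE = re.compile(r"^[-a-z]{9} \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (.+)$")
# Assumed heuristic, not a ComboFix rule: 8+ alphanumerics mixing letters and digits
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}")


def parse_reg_blocks(text):
    """Return [(key, [body lines])] for each [key] block in the section."""
    blocks, key, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, body))
            key, body = m.group(1), []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        blocks.append((key, body))
    return blocks


def find_suspicious(text):
    """Return [(reason, cfscript_directive)] for entries worth removing."""
    findings = []
    for key, body in parse_reg_blocks(text):
        low, tail = key.lower(), key.rsplit("\\", 1)[-1]
        if low.endswith("currentversion\\windows"):
            for line in body:
                v = VALUE_RE.match(line)
                # AppInit_DLLs is loaded into every process that maps user32.dll;
                # on a clean XP box the value is empty.
                if v and v.group(1) == "AppInit_DLLs" and v.group(2).strip():
                    findings.append((f"AppInit_DLLs={v.group(2)}",
                                     f'[{key}]\n"AppInit_DLLs"=-'))
        elif "\\msconfig\\startupreg\\" in low:
            paths = [f.group(1) for f in map(FILE_RE.match, body) if f]
            from_appdata = any("\\application data\\" in p.lower() for p in paths)
            if RANDOM_NAME_RE.fullmatch(tail):
                reason = "random-looking name"
            elif from_appdata:
                reason = "binary runs from Application Data"
            else:
                continue
            findings.append((f"startupreg\\{tail}: {reason}", f"[-{key}]"))
    return findings


def build_cfscript(findings):
    """Render the directives as the registry:: section of a CFScript.txt."""
    return "registry::\n" + "\n\n".join(d for _, d in findings) + "\n"


if __name__ == "__main__":
    for reason, _ in find_suspicious(SAMPLE_LOG):
        print("flag:", reason)
    print(build_cfscript(find_suspicious(SAMPLE_LOG)))
```

Running it over the section from the third log in this thread, where AppInit_DLLs is absent and SfKg6wIP is gone, returns no findings, which is the check that the second script actually held.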

#15 KKelvin

KKelvin
  • Topic Starter

  • Members
  • 88 posts
  • Local time:08:58 AM

Posted 28 September 2008 - 09:52 PM

ComboFix 08-09-27.06 - Owner 2008-09-28 22:34:06.7 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\qiywib.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-22 18:01 . 2008-09-28 16:56 <DIR> d-------- C:\Program Files\Twain
2008-09-22 17:56 . 2008-09-22 17:56 <DIR> d-------- C:\Program Files\Webtools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-25 05:57 --------- d-----w C:\Program Files\World of Warcraft
2008-09-19 08:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-09-03 06:22 --------- d-----w C:\Program Files\Warcraft III
2008-08-26 22:59 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-26 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-08-24 07:26 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-05-20 21:52 5,024,800 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-20 21:52 121,632 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 4841472]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"HostManager"="C:\Program Files\Common Files\AOL\1139185461\ee\AOLSoftware.exe" [2006-05-09 50760]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 16384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2003-07-28 14:19 49152 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a--c--- 2008-05-23 18:28 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-08-16 02:55 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 18:35 3587120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Steam\\SteamApps\\killahxkelvin@aol.com\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 22:39:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-28 22:51:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 02:51:33
ComboFix2.txt 2008-09-28 23:17:51
ComboFix3.txt 2008-09-28 21:18:42
ComboFix4.txt 2008-01-17 22:06:18
ComboFix5.txt 2008-09-29 02:33:01

Pre-Run: 88,078,880,768 bytes free
Post-Run: 88,067,616,768 bytes free

120 --- E O F --- 2008-09-10 07:03:31
