Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Gadcom.exe and other potential spyware issues


  • This topic is locked This topic is locked
4 replies to this topic

#1 z3n

z3n

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 03 January 2009 - 09:37 AM

About two days ago, my machine suddenly froze up during a download. For a while it was just stalling until all my programs suddenly sprung back to life, and a multitude of pop-up's began to invade my monitor. After fighting with my machines anti-virus software (I currently use AVG-Free) I managed to run enough scans to destroy several malware programs. After running Malwarebytes' Anti-Malware, I was sure that I had the problem solved, but I still experienced several annoying pop-up advertisements running through Internet Explorer.

Some troubling processes that I found in my hunt include Gadcom.exe, but because of the almost anonymous cvshost issue, I cant tell if another viral or malware program is running in the background of my machine. Currently, internet explorer process is constantly popping up in the task manager and I close the process immediately, but I can't figure out how to stop it. I'm very frustrated that I cannot find and kill the process myself, and I would like to know what steps I can take to clean my machine.

I will sum up what I did before posting my log. I hope that helps find the issue.

Discovered suspicious processes, googled several and found Gadcom.exe as a threat.
Ran AVG Scan
Ran Malwarebytes' Anti-Malware; "Removed" Gadcom.exe
Ran Ccleaner through entire registrary and temp internet files for both Internet Explorer and Modzilla Firefox
Got a pop up add after about 10 minutes.

The following is the DSS Log I took afterward:


DDS (Version 1.1.0) - NTFSx86
Run by Z3N at 9:22:02.35 on Sat 01/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.297 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Z3N\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: {e296853c-300a-3c2b-02c4-29f83644accf}: {fcca4463-8f92-4c20-b2c3-a003c358692e} - c:\windows\system32\pghwln.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [NWEReboot]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\z3n\startm~1\programs\startup\sdktra~1.lnk - c:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: xatcore - xatcore.dll
AppInit_DLLs: karina.dat??R?5.1,avgrsstx.dll pghwln.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\z3n\applic~1\mozilla\firefox\profiles\hq7b0k5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://testudo.umd.edu/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-12 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-12 26824]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-12 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-12 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-12 76040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\z3n\locals~1\temp\aswarkrn.sys --> c:\docume~1\z3n\locals~1\temp\aswArKrn.sys [?]
S3 serb1;serb1;\??\c:\documents and settings\z3n\desktop\maple hax\serbio\serbio\serbio.sys --> c:\documents and settings\z3n\desktop\maple hax\serbio\serbio\serbio.sys [?]
S4 NICSer_WPC300N;NICSer_WPC300N;c:\program files\linksys\wireless-n network monitor\nicserv.exe --> c:\program files\linksys\wireless-n network monitor\NICServ.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-01-02 10:28 134,144 a------- c:\windows\system32\pghwln.dll
2009-01-02 10:28 134,144 a------- c:\windows\system32\fviqyetj.dll

==================== Find3M ====================

2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-18 17:01 79,094 a------- c:\windows\system32\mvdahiukvyapwau.exe
2008-11-16 00:40 21,419 a------- c:\windows\system32\drivers\AegisP.sys
2008-11-05 20:08 26,112 a------- c:\windows\WAVEMIX.DLL
2008-11-05 20:08 21,008 a------- c:\windows\CTL3D.DLL
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-08-12 05:14 17,977 a------- c:\program files\common files\cycynazoq.com
2008-08-12 05:14 14,320 a------- c:\program files\common files\ruja.bin
2008-08-12 05:14 12,802 a------- c:\docume~1\z3n\applic~1\akygax.sys
2008-08-12 05:14 10,903 a------- c:\program files\common files\ijebej.reg
2007-12-23 16:31 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-09-07 03:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 9:23:20.84 ===============
Attached File  Attach.txt   13.5KB   1 downloads

Edited by z3n, 03 January 2009 - 09:47 AM.


BC AdBot (Login to Remove)

 


#2 z3n

z3n
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 03 January 2009 - 09:43 AM

When I was running Malbytes' software, I had run it on an older version, and so I am posting the log to show what steps I took.

This is the one before
======================================================================
Malwarebytes' Anti-Malware 1.24
Database version: 1045
Windows 5.1.2600 Service Pack 3

11:37:04 PM 1/2/2009
mbam-log-1-2-2009 (23-37-04).txt

Scan type: Quick Scan
Objects scanned: 44192
Time elapsed: 16 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 22
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\efcAPGxV.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ryomdxwc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRICRhi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{937fc390-458d-4580-8049-b58937fe0ca1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{937fc390-458d-4580-8049-b58937fe0ca1} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqricrhi (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8afef44 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcapgxv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcapgxv -> Delete on reboot.

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\efcAPGxV.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\VxGPAcfe.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\VxGPAcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryomdxwc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cwxdmoyr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRICRhi.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Z3N\Local Settings\Temporary Internet Files\Content.IE5\TE2JX0E3\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvWqOGw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMeEUNe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

=======================================================================





This is the Malbytes log for the scan that I made AFTER upgrading the definitions for the program
======================================================================
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/3/2009 5:03:10 AM
mbam-log-2009-01-03 (05-03-09).txt

Scan type: Quick Scan
Objects scanned: 53491
Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Z3N\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\senekalqgdxvmi.dll (Trojan.Seneka) -> Delete on reboot.
C:\Documents and Settings\Z3N\Local Settings\Temp\winasnet.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Z3N\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Z3N\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Z3N\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.





I'm sorry if I made a mistake in showing this but I'm at a loss of what to do.

#3 z3n

z3n
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 03 January 2009 - 09:23 PM

Adding a ComboFix log for a scan I performed a few hours ago.

ComboFix 09-01-02.01 - Z3N 2009-01-03 17:22:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.498 [GMT -5:00]
Running from: c:\documents and settings\Z3N\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Z3N\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Z3N\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\Downloaded Program Files\setup.inf
c:\windows\g32.txt
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaxcbievey.sys
c:\windows\system32\fviqyetj.dll
c:\windows\system32\pghwln.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekafvbrskwr.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekalqgdxvmi.dll
c:\windows\system32\senekavcjaomyy.dll
c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-03 10:01 . 2009-01-03 12:46 <DIR> d-------- c:\program files\a-squared Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 09:46 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-03 09:30 --------- d-----w c:\program files\CCleaner
2008-12-27 01:53 --------- d-----w c:\documents and settings\LWms\Application Data\OpenOffice.org2
2008-12-19 20:27 --------- d-----w c:\documents and settings\Z3N\Application Data\OpenOffice.org2
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-27 04:46 --------- d-----w c:\documents and settings\Z3N\Application Data\MySQL
2008-11-27 02:08 --------- d-----w c:\program files\MySQL
2008-11-27 01:07 --------- d-----w c:\program files\Java
2008-11-27 01:03 --------- d-----w c:\program files\NetBeans 6.1
2008-11-26 23:44 --------- d-----w c:\program files\Microsoft SQL Server
2008-11-26 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-26 23:39 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-11-26 23:35 --------- d-----w c:\program files\Common Files\Merge Modules
2008-11-26 23:34 --------- d-----w c:\program files\Microsoft.NET
2008-11-26 23:26 --------- d-----w c:\program files\Microsoft SDKs
2008-11-26 23:19 --------- d-----w c:\program files\Reference Assemblies
2008-11-26 23:19 --------- d-----w c:\program files\MSBuild
2008-11-16 05:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 05:40 21,419 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-11-16 05:40 --------- d-----w c:\program files\Linksys
2008-11-06 01:08 26,112 ----a-w c:\windows\WAVEMIX.DLL
2008-11-06 01:08 21,008 ----a-w c:\windows\CTL3D.DLL
2008-08-12 10:14 17,977 ----a-w c:\program files\Common Files\cycynazoq.com
2008-08-12 10:14 14,320 ----a-w c:\program files\Common Files\ruja.bin
2008-08-12 10:14 12,802 ----a-w c:\documents and settings\Z3N\Application Data\akygax.sys
2008-08-12 10:14 10,903 ----a-w c:\program files\Common Files\ijebej.reg
2007-12-23 21:31 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-07 08:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-09 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-05 1261336]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\LWms\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 61440]

c:\documents and settings\Z3N\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2008-03-25 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2008-01-09 6922240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\atimtag.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^BWms^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\BWms\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Z3N^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Z3N\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 05:48 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 c:\program files\Common Files\AOL\1156852569\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2006-05-10 14:52 249856 c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2002-10-08 13:03 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-06-15 18:15 366400 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 14:27 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156852569\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156852569\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\polboot.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Nexon\\MapleStory\\localhost.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7575:TCP"= 7575:TCP:*:Disabled:odinms
"8484:TCP"= 8484:TCP:*:Disabled:odinms
"8484:UDP"= 8484:UDP:*:Disabled:odinms
"7575:UDP"= 7575:UDP:*:Disabled:odinms
"8888:TCP"= 8888:TCP:*:Disabled:odinms
"8888:UDP"= 8888:UDP:*:Disabled:odinms

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-12 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-12 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-12 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-12 76040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Z3N\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Z3N\LOCALS~1\Temp\aswArKrn.sys [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S3 serb1;serb1;\??\c:\documents and settings\Z3N\Desktop\maple hax\Serbio\Serbio\serbio.sys --> c:\documents and settings\Z3N\Desktop\maple hax\Serbio\Serbio\serbio.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f52be05-7f93-11db-8334-00e018999adc}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware\Antispyware.exe []

2009-01-03 c:\windows\Tasks\Antispyware Scheduled Scan.job
- c:\program files\Antispyware []

2009-01-03 c:\windows\Tasks\vgfctxai.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{fcca4463-8f92-4c20-b2c3-a003c358692e} - c:\windows\system32\pghwln.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
FF - ProfilePath - c:\documents and settings\Z3N\Application Data\Mozilla\Firefox\Profiles\hq7b0k5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://testudo.umd.edu/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 21:11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1520)
c:\program files\Funk Software\Funk Client\odLogin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
d:\program files\Wizet\Maple Story\npkcmsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-01-03 21:18:10 - machine was rebooted [Z3N]
ComboFix-quarantined-files.txt 2009-01-04 02:18:05

Pre-Run: 22,626,439,168 bytes free
Post-Run: 22,753,492,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

268 --- E O F --- 2008-12-18 12:06:26

#4 z3n

z3n
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 04 January 2009 - 10:04 PM

Issue resolved; Please close thread.

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:07:06 AM

Posted 05 January 2009 - 10:04 AM

Thank you for notify us.. I will now close this topic.. Please pm any Moderator or HijackThis Team should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users