Infected with Trojans


7 replies to this topic

#1 Bob The Chainsaw
  • Members
  • 32 posts

Posted 26 January 2009 - 03:56 PM

Wow this is the third time this has happened, sooooo maybe I should look into that. But anyway, here's the DDS.

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Andrew\Application Data\cogad\cogad.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: {d5bf4552-94f1-42bd-f434-3604812c807d} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [cogad] "c:\documents and settings\andrew\application data\cogad\cogad.exe" 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: klryto.dll nomaot.dll ndqzql.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\6lj5sj3a.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-26 12:32 <DIR> --d----- C:\VundoFix Backups
2009-01-26 12:23 61,440 a------- c:\windows\system32\drivers\nicxbh.sys
2009-01-25 20:41 129,024 a------- c:\windows\system32\ndqzql.dll
2009-01-25 20:41 129,024 a------- c:\windows\system32\iqfnbfxk.dll
2009-01-25 19:37 129,024 a------- c:\windows\system32\nomaot.dll
2009-01-25 19:37 129,024 a------- c:\windows\system32\utqsmbfq.dll
2009-01-25 19:35 1,434,061 ---sh--- c:\windows\system32\afbhkppo.ini
2009-01-25 14:25 129,024 a------- c:\windows\system32\xgkilshg.dll
2009-01-25 14:25 129,024 a------- c:\windows\system32\klryto.dll
2009-01-25 14:24 120 ---sh--- c:\windows\system32\rkdroxky.ini
2009-01-25 14:19 93,420 a------- c:\windows\system32\drivers\25d47df9.sys
2009-01-25 14:18 <DIR> --d----- c:\docume~1\andrew\applic~1\cogad
2009-01-20 16:43 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-01-19 14:09 70,656 a------- c:\windows\ScUnin.exe
2009-01-19 14:09 34,807 a------- c:\windows\scunin.dat
2009-01-19 14:09 967 a------- c:\windows\ScUnin.pif
2009-01-18 19:31 <DIR> --d----- c:\program files\Starcraft
2009-01-09 17:59 <DIR> --d----- c:\program files\DivX
2009-01-08 17:08 <DIR> --d----- C:\ComboFix
2009-01-07 15:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-07 15:35 <DIR> --d----- c:\documents and settings\andrew\.SunDownloadManager
2008-12-30 20:17 <DIR> --d----- c:\program files\PlayOnline
2008-12-30 20:17 <DIR> --d----- c:\program files\common files\PlayOnline
2008-12-30 20:05 <DIR> --d----- C:\FFXI Install

==================== Find3M ====================

2009-01-26 12:23 1,632 a------- c:\program files\pfcri.txt
2009-01-10 11:38 2,692 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 21:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 21:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 21:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-12-03 19:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-06 11:37 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-06 11:37 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-06 11:37 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-06 11:37 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-06 11:37 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-06 11:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-06 11:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-06 11:33 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-11-06 11:33 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-11-06 11:33 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-11-06 11:33 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-11-06 11:33 684,032 a------- c:\windows\system32\DivX.dll
2008-11-06 11:33 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-07-01 18:20 23 a------- c:\documents and settings\andrew\jagex_runescape_preferences.dat

============= FINISH: 15:52:10.37 ===============


#2 shelf life
  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 30 January 2009 - 09:28 PM

hi,

third time this has happened, sooooo maybe I should look into that

You should, because it doesn't have to happen. You need to change your computing habits.

We will get a download to use. It's called combofix. There is a guide you need to read first. It will explain what you need to do and know. Post the combofix log in your reply:

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#3 Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts

Posted 31 January 2009 - 10:35 AM

I did what you said, but combofix said it was running in "REDUCED FUNCTIONALITY MODE". I'm not sure if that's a problem. Anyway, here's the log.

ComboFix 09-01-21.04 - Andrew 2009-01-31 10:26:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.583 [GMT -5:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-30 13:06 . 2009-01-30 13:06 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-30 11:58 . 2009-01-30 15:46 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-30 11:52 . 2009-01-30 12:14 4,566 --a------ c:\windows\imsins.BAK
2009-01-30 11:46 . 2009-01-30 11:46 <DIR> d-------- c:\documents and settings\Andrew\Application Data\MSNInstaller
2009-01-28 17:54 . 2009-01-28 17:54 <DIR> d-------- c:\documents and settings\Carol\Application Data\Malwarebytes
2009-01-28 15:54 . 2009-01-28 15:54 135,476 --ahs---- c:\windows\system32\szyxci.dll
2009-01-27 19:19 . 2009-01-27 19:19 <DIR> d-------- c:\documents and settings\Carol\Application Data\Move Networks
2009-01-27 15:33 . 2009-01-28 18:09 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Twain
2009-01-26 12:23 . 2009-01-26 12:23 61,440 --a------ c:\windows\system32\drivers\nicxbh.sys
2009-01-25 20:41 . 2009-01-25 20:41 129,024 --a------ c:\windows\system32\ndqzql.dll
2009-01-25 20:41 . 2009-01-25 20:41 129,024 --a------ c:\windows\system32\iqfnbfxk.dll
2009-01-25 19:37 . 2009-01-25 19:37 129,024 --a------ c:\windows\system32\utqsmbfq.dll
2009-01-25 19:37 . 2009-01-25 19:37 129,024 --a------ c:\windows\system32\nomaot.dll
2009-01-25 14:25 . 2009-01-25 14:25 129,024 --a------ c:\windows\system32\xgkilshg.dll
2009-01-25 14:25 . 2009-01-25 14:25 129,024 --a------ c:\windows\system32\klryto.dll
2009-01-25 14:24 . 2009-01-25 14:24 120 ---hs---- c:\windows\system32\rkdroxky.ini
2009-01-25 14:19 . 2009-01-31 10:28 93,420 --a------ c:\windows\system32\drivers\25d47df9.sys
2009-01-25 14:18 . 2009-01-30 12:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\cogad
2009-01-20 17:00 . 2009-01-20 17:00 <DIR> d-------- c:\documents and settings\Andrew\Application Data\DivX
2009-01-20 16:43 . 2009-01-20 16:43 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-01-19 14:09 . 2009-01-19 14:10 70,656 --a------ c:\windows\ScUnin.exe
2009-01-19 14:09 . 2009-01-19 14:10 34,807 --a------ c:\windows\scunin.dat
2009-01-19 14:09 . 2009-01-19 14:10 967 --a------ c:\windows\ScUnin.pif
2009-01-18 19:31 . 2009-01-23 18:58 <DIR> d-------- c:\program files\Starcraft
2009-01-09 17:59 . 2009-01-09 18:00 <DIR> d-------- c:\program files\DivX
2009-01-07 15:38 . 2009-01-07 15:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 15:35 . 2009-01-07 15:36 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager
2008-12-30 20:17 . 2008-12-30 20:17 <DIR> d-------- c:\program files\PlayOnline
2008-12-30 20:17 . 2008-12-30 20:17 <DIR> d-------- c:\program files\Common Files\PlayOnline
2008-12-30 20:05 . 2008-12-30 20:09 <DIR> d-------- C:\FFXI Install
2008-12-25 18:46 . 2008-12-25 19:32 <DIR> d-------- c:\documents and settings\Amy\Application Data\U3
2008-12-25 09:57 . 2008-12-25 09:58 <DIR> d-------- c:\program files\iTunes
2008-12-25 09:57 . 2008-12-25 09:57 <DIR> d-------- c:\program files\iPod
2008-12-25 09:57 . 2008-12-25 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 09:56 . 2008-12-25 09:56 <DIR> d-------- c:\program files\QuickTime
2008-12-25 09:54 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-25 09:36 . 2008-12-25 09:36 <DIR> d-------- c:\documents and settings\Amy\Application Data\Apple Computer
2008-12-24 22:33 . 2008-12-24 22:33 <DIR> d-------- c:\windows\Cache
2008-12-24 17:32 . 2008-12-24 19:02 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-22 23:11 . 2008-12-22 23:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 23:11 . 2008-12-22 23:11 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-22 23:11 . 2008-12-22 23:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 23:11 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 23:11 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-22 12:45 . 2008-12-22 12:45 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 12:45 . 2008-12-22 12:45 <DIR> d---s---- c:\documents and settings\Andrew\UserData
2008-12-16 16:44 . 2008-12-16 16:44 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-16 16:42 . 2008-12-16 16:43 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-10 19:33 . 2008-12-10 19:33 200,704 --a------ c:\windows\system32\dtu100.dll
2008-12-10 19:33 . 2008-12-10 19:33 86,016 --a------ c:\windows\system32\dpl100.dll
2008-12-08 21:28 . 2008-12-08 21:28 593,920 --a------ c:\windows\system32\dpuGUI11.dll
2008-12-08 21:28 . 2008-12-08 21:28 344,064 --a------ c:\windows\system32\dpus11.dll
2008-12-08 21:28 . 2008-12-08 21:28 294,912 --a------ c:\windows\system32\dpu11.dll
2008-12-08 21:28 . 2008-12-08 21:28 57,344 --a------ c:\windows\system32\dpv11.dll
2008-12-08 20:47 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-08 20:47 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-08 20:47 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-08 20:47 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-08 20:47 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-08 20:47 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-08 20:47 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 15:08 --------- d-----w c:\program files\Steam
2009-01-30 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 22:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-28 20:54 135,476 --sha-w c:\windows\system32\kedohugu.dll
2009-01-26 17:23 1,632 ----a-w c:\program files\pfcri.txt
2009-01-10 16:38 2,692 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-01-10 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:38 --------- d-----w c:\program files\Electronic Arts
2009-01-07 20:38 --------- d-----w c:\program files\Java
2008-12-25 14:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 14:40 --------- d-----w c:\program files\Apple Software Update
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-06 16:37 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-06 16:37 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-06 16:37 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-06 16:37 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-06 16:37 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-06 16:35 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-06 16:35 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-11-06 16:33 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-11-06 16:33 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-11-06 16:33 684,032 ----a-w c:\windows\system32\DivX.dll
2008-11-06 16:33 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-07-01 23:20 23 ----a-w c:\documents and settings\Andrew\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44aa5000-6cc5-4ab9-afae-d6d68e672628}]
2009-01-28 15:54 135476 --ahs---- c:\windows\system32\szyxci.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-09-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G G G G

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nivedusa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\the ship\\ship.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source beta\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\rollercoastergy\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\source sdk base\\hl2.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VnrPack23 - c:\program files\VnrPack\VnrPack23.exe
HKCU-Run-miwk - c:\program files\InetGet2\stub109_4_0_4_0.exe


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\08zony13.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 10:27:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\25d47df9]
"ImagePath"="\SystemRoot\System32\drivers\25d47df9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1547161642-776561741-839522115-1006\Software\SecuROM\License information*]
"datasecu"=hex:e0,3f,8d,a6,82,71,0e,0e,fd,b6,53,d4,eb,cd,ce,6b,b3,b2,df,df,63,
93,34,b9,45,62,16,a4,21,68,6f,d2,53,c5,84,0e,e7,65,15,ad,c4,9a,23,36,1e,0b,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\klryto.dll
c:\windows\system32\nomaot.dll
c:\windows\system32\ndqzql.dll
c:\windows\system32\szyxci.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\klryto.dll
c:\windows\system32\nomaot.dll
c:\windows\system32\ndqzql.dll
c:\windows\system32\szyxci.dll
.
Completion time: 2009-01-31 10:31:33
ComboFix-quarantined-files.txt 2009-01-31 15:30:34

Pre-Run: 47,271,047,168 bytes free
Post-Run: 47,306,948,608 bytes free

216 --- E O F --- 2009-01-15 03:33:46

#4 shelf life
  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 31 January 2009 - 08:49 PM

hi,

ok thanks for the info. we will use combofix. Don't forget to disable your AV and anti-malware before using combofix.

Click Start, then Run, type in Notepad and click OK. Notepad will open.
Copy/paste the text in the code box below into Notepad:

File::
c:\windows\system32\ndqzql.dll
c:\windows\system32\iqfnbfxk.dll
c:\windows\system32\utqsmbfq.dll
c:\windows\system32\nomaot.dll
c:\windows\system32\xgkilshg.dll
c:\windows\system32\klryto.dll
c:\windows\system32\rkdroxky.ini
c:\windows\system32\szyxci.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44aa5000-6cc5-4ab9-afae-d6d68e672628}]

Driver::
25d47df9.sys


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the combofix icon and release; combofix will run and produce a new log.
Please post the new combofix log and a new hjt log.

After you finish with combofix, check Malwarebytes for updates, do a full system scan and post the MBAM log also. Like this:

* Start MBAM and click on the Update tab. Then click on Check for Updates.
* Select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.



#5 Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts

Posted 01 February 2009 - 12:18 PM

Here's the combofix log:

ComboFix 09-01-31.03 - Andrew 2009-02-01 10:44:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.583 [GMT -5:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\iqfnbfxk.dll
c:\windows\system32\klryto.dll
c:\windows\system32\ndqzql.dll
c:\windows\system32\nomaot.dll
c:\windows\system32\rkdroxky.ini
c:\windows\system32\szyxci.dll
c:\windows\system32\utqsmbfq.dll
c:\windows\system32\xgkilshg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\iqfnbfxk.dll
c:\windows\system32\kedohugu.dll
c:\windows\system32\klryto.dll
c:\windows\system32\ndqzql.dll
c:\windows\system32\nomaot.dll
c:\windows\system32\rkdroxky.ini
c:\windows\system32\szyxci.dll
c:\windows\system32\utqsmbfq.dll
c:\windows\system32\xgkilshg.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-30 13:06 . 2009-01-30 13:06 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-30 11:58 . 2009-01-30 15:46 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-30 11:52 . 2009-01-30 12:14 4,566 --a------ c:\windows\imsins.BAK
2009-01-30 11:46 . 2009-01-30 11:46 <DIR> d-------- c:\documents and settings\Andrew\Application Data\MSNInstaller
2009-01-28 17:54 . 2009-01-28 17:54 <DIR> d-------- c:\documents and settings\Carol\Application Data\Malwarebytes
2009-01-27 19:19 . 2009-01-27 19:19 <DIR> d-------- c:\documents and settings\Carol\Application Data\Move Networks
2009-01-27 15:33 . 2009-01-28 18:09 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Twain
2009-01-26 12:23 . 2009-01-26 12:23 61,440 --a------ c:\windows\system32\drivers\nicxbh.sys
2009-01-25 14:19 . 2009-02-01 10:49 93,420 --a------ c:\windows\system32\drivers\25d47df9.sys
2009-01-25 14:18 . 2009-01-30 12:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\cogad
2009-01-20 17:00 . 2009-01-20 17:00 <DIR> d-------- c:\documents and settings\Andrew\Application Data\DivX
2009-01-20 16:43 . 2009-01-20 16:43 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-01-19 14:09 . 2009-01-19 14:10 70,656 --a------ c:\windows\ScUnin.exe
2009-01-19 14:09 . 2009-01-19 14:10 34,807 --a------ c:\windows\scunin.dat
2009-01-19 14:09 . 2009-01-19 14:10 967 --a------ c:\windows\ScUnin.pif
2009-01-18 19:31 . 2009-01-23 18:58 <DIR> d-------- c:\program files\Starcraft
2009-01-09 17:59 . 2009-01-09 18:00 <DIR> d-------- c:\program files\DivX
2009-01-07 15:38 . 2009-01-07 15:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 15:35 . 2009-01-07 15:36 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 15:49 --------- d-----w c:\program files\Steam
2009-01-30 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 22:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-26 17:23 1,632 ----a-w c:\program files\pfcri.txt
2009-01-10 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:38 --------- d-----w c:\program files\Electronic Arts
2009-01-07 20:38 --------- d-----w c:\program files\Java
2008-12-31 01:17 --------- d-----w c:\program files\PlayOnline
2008-12-31 01:17 --------- d-----w c:\program files\Common Files\PlayOnline
2008-12-26 00:32 --------- d-----w c:\documents and settings\Amy\Application Data\U3
2008-12-25 14:58 --------- d-----w c:\program files\iTunes
2008-12-25 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 14:57 --------- d-----w c:\program files\iPod
2008-12-25 14:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 14:56 --------- d-----w c:\program files\QuickTime
2008-12-25 14:40 --------- d-----w c:\program files\Apple Software Update
2008-12-25 14:36 --------- d-----w c:\documents and settings\Amy\Application Data\Apple Computer
2008-12-23 04:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-23 04:11 --------- d-----w c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-23 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 17:45 --------- d-----w c:\program files\Trend Micro
2008-12-16 21:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-04 00:53 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:53 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-07-01 23:20 23 ----a-w c:\documents and settings\Andrew\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_10.28.57.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2009-02-01 15:49:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_768.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-09-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\the ship\\ship.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source beta\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\rollercoastergy\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\source sdk base\\hl2.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\08zony13.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 10:49:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\25d47df9]
"ImagePath"="\SystemRoot\System32\drivers\25d47df9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1547161642-776561741-839522115-1006\Software\SecuROM\License information*]
"datasecu"=hex:e0,3f,8d,a6,82,71,0e,0e,fd,b6,53,d4,eb,cd,ce,6b,b3,b2,df,df,63,
93,34,b9,45,62,16,a4,21,68,6f,d2,53,c5,84,0e,e7,65,15,ad,c4,9a,23,36,1e,0b,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-01 10:54:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 15:54:16
ComboFix2.txt 2009-01-31 15:31:35

Pre-Run: 47,307,898,880 bytes free
Post-Run: 47,246,725,120 bytes free

182 --- E O F --- 2009-01-15 03:33:46

And here is the Malwarebytes log:

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 159829
Time elapsed: 1 hour(s), 18 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Andrew\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\iqfnbfxk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\klryto.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ndqzql.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nomaot.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\utqsmbfq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xgkilshg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP289\A0039453.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP290\A0039462.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP290\A0039463.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP292\A0039567.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP295\A0040025.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041025.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDDD4D16-3E69-470A-B910-8D15A68FB913}\RP297\A0041026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender: Male
  • Location: @localhost
  • Local time: 02:51 PM

Posted 01 February 2009 - 03:30 PM

Hi,

thanks for the info. We will be using Combofix again.

Don't forget to disable your AV and anti-malware before using ComboFix:

click Start, then Run and type in Notepad and click OK. Notepad will open.
Copy/paste the text in the code box below into notepad:

Driver::
nicxbh.sys
25d47df9.sys

Post the log.

How Can I Reduce My Risk to Malware?


#7 Bob The Chainsaw

Bob The Chainsaw
  • Topic Starter
  • Members
  • 32 posts
  • OFFLINE
  • Local time: 03:51 PM

Posted 01 February 2009 - 05:52 PM

Um, I'm not exactly sure what you wanted me to do with that Notepad file, so I put it into ComboFix like the previous one. Sorry if I was misinstructed. I also disabled my firewall. Anyway, here's the ComboFix log:

ComboFix 09-02-01.01 - Andrew 2009-02-01 17:45:51.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.592 [GMT -5:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-30 13:06 . 2009-01-30 13:06 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-30 11:58 . 2009-01-30 15:46 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-30 11:52 . 2009-01-30 12:14 4,566 --a------ c:\windows\imsins.BAK
2009-01-30 11:46 . 2009-01-30 11:46 <DIR> d-------- c:\documents and settings\Andrew\Application Data\MSNInstaller
2009-01-28 17:54 . 2009-01-28 17:54 <DIR> d-------- c:\documents and settings\Carol\Application Data\Malwarebytes
2009-01-27 19:19 . 2009-01-27 19:19 <DIR> d-------- c:\documents and settings\Carol\Application Data\Move Networks
2009-01-27 15:33 . 2009-01-28 18:09 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Twain
2009-01-26 12:23 . 2009-01-26 12:23 61,440 --a------ c:\windows\system32\drivers\nicxbh.sys
2009-01-25 14:19 . 2009-02-01 17:48 93,420 --a------ c:\windows\system32\drivers\25d47df9.sys
2009-01-20 17:00 . 2009-01-20 17:00 <DIR> d-------- c:\documents and settings\Andrew\Application Data\DivX
2009-01-20 16:43 . 2009-01-20 16:43 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-01-19 14:09 . 2009-01-19 14:10 70,656 --a------ c:\windows\ScUnin.exe
2009-01-19 14:09 . 2009-01-19 14:10 34,807 --a------ c:\windows\scunin.dat
2009-01-19 14:09 . 2009-01-19 14:10 967 --a------ c:\windows\ScUnin.pif
2009-01-18 19:31 . 2009-01-23 18:58 <DIR> d-------- c:\program files\Starcraft
2009-01-09 17:59 . 2009-01-09 18:00 <DIR> d-------- c:\program files\DivX
2009-01-07 15:38 . 2009-01-07 15:38 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 15:35 . 2009-01-07 15:36 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 15:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-01 15:49 --------- d-----w c:\program files\Steam
2009-01-30 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 22:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-26 17:23 1,632 ----a-w c:\program files\pfcri.txt
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-10 16:38 2,692 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-01-10 16:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 16:38 --------- d-----w c:\program files\Electronic Arts
2009-01-07 20:38 --------- d-----w c:\program files\Java
2008-12-31 01:17 --------- d-----w c:\program files\PlayOnline
2008-12-31 01:17 --------- d-----w c:\program files\Common Files\PlayOnline
2008-12-26 00:32 --------- d-----w c:\documents and settings\Amy\Application Data\U3
2008-12-25 14:58 --------- d-----w c:\program files\iTunes
2008-12-25 14:58 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 14:57 --------- d-----w c:\program files\iPod
2008-12-25 14:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-25 14:56 --------- d-----w c:\program files\QuickTime
2008-12-25 14:40 --------- d-----w c:\program files\Apple Software Update
2008-12-25 14:36 --------- d-----w c:\documents and settings\Amy\Application Data\Apple Computer
2008-12-23 04:11 --------- d-----w c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-23 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 17:45 --------- d-----w c:\program files\Trend Micro
2008-12-16 21:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-11-06 16:37 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-06 16:37 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-06 16:37 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-06 16:37 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-06 16:37 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-06 16:35 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-06 16:35 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-11-06 16:33 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-11-06 16:33 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-11-06 16:33 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-11-06 16:33 684,032 ----a-w c:\windows\system32\DivX.dll
2008-11-06 16:33 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-07-01 23:20 23 ----a-w c:\documents and settings\Andrew\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_10.28.57.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2009-02-01 15:49:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_768.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-09-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\the ship\\ship.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\day of defeat source beta\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\rollercoastergy\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\dilandau_sama\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\ericesn\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebunnylord\\source sdk base\\hl2.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\08zony13.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 17:48:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\25d47df9]
"ImagePath"="\SystemRoot\System32\drivers\25d47df9.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1547161642-776561741-839522115-1006\Software\SecuROM\License information*]
"datasecu"=hex:e0,3f,8d,a6,82,71,0e,0e,fd,b6,53,d4,eb,cd,ce,6b,b3,b2,df,df,63,
93,34,b9,45,62,16,a4,21,68,6f,d2,53,c5,84,0e,e7,65,15,ad,c4,9a,23,36,1e,0b,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-01 17:50:25
ComboFix-quarantined-files.txt 2009-02-01 22:50:17
ComboFix2.txt 2009-02-01 15:54:20
ComboFix3.txt 2009-01-31 15:31:35

Pre-Run: 47,225,384,960 bytes free
Post-Run: 47,213,580,288 bytes free

169 --- E O F --- 2009-01-15 03:33:46

#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender: Male
  • Location: @localhost
  • Local time: 02:51 PM

Posted 02 February 2009 - 04:50 PM

Hi Bob The Chainsaw,

Thanks for the info. When you run ComboFix, are you prompted to update your copy?
That script didn't work. Let's do this:

click Start, then Run and type in Notepad and click OK. Notepad will open.
Copy/paste the text in the code box below into notepad:

File::
c:\windows\system32\drivers\nicxbh.sys
c:\windows\system32\drivers\25d47df9.sys
Driver::
nicxbh.sys
25d47df9.sys


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

How Can I Reduce My Risk to Malware?
