Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.BHO.H and Trojan.Agent removal


  • This topic is locked This topic is locked
10 replies to this topic

#1 rcvowell

rcvowell

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 12 February 2009 - 09:03 PM

I had a computer start to crash on me with internet lock ups, beyon slow performance and various other symptoms leading me in the direction of an infection of some type.

I saw some evidence of the MS Antispyware 2009 on it and started from there.

I downloaded Malwarebytes' Anti-Malware and updated it, ran it, and found a huge amounted of infected entries, over 80. It removed all but 8.

The last ones are tagged with vendor names : Trojan.BHO.H and Trojan.Agent

One file that is indicated as infected is named as "avifil3.dll" in the C:\WINDOWS\system32 directory.

__________________________________
DDS Log below
___________________________________

DDS (Ver_09-02-01.01) - NTFSx86
Run by PRME Log-In at 15:48:47.17 on Thu 02/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.635 [GMT -10:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Kristen Dening\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {cb6cb652-34be-43a2-8095-065d7bbc3e6e} - c:\windows\system32\avifil3.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kriste~1\applic~1\mozilla\firefox\profiles\qhb5ptb4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 zjpyebhu;zjpyebhu;c:\windows\system32\drivers\zjpyebhu.sys [2004-8-11 23424]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-12 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090212.038\NAVENG.SYS [2009-2-12 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090212.038\NAVEX15.SYS [2009-2-12 876112]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-2-11 1245064]

=============== Created Last 30 ================

2009-02-12 15:06 <DIR> --d----- C:\VundoFix Backups
2009-02-12 14:59 <DIR> --d----- c:\windows\pss
2009-02-12 14:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-12 14:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-12 14:01 <DIR> a-dshr-- C:\cmdcons
2009-02-12 08:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-11 17:50 <DIR> --d----- c:\docume~1\kriste~1\applic~1\Malwarebytes
2009-02-11 17:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-11 17:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-11 17:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 13:17 <DIR> --d----- C:\N360_BACKUP
2009-02-11 13:06 305 a------- c:\windows\system32\MRT.INI
2009-02-11 13:06 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-02-11 11:34 <DIR> --d----- c:\program files\Norton 360
2009-02-11 11:32 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-11 11:32 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-11 11:32 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-11 11:32 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-11 11:32 <DIR> --d----- c:\program files\Symantec
2009-01-27 16:20 <DIR> --d----- C:\669c85f42a001c3725a857bf19c381
2009-01-27 16:04 743,621 a------- c:\windows\system32\RPUpdates.zip
2009-01-27 15:55 45 a------- c:\windows\system32\RPVersion.ini
2009-01-27 15:51 86,016 -------- c:\windows\unvise32.exe
2009-01-27 15:51 <DIR> --d----- c:\program files\RegistryPatrol3.0
2009-01-23 09:17 96,768 a------- c:\windows\system32\avifil3.dll

==================== Find3M ====================

2008-12-12 07:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 01:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 15:49:24.14 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 13 February 2009 - 02:07 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 21 February 2009 - 06:32 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 24 February 2009 - 01:18 PM

Reopened. :thumbup2:

Please perform my instructions and post the Combofix log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 rcvowell

rcvowell
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 24 February 2009 - 05:42 PM

Here is the log from the Conbo Fix I just ran.

---------------------------

ComboFix 09-02-24.02 - PRME Log-In 2009-02-24 12:25:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.518 [GMT -10:00]
Running from: c:\documents and settings\Kristen Dening\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\avifil3.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-12 15:06 . 2009-02-12 15:06 <DIR> d-------- C:\VundoFix Backups
2009-02-12 14:47 . 2009-02-12 14:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-12 14:47 . 2009-02-12 15:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 08:34 . 2009-02-12 08:34 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-12 08:34 . 2009-02-12 08:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-11 19:15 . 2009-02-11 19:15 <DIR> d-------- c:\documents and settings\admin\Application Data\Symantec
2009-02-11 19:15 . 2009-02-11 19:15 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2009-02-11 17:50 . 2009-02-11 17:50 <DIR> d-------- c:\documents and settings\Kristen Dening\Application Data\Malwarebytes
2009-02-11 17:45 . 2009-02-11 19:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 17:45 . 2009-02-11 17:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 17:45 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:45 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-11 17:29 . 2009-02-11 17:29 <DIR> d-------- c:\documents and settings\admin
2009-02-11 16:40 . 2009-02-11 16:40 <DIR> d-------- c:\documents and settings\Guest\Application Data\Symantec
2009-02-11 13:17 . 2009-02-11 13:17 <DIR> d-------- C:\N360_BACKUP
2009-02-11 13:06 . 2009-02-11 13:06 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-02-11 13:06 . 2009-02-11 13:06 305 --a------ c:\windows\system32\MRT.INI
2009-02-11 11:34 . 2009-02-11 11:34 <DIR> d-------- c:\program files\Windows Sidebar
2009-02-11 11:34 . 2009-02-12 13:53 <DIR> d-------- c:\program files\Norton 360
2009-02-11 11:32 . 2009-02-12 08:36 <DIR> d-------- c:\program files\Symantec
2009-02-11 11:32 . 2009-02-12 08:36 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-11 11:32 . 2009-02-12 08:36 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-11 11:32 . 2009-02-12 08:36 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-11 11:32 . 2009-02-12 08:36 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-29 09:11 . 2009-01-29 09:11 <DIR> dr------- c:\documents and settings\Guest\Application Data\Brother
2009-01-27 16:20 . 2009-01-27 16:20 <DIR> d-------- C:\669c85f42a001c3725a857bf19c381
2009-01-27 16:04 . 2009-01-27 16:04 743,621 --a------ c:\windows\system32\RPUpdates.zip
2009-01-27 15:55 . 2009-01-27 16:07 45 --a------ c:\windows\system32\RPVersion.ini
2009-01-27 15:51 . 2009-01-27 16:19 <DIR> d-------- c:\program files\RegistryPatrol3.0
2009-01-27 15:51 . 1999-12-17 22:43 86,016 --------- c:\windows\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 22:28 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-24 18:01 --------- d-----w c:\documents and settings\Kristen Dening\Application Data\AdobeUM
2009-02-13 00:22 --------- d-----w c:\program files\Google
2009-02-12 18:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-11 21:21 --------- d-----w c:\program files\McAfee
2009-02-11 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-28 18:13 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-12 17:33 3,060,224 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2006-08-03 20:24 60,526 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-08-03 20:24 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-08-03 20:24 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB6CB652-34BE-43A2-8095-065D7BBC3E6E}]
2004-08-04 01:00 96768 --a------ c:\windows\system32\avifil3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-14 196608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-06 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-27 271672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2007-11-19 1015808]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-13 339968]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-14 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

R0 zjpyebhu;zjpyebhu;c:\windows\system32\drivers\zjpyebhu.sys [2004-08-11 23424]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB18 [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-12 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]

2008-03-08 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (KRISTEN-Kristen Dening).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-02-20 c:\windows\Tasks\PR&ME 1167964781.job
- c:\program files\Intuit\QuickBooks 2006\AutoBackupEXE.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Kristen Dening\Application Data\Mozilla\Firefox\Profiles\qhb5ptb4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 12:30:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dumprep.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-24 12:32:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 22:32:19
ComboFix2.txt 2009-02-13 00:09:34

Pre-Run: 137,086,025,728 bytes free
Post-Run: 137,455,087,616 bytes free

195 --- E O F --- 2009-02-11 23:06:49

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 24 February 2009 - 05:56 PM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\zjpyebhu.sys
c:\windows\system32\avifil3.dll
Driver::
zjpyebhu
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB6CB652-34BE-43A2-8095-065D7BBC3E6E}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 rcvowell

rcvowell
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 24 February 2009 - 06:48 PM

I have attached the log, I was getting an error about post size being to large when I copied it into the post directly.

Attached Files



#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 24 February 2009 - 07:06 PM

I see there was a Windows update in a meanwhile which explains why the log is so long. :thumbup2:
Combofix enables Windows updates again, this in case if it was disabled by malware or by you. Windows updates should be enabled anyway, so it can download and install latest patches to prevent future malware.

Anyway, your log looks clean again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 rcvowell

rcvowell
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 24 February 2009 - 08:29 PM

Thanks much!!!!!! I ran a Malwarebytes quick scan after removing combofix and it came up clean, no bugs found.

:) :step4: :thumbup2:

Scratch you Malware Killer Dogs ears for me and thanks again!

Ryan

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 24 February 2009 - 08:35 PM

Scratch you Malware Killer Dogs ears for me and thanks again!

Will do :thumbup2:

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:37 PM

Posted 01 March 2009 - 12:47 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users