
Trojan.Spy.BZub.NIP


This topic is locked
10 replies to this topic

#1 norms

norms

  • Members
  • 72 posts
  • OFFLINE
  • Gender:Male
  • Location:Washington State
  • Local time:10:49 AM

Posted 22 February 2009 - 01:56 PM

I keep getting this Trojan when I go to "Enable or Disable Add-Ons" (BHOs) in IE7. BitDefender picks up this Trojan and puts it in quarantine but it cannot clean it. BitDefender shows that it is associated with the file C:\windows\system32\btrezx.dll as you can see in the HJT log. This file is associated with a BHO but I have the BHO disabled. Once BitDefender quarantines this Trojan, BitDefender won't pick it up again until I reboot the machine and go to "Enable or Disable Add-Ons" again. I've tried to delete the file but, you guessed it, it is being used by something and I can't delete it even in safe mode. I am new to HJT and I don't know if I can clean things up using HJT or if there is another way to delete this file and/or completely remove it from the BHO list?

Here is the HJT log.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:37 AM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {EA07401C-A409-4937-8FD8-13FE2AE3D856} - C:\WINDOWS\system32\btrezx.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228370744281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\..\{38ADF180-1CF8-4DF9-B7E4-F2D6EC1D2D4B}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A337A358-5AD2-44D5-905E-12E481E48E35}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
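A small triage helper for the HijackThis log above, added here as an example (it is not part of the original post, nor of HijackThis): it parses the O2 lines and flags the BHO that has no display name and loads from the Windows system directory, which is exactly the btrezx.dll entry. The O2 sample lines are copied from the log; the "system directory" heuristic is an assumption of this example, meant to prioritise entries for review, not to declare them malicious.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis 2.0.2 log.

Added example: not the forum's or HijackThis' own code. It flags BHO
registrations worth a closer look using two review heuristics (assumptions
of this example, not verdicts): a BHO with no display name, and a BHO DLL
loading from the Windows system directory, where legitimate add-ons rarely
install their own files. Orphaned registrations (DLL missing) are reported
separately, as cleanup candidates rather than suspects.
"""
import re
from dataclasses import dataclass, field

# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)

# Heuristic (assumption): a BHO whose DLL lives directly under the Windows
# directory tree is unusual enough to deserve review.
SYSTEM_DIRS = ("c:\\windows\\",)

# Constructed sample: the O2 lines from the HijackThis log posted above,
# plus one R1 line to show that unrelated lines are ignored.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {EA07401C-A409-4937-8FD8-13FE2AE3D856} - C:\WINDOWS\system32\btrezx.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
"""


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    orphaned: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_bhos(log_text: str) -> list:
    """Return one BhoEntry per O2 line; every other line type is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def triage(entries: list) -> list:
    """Apply the review heuristics in place; return the entries that were flagged."""
    for e in entries:
        if e.path == "(no file)":
            # Registration left behind after an uninstall: harmless, cleanup only.
            e.orphaned = True
            continue
        if e.name == "(no name)":
            e.reasons.append("no display name")
        if e.path.lower().startswith(SYSTEM_DIRS):
            e.reasons.append("DLL loads from the Windows system directory")
    return [e for e in entries if e.suspicious]


def report(log_text: str) -> str:
    """Human-readable summary: flagged BHOs first, then orphaned ones."""
    entries = parse_bhos(log_text)
    flagged = triage(entries)
    lines = [f"{len(entries)} BHO registrations parsed, {len(flagged)} flagged for review"]
    for e in flagged:
        lines.append(f"REVIEW {{{e.clsid}}} {e.path}: " + "; ".join(e.reasons))
    for e in entries:
        if e.orphaned:
            lines.append(f"ORPHAN {{{e.clsid}}} {e.name}: DLL missing, safe to remove")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```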


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 23 February 2009 - 06:29 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 norms

norms
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Gender:Male
  • Location:Washington State
  • Local time:10:49 AM

Posted 23 February 2009 - 11:35 PM

Thanks miekiemoes for the reply. ComboFix didn't get rid of the Trojan but here is the log.



ComboFix 09-02-21.01 - Debra Simpson 2009-02-23 19:56:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1458 [GMT -8:00]
Running from: c:\documents and settings\Debra Simpson\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 19:52 . 2009-02-23 19:52 <DIR> d-------- C:\32788R22FWJFW
2009-02-22 18:22 . 2009-02-22 18:22 2,062,665 --a------ c:\temp\spywareguardsetup.exe
2009-02-16 21:20 . 2009-02-16 21:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 21:07 . 2009-02-16 21:07 <DIR> d-------- c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot
2009-02-16 21:04 . 2009-02-16 21:04 5,891,095 --a------ c:\temp\ComboFix.exe
2009-02-16 20:56 . 2009-02-16 20:56 812,344 --a------ c:\temp\HJTInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:58 81,984 ----a-w c:\windows\system32\bdod.bin
2009-02-23 07:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-23 07:02 --------- d-----w c:\program files\SpywareBlaster
2009-01-18 21:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2007-02-21 22:53 35,704 ----a-w c:\documents and settings\Debra Simpson\Application Data\GDIPFONTCACHEV1.DAT
2006-10-10 16:18 630,784 ----a-w c:\documents and settings\Debra Simpson\chatlnk.exe
2006-08-22 23:59 25,600 ----a-w c:\documents and settings\Debra Simpson\usbsermptxp.sys
2006-08-22 23:59 22,768 ----a-w c:\documents and settings\Debra Simpson\usbsermpt.sys
2006-12-23 19:43 32 --sha-w c:\windows\{3B192980-D741-4D76-9B09-4C785CCD4DBC}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{512AAF8C-A5CD-4109-863A-A8EB9E45AF29}.dat
2006-12-23 19:20 32 --sha-w c:\windows\{5FC05B7C-6BA4-4DF1-B30E-758E2E7E8C69}.dat
2006-12-23 20:00 32 --sha-w c:\windows\{794E926A-7722-4BB4-B53A-6326BDF3255F}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{7CE17017-2B9E-45DC-BB8D-7D3E2670ECC6}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{8FAEF955-2B33-4B52-8C91-033D51185508}.dat
2006-12-23 19:28 32 --sha-w c:\windows\{9C9B8273-76ED-489F-83B1-C18428A5E4BE}.dat
2006-12-23 19:48 32 --sha-w c:\windows\{B31DAEB5-1526-486D-A60F-3443CBC3CDC3}.dat
2006-12-23 19:18 32 --sha-w c:\windows\{B405961D-1617-457C-9FDA-C4F49046A682}.dat
2006-12-23 19:45 32 --sha-w c:\windows\{BF47DCDB-2E81-45E5-A69F-B0400ACD263E}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{D6CDC290-F1C6-4573-8C5E-22214E1C469D}.dat
2006-12-23 20:01 32 --sha-w c:\windows\{D9D0C0A5-D98F-4493-8F41-664335EB36DD}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{F14EA892-051A-4AB0-96B4-054390EEE72B}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{F8B7D089-CC5A-4923-902F-ABD425E9FBD5}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{0E13E05A-5C45-42AC-9E64-DDC8F3515B7A}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{0EE9822D-5D1A-4815-8290-4189A81E2952}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{15E0E579-7DC9-4049-B695-CCB24CFEA948}.dat
2006-12-23 19:48 32 --sha-w c:\windows\system32\{27B60A85-F65D-4D19-B5A7-D02154E847EE}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{31B69DF5-CCC6-4255-A694-CB8E91FC122D}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{3880741C-AE38-42BA-9918-8C5DBD45EE12}.dat
2006-12-23 19:18 32 --sha-w c:\windows\system32\{561CBB55-0C33-444B-A66E-C58EA744051D}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{633F3901-000D-444C-A00A-1639179F30D0}.dat
2006-12-23 19:28 32 --sha-w c:\windows\system32\{6A60A273-3D8A-4A7B-A07B-F974ECA61FC6}.dat
2006-12-23 20:01 32 --sha-w c:\windows\system32\{6F406115-EB4E-4E81-A915-DEF04B1AB78E}.dat
2006-12-23 19:45 32 --sha-w c:\windows\system32\{705AAB12-7B08-447C-9DAC-11D52E33BD68}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{88B11D86-5892-4B8B-BE70-16A278943AB0}.dat
2006-12-23 19:20 32 --sha-w c:\windows\system32\{90145914-536A-4864-B62B-32A3F82355E9}.dat
2006-12-23 20:00 32 --sha-w c:\windows\system32\{E95379E7-ED18-4268-A336-3B66B54D7822}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA07401C-A409-4937-8FD8-13FE2AE3D856}]
2005-05-31 13:10 95744 --a------ c:\windows\system32\btrezx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-07-06 393216]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-27 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-18 339968]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-11-07 368640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

c:\documents and settings\Debra Simpson\Start Menu\Programs\Startup\
BHODemon 2.0.lnk.disabled [2008-12-06 690]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-05-31 577597]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msupd_0812_upd020442.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 noittukv;noittukv;c:\windows\system32\drivers\noittukv.sys [2004-08-04 23424]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-04-17 200576]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-08-29 87936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HPQWMI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-02-17 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cpqset - c:\program files\HPQ\Default Settings\cpqset.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {38ADF180-1CF8-4DF9-B7E4-F2D6EC1D2D4B} = 192.168.1.1
TCP: {A337A358-5AD2-44D5-905E-12E481E48E35} = 192.168.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 19:58:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?9?4?9??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-23 20:00:47
ComboFix-quarantined-files.txt 2009-02-24 04:00:44

Pre-Run: 17,143,947,264 bytes free
Post-Run: 17,128,595,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 24 February 2009 - 05:14 AM

Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\noittukv.sys
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\windows\system32\btrezx.dll
Suspect::[8]
c:\windows\{BF47DCDB-2E81-45E5-A69F-B0400ACD263E}.dat
Folder::
c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot
Driver::
noittukv
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA07401C-A409-4937-8FD8-13FE2AE3D856}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#5 norms

norms
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Gender:Male
  • Location:Washington State
  • Local time:10:49 AM

Posted 24 February 2009 - 09:22 PM

YES, the Trojan appears to be gone. :thumbup2: But something funny happened after CF ran its scan and tried to reboot. I noticed it did not ask me to reboot; instead I was to allow CF to reboot the machine, which I did, but instead of rebooting the machine it turned it off, so obviously I had no other choice but to turn the machine back on. :)

I did submit the ZIP file to http://www.bleepingcomputer.com/submit-malware.php?channel=8

At any rate here is the new CF log:

ComboFix 09-02-24.02 - Debra Simpson 2009-02-24 17:21:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1495 [GMT -8:00]
Running from: c:\documents and settings\Debra Simpson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Debra Simpson\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\btrezx.dll
c:\windows\system32\drivers\noittukv.sys
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot
c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot\Log\2009 Feb 16 - 09_07_04 PM_250.log
c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot\rs.dat
c:\documents and settings\Debra Simpson\Application Data\MalwareRemovalBot\Settings\ScanResults.pie
c:\windows\system32\btrezx.dll
c:\windows\system32\drivers\noittukv.sys
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOITTUKV
-------\Service_noittukv


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-22 18:22 . 2009-02-22 18:22 2,062,665 --a------ c:\temp\spywareguardsetup.exe
2009-02-16 21:20 . 2009-02-16 21:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 21:04 . 2009-02-16 21:04 5,891,095 --a------ c:\temp\ComboFix.exe
2009-02-16 20:56 . 2009-02-16 20:56 812,344 --a------ c:\temp\HJTInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 07:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-23 07:02 --------- d-----w c:\program files\SpywareBlaster
2009-01-18 21:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2007-02-21 22:53 35,704 ----a-w c:\documents and settings\Debra Simpson\Application Data\GDIPFONTCACHEV1.DAT
2006-10-10 16:18 630,784 ----a-w c:\documents and settings\Debra Simpson\chatlnk.exe
2006-08-22 23:59 25,600 ----a-w c:\documents and settings\Debra Simpson\usbsermptxp.sys
2006-08-22 23:59 22,768 ----a-w c:\documents and settings\Debra Simpson\usbsermpt.sys
2006-12-23 19:43 32 --sha-w c:\windows\{3B192980-D741-4D76-9B09-4C785CCD4DBC}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{512AAF8C-A5CD-4109-863A-A8EB9E45AF29}.dat
2006-12-23 19:20 32 --sha-w c:\windows\{5FC05B7C-6BA4-4DF1-B30E-758E2E7E8C69}.dat
2006-12-23 20:00 32 --sha-w c:\windows\{794E926A-7722-4BB4-B53A-6326BDF3255F}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{7CE17017-2B9E-45DC-BB8D-7D3E2670ECC6}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{8FAEF955-2B33-4B52-8C91-033D51185508}.dat
2006-12-23 19:28 32 --sha-w c:\windows\{9C9B8273-76ED-489F-83B1-C18428A5E4BE}.dat
2006-12-23 19:48 32 --sha-w c:\windows\{B31DAEB5-1526-486D-A60F-3443CBC3CDC3}.dat
2006-12-23 19:18 32 --sha-w c:\windows\{B405961D-1617-457C-9FDA-C4F49046A682}.dat
2006-12-23 19:45 32 --sha-w c:\windows\{BF47DCDB-2E81-45E5-A69F-B0400ACD263E}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{D6CDC290-F1C6-4573-8C5E-22214E1C469D}.dat
2006-12-23 20:01 32 --sha-w c:\windows\{D9D0C0A5-D98F-4493-8F41-664335EB36DD}.dat
2006-12-23 19:43 32 --sha-w c:\windows\{F14EA892-051A-4AB0-96B4-054390EEE72B}.dat
2006-12-23 19:19 32 --sha-w c:\windows\{F8B7D089-CC5A-4923-902F-ABD425E9FBD5}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{0E13E05A-5C45-42AC-9E64-DDC8F3515B7A}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{0EE9822D-5D1A-4815-8290-4189A81E2952}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{15E0E579-7DC9-4049-B695-CCB24CFEA948}.dat
2006-12-23 19:48 32 --sha-w c:\windows\system32\{27B60A85-F65D-4D19-B5A7-D02154E847EE}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{31B69DF5-CCC6-4255-A694-CB8E91FC122D}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{3880741C-AE38-42BA-9918-8C5DBD45EE12}.dat
2006-12-23 19:18 32 --sha-w c:\windows\system32\{561CBB55-0C33-444B-A66E-C58EA744051D}.dat
2006-12-23 19:43 32 --sha-w c:\windows\system32\{633F3901-000D-444C-A00A-1639179F30D0}.dat
2006-12-23 19:28 32 --sha-w c:\windows\system32\{6A60A273-3D8A-4A7B-A07B-F974ECA61FC6}.dat
2006-12-23 20:01 32 --sha-w c:\windows\system32\{6F406115-EB4E-4E81-A915-DEF04B1AB78E}.dat
2006-12-23 19:45 32 --sha-w c:\windows\system32\{705AAB12-7B08-447C-9DAC-11D52E33BD68}.dat
2006-12-23 19:19 32 --sha-w c:\windows\system32\{88B11D86-5892-4B8B-BE70-16A278943AB0}.dat
2006-12-23 19:20 32 --sha-w c:\windows\system32\{90145914-536A-4864-B62B-32A3F82355E9}.dat
2006-12-23 20:00 32 --sha-w c:\windows\system32\{E95379E7-ED18-4268-A336-3B66B54D7822}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_19.59.01.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-24 03:58:33 81,984 ----a-w c:\windows\system32\bdod.bin
+ 2009-02-25 01:24:33 81,984 ----a-w c:\windows\system32\bdod.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-07-06 393216]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-04-27 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-18 339968]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-11-07 368640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

c:\documents and settings\Debra Simpson\Start Menu\Programs\Startup\
BHODemon 2.0.lnk - c:\program files\BHODemon 2\BHODemon.exe [2005-02-12 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-05-31 577597]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msupd_0812_upd020442.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-04-17 200576]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-08-29 87936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HPQWMI
*NewlyCreated* - NOITTUKV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {38ADF180-1CF8-4DF9-B7E4-F2D6EC1D2D4B} = 192.168.1.1
TCP: {A337A358-5AD2-44D5-905E-12E481E48E35} = 192.168.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 17:28:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2008\vsserv.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-02-24 17:31:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 01:31:32
ComboFix2.txt 2009-02-24 04:00:50

Pre-Run: 17,144,860,672 bytes free
Post-Run: 17,051,643,904 bytes free


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 25 February 2009 - 04:46 AM

Hi,

The sample you uploaded is one of the dat files present there. They appear to be all the same and may actually be deleted. They don't have any malicious code though, but I think they were created by malware you were dealing with in the past. Anyway, whether you delete them or not, it doesn't make a difference since they don't do anything.
So if you want to delete them, navigate to and delete the following files:

c:\windows\{3B192980-D741-4D76-9B09-4C785CCD4DBC}.dat
c:\windows\{512AAF8C-A5CD-4109-863A-A8EB9E45AF29}.dat
c:\windows\{5FC05B7C-6BA4-4DF1-B30E-758E2E7E8C69}.dat
c:\windows\{794E926A-7722-4BB4-B53A-6326BDF3255F}.dat
c:\windows\{7CE17017-2B9E-45DC-BB8D-7D3E2670ECC6}.dat
c:\windows\{8FAEF955-2B33-4B52-8C91-033D51185508}.dat
c:\windows\{9C9B8273-76ED-489F-83B1-C18428A5E4BE}.dat
c:\windows\{B31DAEB5-1526-486D-A60F-3443CBC3CDC3}.dat
c:\windows\{B405961D-1617-457C-9FDA-C4F49046A682}.dat
c:\windows\{BF47DCDB-2E81-45E5-A69F-B0400ACD263E}.dat
c:\windows\{D6CDC290-F1C6-4573-8C5E-22214E1C469D}.dat
c:\windows\{D9D0C0A5-D98F-4493-8F41-664335EB36DD}.dat
c:\windows\{F14EA892-051A-4AB0-96B4-054390EEE72B}.dat
c:\windows\{F8B7D089-CC5A-4923-902F-ABD425E9FBD5}.dat
c:\windows\system32\{0E13E05A-5C45-42AC-9E64-DDC8F3515B7A}.dat
c:\windows\system32\{0EE9822D-5D1A-4815-8290-4189A81E2952}.dat
c:\windows\system32\{15E0E579-7DC9-4049-B695-CCB24CFEA948}.dat
c:\windows\system32\{27B60A85-F65D-4D19-B5A7-D02154E847EE}.dat
c:\windows\system32\{31B69DF5-CCC6-4255-A694-CB8E91FC122D}.dat
c:\windows\system32\{3880741C-AE38-42BA-9918-8C5DBD45EE12}.dat
c:\windows\system32\{561CBB55-0C33-444B-A66E-C58EA744051D}.dat
c:\windows\system32\{633F3901-000D-444C-A00A-1639179F30D0}.dat
c:\windows\system32\{6A60A273-3D8A-4A7B-A07B-F974ECA61FC6}.dat
c:\windows\system32\{6F406115-EB4E-4E81-A915-DEF04B1AB78E}.dat
c:\windows\system32\{705AAB12-7B08-447C-9DAC-11D52E33BD68}.dat
c:\windows\system32\{88B11D86-5892-4B8B-BE70-16A278943AB0}.dat
c:\windows\system32\{90145914-536A-4864-B62B-32A3F82355E9}.dat
c:\windows\system32\{E95379E7-ED18-4268-A336-3B66B54D7822}.dat

Also, go to the next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

c:\documents and settings\Debra Simpson\chatlnk.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
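The post above says the GUID-named .dat files "appear to be all the same" and can be deleted. Before removing a batch of files like that, a responder would normally confirm the claim by hashing them. The following is an added example, not code from the thread or from any of the tools it mentions: it lists `{GUID}.dat` files directly inside the given directories, groups them by SHA-256, and reports whether they are all identical, without deleting anything. The `make_constructed_sample` helper and the sample directory it creates are constructed for demonstration; the GUID file names it uses are taken from the list above.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches names like {3B192980-D741-4D76-9B09-4C785CCD4DBC}.dat (case-insensitive).
GUID_DAT_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.dat$",
    re.IGNORECASE,
)


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_guid_dat_files(directories):
    """GUID-named .dat files directly inside each directory (no recursion)."""
    found = []
    for d in directories:
        if not os.path.isdir(d):
            continue  # missing directory is not an error, just nothing to list
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p) and GUID_DAT_RE.match(name):
                found.append(p)
    return sorted(found)


def group_by_hash(paths):
    """Map SHA-256 digest -> list of files with that content."""
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of(p)].append(p)
    return dict(groups)


def report(directories):
    """Summarise how many GUID .dat files exist and whether they share one content."""
    paths = find_guid_dat_files(directories)
    groups = group_by_hash(paths)
    return {
        "files": len(paths),
        "distinct_contents": len(groups),
        "all_identical": len(groups) <= 1,
        "groups": groups,
    }


def make_constructed_sample():
    """Constructed test data (hypothetical): a temp dir holding three identical
    GUID .dat files, one GUID .dat with different content, and one unrelated file."""
    d = tempfile.mkdtemp(prefix="guiddat_")
    same = b"\x00" * 64
    for guid in ("{3B192980-D741-4D76-9B09-4C785CCD4DBC}",
                 "{512AAF8C-A5CD-4109-863A-A8EB9E45AF29}",
                 "{5FC05B7C-6BA4-4DF1-B30E-758E2E7E8C69}"):
        with open(os.path.join(d, guid + ".dat"), "wb") as f:
            f.write(same)
    with open(os.path.join(d, "{794E926A-7722-4BB4-B53A-6326BDF3255F}.dat"), "wb") as f:
        f.write(b"different content")
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"ignored: not a GUID .dat name")
    return d


if __name__ == "__main__":
    # On a real machine: %WINDIR% and %WINDIR%\system32, as in the list above.
    windir = os.environ.get("WINDIR", r"C:\Windows")
    r = report([windir, os.path.join(windir, "system32")])
    print(f"{r['files']} GUID-named .dat files, {r['distinct_contents']} distinct contents")
    for digest, members in r["groups"].items():
        print(digest[:16], f"{len(members)} file(s)")
        for m in members:
            print("   ", m)
```

Run it on the two directories first; if `all_identical` is true and one hash is shared by every file, the "they're all the same" observation is confirmed and one copy can be kept as a sample before the rest are removed.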

#7 norms

norms
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:10:49 AM

Posted 26 February 2009 - 12:10 AM

I wasn't sure how much of the scan results you wanted so I copied all of it.

File chatlnk.exe received on 02.26.2009 05:51:08 (CET)


Result: 4/39 (10.26%)


Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.26 -
AhnLab-V3 2009.2.26.0 2009.02.25 -
AntiVir 7.9.0.88 2009.02.25 -
Authentium 5.1.0.4 2009.02.25 -
Avast 4.8.1335.0 2009.02.25 -
AVG 8.0.0.237 2009.02.25 -
BitDefender 7.2 2009.02.26 -
CAT-QuickHeal 10.00 2009.02.26 TrojanBanker.Banker.aece
ClamAV 0.94.1 2009.02.25 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 -
eSafe 7.0.17.0 2009.02.25 Win32.Banker
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.25 -
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.26 -
Ikarus T3.1.1.45.0 2009.02.26 -
K7AntiVirus 7.10.647 2009.02.25 -
Kaspersky 7.0.0.125 2009.02.26 -
McAfee 5536 2009.02.25 -
McAfee+Artemis 5536 2009.02.25 -
Microsoft 1.4306 2009.02.26 -
NOD32 3890 2009.02.26 -
Norman 6.00.06 2009.02.25 -
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.25 -
Prevx1 V2 2009.02.26 -
Rising 21.18.30.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.25 -
Sophos 4.39.0 2009.02.26 -
Sunbelt 3.2.1858.2 2009.02.25 -
Symantec 10 2009.02.26 -
TheHacker 6.3.2.5.265 2009.02.25 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 Trojan-Banker.Win32.Banker.aece
ViRobot 2009.2.26.1624 2009.02.26 Spyware.Banker.630784
VirusBuster 4.5.11.0 2009.02.25 -
Additional information
File size: 630784 bytes
MD5...: 456d1d05aeeef581453dcbcfca103f6d
SHA1..: dee7c7b4a8cccd9e2c4563716947057ba771e0d8
SHA256: 67ddf02f6dc362964a6437a7fc8837e4bbaf6e4221b30687d9d20cbb65a4168f
SHA512: 3d5805d4f93afb9500ff4b81a04e5c89821738f6c79e53c9a6c8fede7606361c
9489eca7459d7ef1bcff730d32826e1c922a37a4e21b3a1f3c201a7ae206a7e4
ssdeep: 12288:IZI2p/Txyt968BQYupYfEjNVeDDXv08Les6GwUYmz78NpT0VC6t/MmndWD
w48d:R2dT0686pQSEDDf0psr9GaVhkkdyw48

PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404f60
timedatestamp.....: 0x4332f23e (Thu Sep 22 18:04:46 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x444a 0x5000 6.05 1fdcf8d3e0c54504de05fea919f43ead
.rdata 0x6000 0x41c7 0x5000 6.21 a066e2917dee4ad93cc8c63fbc9a33d6
.data 0xb000 0x7c 0x1000 0.12 ba49ef3485a9921cf2368bd586c797b2
.rsrc 0xc000 0x8dde8 0x8e000 7.99 026e2dfb5b70870fa7d08cfe30e05f6e

( 4 imports )
> MSVCRT.dll: _onexit, __dllonexit, _controlfp, sprintf, strlen, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, memcpy, strstr, strrchr, memset, strchr, strncat, __3@YAXPAX@Z, strncmp, strcat, malloc, calloc, free, strcpy, __2@YAPAXI@Z
> KERNEL32.dll: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, RaiseException, ExitProcess, GetStartupInfoA, GetModuleHandleA, GetCommandLineA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA, GetModuleFileNameA, CreateMutexA, GetFileAttributesA, CreateProcessA, WaitForSingleObject, Sleep, SetThreadPriority, GetCurrentThread, GetCurrentProcess, DeleteFileA, CloseHandle, ReadFile, SetFilePointer, CreateFileA, CreateDirectoryA, GetTempFileNameA, GetTempPathA, WriteFile, GetLastError, LockResource, LoadResource, SizeofResource, FindResourceA, lstrlenA, MoveFileA, ResumeThread, SetPriorityClass
> USER32.dll: MessageBoxA, wsprintfA
> ADVAPI32.dll: RegOpenKeyExA, RegCloseKey, RegCreateKeyExA, RegEnumValueA, RegQueryValueExA, RegSetValueExA, RegEnumKeyExA

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=456d1d05aeeef581453dcbcfca103f6d
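The pasted VirusTotal report above carries more triage signal than the bare 4/39 ratio: which engines detected, whether their labels agree on a family, and the PE section table, where a `.rsrc` section with entropy 7.99 next to a PEiD "Armadillo" match points to a packed or embedded payload. The following is an added example, not code from the thread or from VirusTotal: it parses a report in that 2009 text layout into engine rows and section rows, counts detections, extracts the label token every detecting engine shares, and flags high-entropy sections. `SAMPLE_REPORT` is a constructed excerpt (8 of the 39 engines, with values copied from the post), and the 7.0 entropy threshold is an assumed heuristic, not a VirusTotal rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of a VirusTotal text report in the layout pasted above.
# Engine rows: <engine> <version> <signature date YYYY.MM.DD> <result>, "-" = clean.
# Only 8 of the 39 engines are reproduced; the four detections are the real ones.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.26 -
BitDefender 7.2 2009.02.26 -
CAT-QuickHeal 10.00 2009.02.26 TrojanBanker.Banker.aece
eSafe 7.0.17.0 2009.02.25 Win32.Banker
Kaspersky 7.0.0.125 2009.02.26 -
Prevx1 V2 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 Trojan-Banker.Win32.Banker.aece
ViRobot 2009.2.26.1624 2009.02.26 Spyware.Banker.630784
Additional information
File size: 630784 bytes
MD5...: 456d1d05aeeef581453dcbcfca103f6d
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x444a 0x5000 6.05 1fdcf8d3e0c54504de05fea919f43ead
.rdata 0x6000 0x41c7 0x5000 6.21 a066e2917dee4ad93cc8c63fbc9a33d6
.data 0xb000 0x7c 0x1000 0.12 ba49ef3485a9921cf2368bd586c797b2
.rsrc 0xc000 0x8dde8 0x8e000 7.99 026e2dfb5b70870fa7d08cfe30e05f6e
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
SECTION_RE = re.compile(
    r"^(?P<name>\.\w+)\s+0x(?P<va>[0-9a-f]+)\s+0x(?P<vsize>[0-9a-f]+)\s+"
    r"0x(?P<rawsize>[0-9a-f]+)\s+(?P<entropy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$"
)


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    result: Optional[str]  # None when the engine reported "-"


def parse_engine_rows(report):
    """Engine rows are the lines containing a YYYY.MM.DD token with text on both sides."""
    rows = []
    for line in report.splitlines():
        tokens = line.split()
        date_idx = next((i for i, t in enumerate(tokens) if DATE_RE.match(t)), None)
        # need an engine name, at least one version token, the date and a result
        if date_idx is None or date_idx < 2 or date_idx == len(tokens) - 1:
            continue
        result = " ".join(tokens[date_idx + 1:])
        rows.append(EngineResult(
            engine=tokens[0],
            version=" ".join(tokens[1:date_idx]),
            updated=tokens[date_idx],
            result=None if result == "-" else result,
        ))
    return rows


def parse_sections(report):
    """PE section rows: name, virtual address/size, raw size, entropy, md5."""
    sections = []
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            sections.append({
                "name": m["name"],
                "virtual_size": int(m["vsize"], 16),
                "raw_size": int(m["rawsize"], 16),
                "entropy": float(m["entropy"]),
                "md5": m["md5"],
            })
    return sections


def shared_family(labels):
    """Lowercased alphanumeric tokens that appear in every detection label."""
    token_sets = [set(re.findall(r"[a-z0-9]+", lbl.lower())) for lbl in labels]
    return sorted(set.intersection(*token_sets)) if token_sets else []


def summarize(report, packed_entropy=7.0):
    """Triage view of one report; packed_entropy is an assumed heuristic threshold."""
    rows = parse_engine_rows(report)
    detections = [r for r in rows if r.result is not None]
    sections = parse_sections(report)
    return {
        "engines": len(rows),
        "detections": len(detections),
        "ratio": f"{len(detections)}/{len(rows)}",
        "detecting_engines": [r.engine for r in detections],
        "shared_family": shared_family([r.result for r in detections]),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= packed_entropy],
        "raw_section_bytes": sum(s["raw_size"] for s in sections),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print(f"{k:22} {v}")
```

On the excerpt the four labels share only the token `banker`, so although the engines disagree on naming, they agree on the family; and `.rsrc` is the one section above the threshold, which matches the packer hint from PEiD. A low ratio on its own is weak evidence either way, which is why the helper asks for the sample rather than relying on the count.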

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 26 February 2009 - 02:29 AM

Hi,

I wasn't sure how much of the scan results you wanted so I copied all of it.

Yes, I wanted all of it as well :thumbup2:

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

c:\documents and settings\Debra Simpson\chatlnk.exe

Select it and click ok:
Then click the Send File button below.

This will upload that sample for me as well, so I can have a look. Strange that none of the most commonly used scanners are detecting this one, while the smaller, rather unknown ones do.
Anyway, delete the c:\documents and settings\Debra Simpson\chatlnk.exe file after you have uploaded it for me. :)

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#9 norms

norms
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Washington State
  • Local time:10:49 AM

Posted 27 February 2009 - 12:26 AM

Hi,

I uploaded the file that was in question and everything appears to be running great. I appreciate your help. :thumbup2:

Thanks,
norms

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 27 February 2009 - 05:25 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:49 PM

Posted 01 March 2009 - 12:49 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.