virus associated with onlinenotify and antivirus-xp-pro2009


This topic is locked
24 replies to this topic

#1 Bigbhav (Members, 13 posts)

Posted 22 February 2009 - 02:55 PM

I have another computer that has been infected with a virus that tries to connect online to a site with a domain "onlinenotify".
It has also tried to go to domain "antivirus-xp-pro2009"

I'm about to put the Combo-Fix file and run it, but I would like to start a thread first.

thanks,
Bhavesh


#2 Bigbhav (Topic Starter, Members, 13 posts)

Posted 22 February 2009 - 07:16 PM

I ran combofix and here are the results from the log.

ComboFix 09-02-21.01 - Administrator 2009-02-22 17:41:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.789 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll
c:\program files\INSTALL.LOG
c:\windows\etc\services.exe
c:\windows\nt\nrcs.exe
c:\windows\system\svchost.exe
c:\windows\system32\9.tmp
c:\windows\system32\abhhmr.dll
c:\windows\system32\acluprfp.dll
c:\windows\system32\akovowhu.dll
c:\windows\system32\apxtxhfd.dll
c:\windows\system32\aqfmfgof.dll
c:\windows\system32\aumfltej.dll
c:\windows\system32\aybufe.dll
c:\windows\system32\begygj.dll
c:\windows\system32\bmhgxpax.dll
c:\windows\system32\buxttf.dll
c:\windows\system32\cfgykbiv.dll
c:\windows\system32\ckdxxfuu.dll
c:\windows\system32\crypts.dll
c:\windows\system32\csjyqsvy.dll
c:\windows\system32\diandn.dll
c:\windows\system32\drivers\UAClnktaspm.sys
c:\windows\system32\dtxtjuwy.dll
c:\windows\system32\ejhfjbmg.dll
c:\windows\system32\epdfijtk.dll
c:\windows\system32\erfadriv.dll
c:\windows\system32\evkxjixd.dll
c:\windows\system32\fatzhd.dll
c:\windows\system32\fdjeqnxh.dll
c:\windows\system32\fgrnanax.dll
c:\windows\system32\firewall.exe
c:\windows\system32\fmfkseue.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\fszldl.dll
c:\windows\system32\ghwohq.dll
c:\windows\system32\godvmjkg.dll
c:\windows\system32\gqyspw.dll
c:\windows\system32\gsxwyu.dll
c:\windows\system32\gyuexhoq.dll
c:\windows\system32\hchoobgs.dll
c:\windows\system32\hgjedgjp.dll
c:\windows\system32\hphmbitd.dll
c:\windows\system32\hs78344kjkfd.dll
c:\windows\system32\hybrdqog.dll
c:\windows\system32\ideusvol.dll
c:\windows\system32\ihmmibbx.dll
c:\windows\system32\init32.exe
c:\windows\system32\iovjotxc.dll
c:\windows\system32\iveetxla.dll
c:\windows\system32\jdlhes.dll
c:\windows\system32\jyblil.dll
c:\windows\system32\kqxuyb.dll
c:\windows\system32\ksmuyrcl.dll
c:\windows\system32\kwljumbm.dll
c:\windows\system32\kxxarj.dll
c:\windows\system32\kyvchvjf.dll
c:\windows\system32\leyascdt.dll
c:\windows\system32\lssas.exe
c:\windows\system32\lxqnqs.dll
c:\windows\system32\mcnqvsxl.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mdm.exe
c:\windows\system32\mdwnoxqi.dll
c:\windows\system32\mhiypq.dll
c:\windows\system32\mkewhjxb.dll
c:\windows\system32\mmsvc32.exe
c:\windows\system32\munpoewh.dll
c:\windows\system32\nbuyfs.dll
c:\windows\system32\nnnmkkIY.dll.vir
c:\windows\system32\ntdll64.exe
c:\windows\system32\parad.raw.exe
c:\windows\system32\pelltq.dll
c:\windows\system32\pgdglf.dll
c:\windows\system32\przimp.dll
c:\windows\system32\ptxkcfhi.dll
c:\windows\system32\qbvydh.dll
c:\windows\system32\qlpmoy.dll
c:\windows\system32\racunhrq.dll
c:\windows\system32\rcdiyb.dll
c:\windows\system32\rilgpd.dll
c:\windows\system32\rluqvt.dll
c:\windows\system32\rmwbxlsi.dll
c:\windows\system32\rqevxuid.dll
c:\windows\system32\sbelbpph.dll
c:\windows\system32\spools.exe
c:\windows\system32\ssuhkwxm.dll
c:\windows\system32\svcp.csv
c:\windows\system32\tihbvj.dll
c:\windows\system32\txadnead.dll
c:\windows\system32\txliwa.dll
c:\windows\system32\UACavbosiew.log
c:\windows\system32\UACbftpuyxu.log
c:\windows\system32\UACfolwxjur.dll
c:\windows\system32\UACfucoivib.dll
c:\windows\system32\UACntypeoob.dll
c:\windows\system32\UACrqxrsxew.log
c:\windows\system32\UACwvbqhtfj.dat
c:\windows\system32\UACymexuxnm.dll
c:\windows\system32\udpsxw.dll
c:\windows\system32\ueprlj.dll
c:\windows\system32\ulmngd.dll
c:\windows\system32\uniq.tll
c:\windows\system32\vbpmzt.dll
c:\windows\system32\vovvkh.dll
c:\windows\system32\vpeqbb.dll
c:\windows\system32\vwexdf.dll
c:\windows\system32\warning.gif
c:\windows\system32\wdwbslrd.dll
c:\windows\system32\wewggb.dll
c:\windows\system32\wgareg.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winsub.xml
c:\windows\system32\wlvhhh.dll
c:\windows\system32\wqddww.dll
c:\windows\system32\xcwwrb.dll
c:\windows\system32\xhbumrnv.dll
c:\windows\system32\xpraesmt.dll
c:\windows\system32\xqodmibb.dll
c:\windows\system32\ybdzkt.dll
c:\windows\system32\ycujtn.dll
c:\windows\system32\YIkkmnnn.ini
c:\windows\system32\YIkkmnnn.ini2
c:\windows\system32\ymwiraqn.dll
c:\windows\system32\yuckcvvf.dll
c:\windows\system32\zbrqbv.dll
c:\windows\system32\zhobtu.dll
c:\windows\system32\zlbw.dll
c:\windows\system32\zwmtkv.dll
c:\windows\wcvs.exe
c:\windows\winsock\csrss.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NSMS
-------\Legacy_NTRCS
-------\Legacy_PROTECTEDCONTENTSVC
-------\Legacy_WCVS
-------\Legacy_WGAREG
-------\Legacy_WINSCK
-------\Service_nsms
-------\Service_ntrcs
-------\Service_wcvs
-------\Service_wgareg


((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 09:36 . 2009-02-22 17:51 100,590 --a------ c:\windows\system32\drivers\7afe903.sys
2009-02-22 09:36 . 2009-02-22 09:36 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-22 09:35 . 2009-02-22 09:35 81,920 --a------ C:\itamcndf.exe
2009-02-22 09:35 . 2009-02-22 09:35 68,608 --a------ c:\windows\system32\iukmvpio.dll
2009-02-22 09:35 . 2009-02-22 09:35 39,936 --a------ c:\windows\Dleweyabe.dll
2009-02-22 09:35 . 2009-02-22 09:35 39,936 --a------ C:\cwxwwgtl.exe
2009-02-22 09:35 . 2009-02-22 09:35 27,136 --a------ C:\pfkik.exe
2009-02-22 09:35 . 2009-02-22 09:35 705 --a------ C:\desae.exe
2009-02-22 09:35 . 2009-02-22 09:35 2 --a------ C:\-1742942115
2009-02-21 20:12 . 2009-02-21 20:13 1,619,907 --ahs---- c:\windows\system32\alxteevi.ini
2009-02-21 08:09 . 2009-02-21 15:35 1,619,915 ---hs---- c:\windows\system32\ombnypxw.ini
2009-02-20 21:24 . 2009-02-20 21:25 1,619,906 ---hs---- c:\windows\system32\sgypmyil.ini
2009-02-20 08:11 . 2009-02-20 08:11 1,601,393 ---hs---- c:\windows\system32\lhbxhvem.ini
2009-02-19 07:58 . 2009-02-20 08:09 1,601,393 ---hs---- c:\windows\system32\phjxpeek.ini
2009-02-18 07:26 . 2009-02-19 07:58 1,595,386 ---hs---- c:\windows\system32\xrrvxpej.ini
2009-02-17 11:51 . 2009-02-17 11:51 1,585,541 ---hs---- c:\windows\system32\xqlkdfqe.ini
2009-02-16 19:36 . 2009-02-16 19:37 1,682,758 ---hs---- c:\windows\system32\qrhnucar.ini
2009-02-16 07:37 . 2009-02-16 07:38 1,681,873 ---hs---- c:\windows\system32\mxljumxa.ini
2009-02-15 08:49 . 2009-02-15 08:49 1,676,256 ---hs---- c:\windows\system32\onajlbgs.ini
2009-02-14 20:49 . 2009-02-14 20:49 1,676,256 ---hs---- c:\windows\system32\ougssfex.ini
2009-02-14 08:47 . 2009-02-14 08:47 1,676,256 ---hs---- c:\windows\system32\itxmdtci.ini
2009-02-13 17:03 . 2009-02-13 17:03 1,676,256 ---hs---- c:\windows\system32\pqhotjjk.ini
2009-02-12 12:39 . 2009-02-13 12:40 1,676,256 ---hs---- c:\windows\system32\rrlapxnb.ini
2009-02-11 09:55 . 2009-02-12 09:56 1,657,107 ---hs---- c:\windows\system32\logflcmm.ini
2009-02-10 08:53 . 2009-02-11 09:55 1,619,872 ---hs---- c:\windows\system32\yrtbuqfu.ini
2009-02-09 07:49 . 2009-02-10 08:53 1,612,595 --ahs---- c:\windows\system32\bawvfnkk.ini
2009-02-06 17:16 . 2009-02-09 07:49 1,598,939 ---hs---- c:\windows\system32\iekldsok.ini
2009-02-05 09:42 . 2009-02-06 17:14 1,589,229 ---hs---- c:\windows\system32\ksnqwboo.ini
2009-02-04 09:38 . 2009-02-05 09:39 1,583,883 ---hs---- c:\windows\system32\mrgnkjhd.ini
2009-02-03 09:38 . 2009-02-03 09:38 1,542,434 ---hs---- c:\windows\system32\irbtyoao.ini
2009-02-02 17:46 . 2009-02-02 17:46 1,527,548 --ahs---- c:\windows\system32\cxnmlpyu.ini
2009-02-01 09:35 . 2009-02-01 09:35 1,483,060 ---hs---- c:\windows\system32\nmlcoctb.ini
2009-01-31 09:33 . 2009-02-01 09:34 1,483,060 ---hs---- c:\windows\system32\qmcahjgv.ini
2009-01-29 19:38 . 2009-01-31 09:33 1,483,060 ---hs---- c:\windows\system32\jmsqgqpm.ini
2009-01-28 19:33 . 2009-01-28 19:34 1,529,507 ---hs---- c:\windows\system32\pfrpulca.ini
2009-01-27 19:33 . 2009-01-27 19:33 1,527,574 ---hs---- c:\windows\system32\qpvtdyjl.ini
2009-01-26 19:33 . 2009-01-26 19:34 1,525,122 ---hs---- c:\windows\system32\wtlspejc.ini
2009-01-25 19:33 . 2009-01-25 19:33 1,434,061 ---hs---- c:\windows\system32\vhcvtpsp.ini
2009-01-24 19:32 . 2009-01-24 19:32 1,434,061 ---hs---- c:\windows\system32\lxsvqncm.ini
2009-01-23 19:34 . 2009-01-23 19:34 1,434,061 ---hs---- c:\windows\system32\mrusdlcc.ini
2009-01-22 19:35 . 2009-01-22 19:35 1,434,061 ---hs---- c:\windows\system32\vjmhicee.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 18:24 --------- d-----w c:\program files\Agent
2009-02-21 01:12 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-14 01:00 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-12-27 16:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Hzofewor"="c:\windows\Dleweyabe.dll" [2009-02-22 39936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
VPN Dialer (OnStartup).lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED.exe [2008-03-29 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ycujtn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Dialer (OnStartup).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk
backup=c:\windows\pss\VPN Dialer (OnStartup).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BellSouthAlertManager.exe]
--a------ 2007-01-28 11:14 2061816 c:\program files\BellSouth\AM\BellSouthAlertManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft ® Windows Network Security Management Service]
--a------ 2006-08-16 19:10 24665 c:\windows\system32\1C.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2005-08-31 13:14 1277952 c:\program files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ntrcs"=2 (0x2)
"WIN32SL"=2 (0x2)
"wgareg"=2 (0x2)
"wcvs"=2 (0x2)
"UMWdf"=2 (0x2)
"RioMSC"=2 (0x2)
"nsms"=2 (0x2)
"NMSSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"CVPND"=2 (0x2)
"cpqWebDmi"=2 (0x2)
"cpqdmi"=2 (0x2)
"CpqDfwWebAgent"=2 (0x2)
"CPQALERT"=2 (0x2)
"AClient"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"antivirusdisablenotify"=dword:00000001
"antivirusoverride"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Windows\\system32\\1C.tmp"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2006-04-18 54222]
R2 CVPNDRV;Cisco Systems Inc. IPSec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2003-04-15 267333]
S0 NeroCdNt;NeroCdNt;c:\windows\system32\drivers\NEROCDNT.SYS [2006-07-01 16895]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-04-20 23856]
S4 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\CPQDFWAG.EXE [2006-04-18 212992]
S4 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2006-04-18 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7072c0c2-80cd-11db-97bd-000bcd0a4caf}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs78344kjkfd.dll
HKLM-Run-Microsoft ® Windows Vista/NT Runtime Compatibility Service - c:\windows\NT\nrcs.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hs78344kjkfd.dll
MSConfigStartUp-NT Runtime Compatibility Service - c:\windows\NT\nrcs.exe
MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe
MSConfigStartUp-Windows Certificate Verification Service - c:\windows\wcvs.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
mStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:50:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\7afe903]
"ImagePath"="\SystemRoot\System32\drivers\7afe903.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-1157166300-1904607352-3529363498-500\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-22 17:55:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-22 23:54:50

Pre-Run: 17,145,397,248 bytes free
Post-Run: 17,148,526,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

349 --- E O F --- 2008-09-10 08:00:53

Attached file: log.txt (17.66 KB)

Edited by Bigbhav, 22 February 2009 - 07:16 PM.


#3 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 06:44 AM

Hi,

What a mess...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Windows\System32\drivers\7afe903.sys
c:\windows\system32\1C.tmp
c:\windows\Dleweyabe.dll
c:\windows\system32\uacinit.dll
C:\itamcndf.exe
c:\windows\system32\iukmvpio.dll
C:\cwxwwgtl.exe
C:\pfkik.exe
C:\desae.exe
C:\-1742942115
c:\windows\system32\alxteevi.ini
c:\windows\system32\ombnypxw.ini
c:\windows\system32\sgypmyil.ini
c:\windows\system32\lhbxhvem.ini
c:\windows\system32\phjxpeek.ini
c:\windows\system32\xrrvxpej.ini
c:\windows\system32\xqlkdfqe.ini
c:\windows\system32\qrhnucar.ini
c:\windows\system32\mxljumxa.ini
c:\windows\system32\onajlbgs.ini
c:\windows\system32\ougssfex.ini
c:\windows\system32\itxmdtci.ini
c:\windows\system32\pqhotjjk.ini
c:\windows\system32\rrlapxnb.ini
c:\windows\system32\logflcmm.ini
c:\windows\system32\yrtbuqfu.ini
c:\windows\system32\bawvfnkk.ini
c:\windows\system32\iekldsok.ini
c:\windows\system32\ksnqwboo.ini
c:\windows\system32\mrgnkjhd.ini
c:\windows\system32\irbtyoao.ini
c:\windows\system32\cxnmlpyu.ini
c:\windows\system32\nmlcoctb.ini
c:\windows\system32\qmcahjgv.ini
c:\windows\system32\jmsqgqpm.ini
c:\windows\system32\pfrpulca.ini
c:\windows\system32\qpvtdyjl.ini
c:\windows\system32\wtlspejc.ini
c:\windows\system32\vhcvtpsp.ini
c:\windows\system32\lxsvqncm.ini
c:\windows\system32\mrusdlcc.ini
c:\windows\system32\vjmhicee.ini
Dirlook::
c:\program files\Agent
Driver::
7afe903
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hzofewor"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Network Security Management Service]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ntrcs"=-
"wgareg"=-
"wcvs"=-
"nsms"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"antivirusdisablenotify"=dword:00000000
"antivirusoverride"=dword:00000000
"firewalldisableoverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Windows\\system32\\1C.tmp"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

By the way... Is there any reason why you don't have an Antivirus installed?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
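The log in post #2 and the CFScript in post #3 together show what the helper is looking for: persistence points (a Run value that loads a DLL through rundll32, the AppInit_DLLs hook), Security Center overrides that silence the missing-antivirus and firewall warnings, and a firewall exception for a .tmp file. The Python script below is an added example, not part of the original thread and not ComboFix's own code. It parses the "Reg Loading Points" section of a ComboFix log (the embedded excerpt is copied from the log above and trimmed to the relevant lines), flags those entries, and prints matching File:: and Registry:: lines in the CFScript syntax the thread uses. The detection rules are this example's own heuristics; the function names are assumptions and the output is a starting point for review, not a replacement for a helper reading the full log.

```python
"""Flag persistence/defence-evasion entries in a ComboFix 'Reg Loading Points'
section and emit matching CFScript lines (added example, not ComboFix code)."""
import re

# Constructed input: the relevant lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Hzofewor"="c:\windows\Dleweyabe.dll" [2009-02-22 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ycujtn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"antivirusdisablenotify"=dword:00000001
"antivirusoverride"=dword:00000001
"firewalldisableoverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Windows\\system32\\1C.tmp"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"""

# Lower-cased key suffixes the rules key on (example heuristics, not ComboFix's).
KEY_RUN = "currentversion\\run"
KEY_WINDOWS = "windows nt\\currentversion\\windows"
KEY_SECCENTER = "security center"
KEY_FWLIST = "authorizedapplications\\list"
SECCENTER_OVERRIDES = {"antivirusdisablenotify", "antivirusoverride",
                       "firewalldisableoverride"}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_loading_points(text):
    """Return (key, value_name, raw_value) triples in log order."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, m.group(1), m.group(2).strip()))
    return entries


def _target_path(raw_value):
    """Strip the quotes and the trailing '[date size]' ComboFix appends."""
    if raw_value.startswith('"'):
        end = raw_value.find('"', 1)
        return raw_value[1:end] if end > 0 else raw_value[1:]
    return raw_value.split(" [")[0]


def _dword(raw_value):
    """Decode a REGEDIT4 'dword:XXXXXXXX' value, or None if it is not one."""
    return int(raw_value[6:], 16) if raw_value.lower().startswith("dword:") else None


def find_indicators(entries):
    """Return (key, name, raw_value, reason) for entries worth acting on."""
    found = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(KEY_RUN) and _target_path(value).lower().endswith(".dll"):
            # A DLL in a Run key is loaded through rundll32 at every logon.
            found.append((key, name, value, "Run value loads a DLL: " + _target_path(value)))
        elif k.endswith(KEY_WINDOWS) and n == "appinit_dlls" and value:
            found.append((key, name, value,
                          "AppInit_DLLs injects " + value + " into every process that loads user32.dll"))
        elif k.endswith(KEY_SECCENTER) and n in SECCENTER_OVERRIDES and _dword(value) == 1:
            found.append((key, name, value, "Security Center override: AV/firewall warnings suppressed"))
        elif k.endswith(KEY_FWLIST):
            p = name.replace("\\\\", "\\").lower()   # REGEDIT4 doubles backslashes in names
            if p.endswith(".tmp") or "\\temp\\" in p:
                found.append((key, name, value, "firewall exception for a temp-named program"))
    return found


def build_cfscript(entries):
    """Emit File:: and Registry:: sections in the syntax used in this thread."""
    files, fixes = [], {}
    for key, name, value, _reason in find_indicators(entries):
        k = key.lower()
        if k.endswith(KEY_RUN):
            files.append(_target_path(value))        # drop the DLL itself too
            fix = '"%s"=-' % name                    # '=-' deletes the value
        elif name.lower() == "appinit_dlls":
            fix = '"AppInit_DLLs"=""'                # clear rather than delete
        elif k.endswith(KEY_SECCENTER):
            fix = '"%s"=dword:00000000' % name       # re-enable the warnings
        else:
            fix = '"%s"=-' % name
        fixes.setdefault(key, []).append(fix)
    out = ["File::"] + files if files else []
    out.append("Registry::")
    for key, lines in fixes.items():
        out.append("[%s]" % key)
        out.extend(lines)
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for _k, name, _v, reason in find_indicators(parsed):
        print("FLAG %-28s %s" % (name, reason))
    print(build_cfscript(parsed))
```

Run against the excerpt, the generated Registry:: lines match the ones in the post above for those keys. The checks key on where an entry persists, not on how random its filename looks: huffyuv.dll under drivers32 is a legitimate codec and is not flagged, while the eight-letter names alone would be a weak signal. The msconfig\startupreg and msconfig\services entries from the post are disabled-startup bookkeeping rather than active load points, which is why this example leaves them out.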

#4 Bigbhav (Topic Starter, Members, 13 posts)

Posted 23 February 2009 - 08:46 AM

Yup - it's pretty bad.
Are there any shareware options out there for antivirus, or should I just buy one? I'm just a cheap bastard.

Thanks in advance...

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 08:50 AM

> Are there any shareware options out there for antivirus, or should I just buy one? I'm just a cheap bastard.

There are so many free ones as well.
Look in my signature below under Antivirus for the ones I recommend. For example, Avira is a great free one.
Don't install Avira now; proceed with my instructions first.
I'll give instructions afterwards on how to install Avira, run it and post the log. But that's for later.

#6 Bigbhav (Topic Starter, Members, 13 posts)

Posted 23 February 2009 - 07:03 PM

Log attached.

Attached file: log.txt (23.39 KB)


#7 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 07:23 PM

Hi,

Let's give this one more try... just a leftover..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\okininozumah.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cwibukigatekud"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#8 Bigbhav (Topic Starter, Members, 13 posts)

Posted 23 February 2009 - 09:39 PM

Log attached.

Attached file: log.txt (15.7 KB)


#9 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 February 2009 - 05:03 AM

Hi,

We have to give this another run again.
A whole list of new files is present there again. It could be because, during the previous run, the malware was still active and downloaded the others in the meantime.
The good thing is, the malware is not active anymore, so I really hope that no new files will be generated in the meantime. Maybe some will appear again afterwards, because ComboFix didn't show them all previously, but no new ones should be generated.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\hfiqoakw.dll
c:\windows\system32\qmdamphx.dll
c:\windows\system32\gavmjs.dll
c:\windows\system32\jtdxxo.dll
c:\windows\system32\iiosdfdp.dll
c:\windows\system32\tcoqtxbe.dll
c:\windows\system32\gqwkgq.dll
c:\windows\system32\ujhqexty.dll
c:\windows\system32\hnguitfc.dll
c:\windows\system32\fmzjow.dll
c:\windows\system32\lsykxxvn.dll
c:\windows\system32\gvalpv.dll
c:\windows\system32\tjrjykjd.dll
c:\windows\system32\sppfvxnb.dll
c:\windows\system32\ctsjbw.dll
c:\windows\system32\mfdjktui.dll
c:\windows\system32\tjwstmxx.dll
c:\windows\system32\qjwhkn.dll
c:\windows\system32\yxupvwxr.dll
c:\windows\system32\jpwpwv.dll
c:\windows\system32\ijfufsmg.dll
c:\windows\system32\dsfwhrjg.dll
c:\windows\system32\zwhooa.dll
c:\windows\system32\weghtttx.dll
c:\windows\system32\yqecddlc.dll
c:\windows\system32\gswnff.dll
c:\windows\system32\jhbdvtub.dll
c:\windows\system32\jnstbyoi.dll
c:\windows\system32\awonwa.dll
c:\windows\system32\jnjbvuwv.dll
c:\windows\system32\gadeso.dll
c:\windows\system32\ocraxksl.dll
c:\windows\system32\nyuqqo.dll
c:\windows\system32\wopekgmj.dll
c:\windows\system32\odjrbv.dll
c:\windows\system32\oueuff.dll
c:\windows\system32\bgnksgvi.dll
c:\windows\system32\klxkuscx.dll
c:\windows\system32\izmlbh.dll
c:\windows\system32\fxtaxsbs.dll
c:\windows\system32\bqpsoz.dll
c:\windows\system32\ffrxgvoo.dll
c:\windows\system32\ybqwcw.dll
c:\windows\system32\huhsajft.dll
c:\windows\system32\kakqgllh.dll
c:\windows\system32\hncetg.dll
c:\windows\system32\thwelh.dll
c:\windows\system32\fticydxg.dll
c:\windows\system32\ntusqksq.dll
c:\windows\system32\riyxkvfi.dll
c:\windows\system32\onysta.dll
c:\windows\system32\elvcikex.dll
c:\windows\system32\theewxur.dll
c:\windows\system32\rmxxng.dll
c:\windows\system32\nqyggrhl.dll
c:\windows\system32\lkjjbr.dll
c:\windows\system32\tboxrd.dll
c:\windows\system32\bxovyuvo.dll
c:\windows\system32\znllic.dll
c:\windows\system32\ldiuxutm.dll
c:\windows\system32\vujrkegc.dll
c:\windows\system32\ngjbrrqc.dll
c:\windows\system32\imotxf.dll
c:\windows\system32\wcrhsout.dll
c:\windows\system32\pyhxob.dll
c:\windows\system32\sjweitai.dll
c:\windows\system32\onopju.dll
c:\windows\system32\yxrgflvp.dll
c:\windows\system32\vtvdogqk.dll
c:\windows\system32\mhtguh.dll
c:\windows\system32\wbdckbaj.dll
c:\windows\system32\msciak.dll
c:\windows\system32\syuocdyn.dll
c:\windows\system32\dhgrup.dll
c:\windows\system32\qebmbuin.dll
c:\windows\system32\mlmtyh.dll
c:\windows\system32\xiprpe.dll
c:\windows\system32\nsvuddtr.dll
c:\windows\system32\vovhugam.dll
c:\windows\system32\thwiaw.dll
c:\windows\system32\jksqgmar.dll
c:\windows\system32\cajnck.dll
c:\windows\system32\pjxuha.dll
c:\windows\system32\maghmifp.dll
c:\windows\system32\boktrjps.dll
c:\windows\system32\loqpwhlg.dll
c:\windows\system32\fhfzsr.dll
c:\windows\system32\tyrflsxg.dll
c:\windows\system32\epebml.dll
c:\windows\system32\tryfafkb.dll
c:\windows\system32\nhhvpd.dll
c:\windows\system32\owrdvkmp.dll
c:\windows\system32\ghdrtu.dll
c:\windows\system32\jodjianj.dll
c:\windows\system32\yjlfnq.dll
c:\windows\system32\csbvyecr.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#10 Bigbhav (Topic Starter, Members, 13 posts)

Posted 24 February 2009 - 08:12 PM

Log attached - it also mentioned a newer version of ComboFix.

Attached file: log.txt (16.96 KB)


#11 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 February 2009 - 08:26 PM

Still more to clean there. The good news is, I don't think they are being generated, because no instance is active. I think they were always present, but ComboFix couldn't list them all.
From the latest log, I see an older date for the files.
So it may be possible that more are still present there (depending on how long you were infected with it).
So let's give it another round: create the following CFScript and drag it into ComboFix:

File::
c:\windows\system32\ycbras.dll
c:\windows\system32\crprubdt.dll
c:\windows\system32\jscnbhxk.dll
c:\windows\system32\gungji.dll
c:\windows\system32\vtmhwqxb.dll
c:\windows\system32\jqaxdk.dll
c:\windows\system32\fwcfvxrr.dll
c:\windows\system32\mzspux.dll
c:\windows\system32\jrcudsdo.dll
c:\windows\system32\pxhllxfs.dll
c:\windows\system32\hlpdxd.dll
c:\windows\system32\sdfoksid.dll
c:\windows\system32\rnksjhuu.dll
c:\windows\system32\nveygv.dll
c:\windows\system32\wsivlk.dll
c:\windows\system32\pnvelism.dll





I think you know how to do this by now, so I don't have to explain how to use ComboFix.

Oh, also update your ComboFix if you haven't already.

#12 Bigbhav (Topic Starter, Members, 13 posts)

Posted 24 February 2009 - 11:39 PM

Log attached.

New ComboFix used.

TIA

Attached file: log.txt (10.66 KB)


#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 February 2009 - 04:35 AM

Hi,

The files weren't deleted.
Most probably you didn't include the File:: line at the top of the script.
So please try again.

#14 Bigbhav (Topic Starter, Members, 13 posts)

Posted 25 February 2009 - 05:17 PM

Log attached - I thought so.

Attached file: log.txt (10.68 KB)


#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 February 2009 - 05:21 PM

Hi,

This looks OK again. All malicious files are gone now.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /, then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.

Let me know in your next reply how things are now.



