BackDoor.Generic_r.eo / Autorun.FB


This topic is locked
34 replies to this topic

#1 GarryB

Posted 24 February 2009 - 03:02 PM

Hi folks. As 'the computer guy' at work (I actually work on mainframes and a bit on PCs), I get handed various personal computers of the staff when they have problems.

This is a laptop which as far as I can tell has been severely compromised. It's running on Virgin (UK) Broadband, which means you get the resident protection called PCGuard. When the PC boots, the splash screen for PCGuard comes up and halts, stays on screen, the icons disappear and there are constant nags that the system cannot find the file nircmd.exe in the %windir%\system32\drivers folder. If I ctrl-alt-del I can end the not responding application which is the PCguard and that stops the nircmd nag. It won't allow me to install AVG - it says there's a problem and the install fails.

I have attached it to the corporate broadband at work, and I get messages saying that there is a PC on the network that is compromised.

I've tried S&D & Adaware which resolved some problems with the PC, but I think the user has been incredibly naive in clicking on any prompt that has turned up on their computer. I haven't attached the laptop to my home network - I daren't, so I've had to use a USB stick to transfer files back and forth. I used my pen drive to download DDS.SCR, and my PC is reporting that the USB stick is infected with Backdoor.Generic_r.eo (quarantined and deleted) and then that the autorun file was corrupted with Autorun.FB (quarantined and deleted). My USB drive seems fine now. So I assume that these are the nasties that are on the original laptop. What a mess!

Anyway, I finally managed to run DDS.scr, and here are the logs. Any help greatly appreciated.

Attached Files
#2 bamajim

Posted 03 March 2009 - 10:29 AM

GarryB

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 GarryB

Posted 04 March 2009 - 05:52 AM

Thank you for your attention.

I've had all sorts of problems getting ComboFix to run, mainly because the PCGuard software is interfering with the boot process. Combofix has been deleting some stuff, then reboots the PC, then PCGuard halts the system and the log disappears. I finally managed to disable the start up, but Combofix still thinks it's running. A quick google tells me that PCGuard is useless, but the removal process is tortuous. Certainly there's no uninstaller as far as I can see on this laptop.

Anyway.

ComboFix 09-03-03.01 - Administrator 2009-03-04 10:41:08.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.145 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated)
FW: PCguard Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\sysingB32.dll
c:\windows\system32\system\
.
---- Previous Run -------
.
c:\windows\system32\sysingB32.dll
c:\windows\system32\system\

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-03-04 10:45 . 2009-03-04 10:45 126 --a------ c:\windows\system32\g68.reg
2009-03-04 10:29 . 2009-03-04 10:29 126 --a------ c:\windows\system32\v52.reg
2009-03-04 10:22 . 2009-03-04 10:22 126 --a------ c:\windows\system32\o70.reg
2009-03-04 09:59 . 2009-03-04 09:59 126 --a------ c:\windows\system32\w5.reg
2009-03-04 09:44 . 2009-03-04 09:44 126 --a------ c:\windows\system32\u36.reg
2009-03-04 09:31 . 2009-03-04 09:31 126 --a------ c:\windows\system32\f39.reg
2009-03-04 09:20 . 2009-03-04 09:20 126 --a------ c:\windows\system32\r78.reg
2009-03-04 09:20 . 2009-03-04 09:20 126 --a------ c:\windows\system32\o14.reg
2009-03-04 08:58 . 2009-03-04 08:58 126 --a------ c:\windows\system32\j87.reg
2009-03-04 08:58 . 2009-03-04 08:58 126 --a------ c:\windows\system32\f66.reg
2009-02-24 19:51 . 2009-02-24 19:51 <DIR> d--hs---- C:\FOUND.005
2009-02-19 12:48 . 2009-02-19 12:48 126 --a------ c:\windows\system32\r84.reg
2009-02-19 12:19 . 2000-08-31 08:00 38,912 --a------ c:\windows\system32\NIRCMD.exe
2009-02-19 10:43 . 2009-02-19 10:43 126 --a------ c:\windows\system32\y83.reg
2009-02-19 10:13 . 2009-02-19 10:13 <DIR> d--hs---- C:\FOUND.004
2009-02-19 09:54 . 2009-02-19 09:54 <DIR> d--hs---- C:\FOUND.003
2009-02-19 09:31 . 2009-02-19 09:31 126 --a------ c:\windows\system32\w75.reg
2009-02-17 09:36 . 2009-02-17 09:36 86,528 --a------ c:\windows\system32\vrmit.exe
2009-02-17 09:36 . 2009-02-17 09:36 44,097 --a------ c:\windows\system32\wfimt.exe
2009-02-17 09:36 . 2009-02-17 09:36 32,301 --a------ C:\m1y1z9z2j9p2.exe
2009-02-16 09:19 . 2009-02-16 09:19 86,528 --a------ c:\windows\system32\cztjecl.exe
2009-02-16 09:19 . 2009-02-16 09:19 44,097 --a------ c:\windows\system32\whwnks.exe
2009-02-11 16:40 . 2009-02-11 16:40 86,528 --a------ c:\windows\system32\zxzhvd.exe
2009-02-11 16:40 . 2009-02-11 16:40 44,097 --a------ c:\windows\system32\phocd.exe
2009-02-11 15:52 . 2009-02-11 15:52 86,528 --a------ c:\windows\system32\rcdbgtfr.exe
2009-02-11 15:52 . 2009-02-11 15:52 44,097 --a------ c:\windows\system32\odftcii.exe
2009-02-11 10:01 . 2009-02-11 10:01 86,528 --a------ c:\windows\system32\yegkk.exe
2009-02-11 10:01 . 2009-02-11 10:01 44,097 --a------ c:\windows\system32\hmcl.exe
2009-02-10 13:03 . 2009-02-10 13:03 86,528 --a------ c:\windows\system32\qyywy.exe
2009-02-10 13:03 . 2009-02-10 13:03 44,097 --a------ c:\windows\system32\focr.exe
2009-02-10 13:03 . 2009-02-10 13:03 126 --a------ c:\windows\system32\o36.reg
2009-02-10 09:42 . 2009-02-10 09:42 <DIR> d-------- c:\windows\system32\java
2009-02-10 09:35 . 2009-02-10 13:02 899,649 --a------ C:\lammm.exe
2009-02-09 17:19 . 2009-02-09 17:19 26,771 --a------ c:\windows\system32\ionfgs.hlp
2009-02-09 17:08 . 2009-02-09 17:08 27,244 --a------ c:\windows\system32\irsss.hlp
2009-02-09 17:06 . 2009-02-09 17:06 30,202 --a------ c:\windows\system32\imds.hlp
2009-02-09 17:02 . 2009-03-04 10:46 11,971 --a------ c:\windows\system32\ODCB.INI
2009-02-09 10:47 . 2009-02-10 09:42 685,056 -rahs---- c:\windows\system32\drivers\NirCmd.old
2009-02-09 10:47 . 2000-08-31 08:00 38,912 --a------ c:\windows\system32\drivers\NirCmd.exe
2009-02-06 17:27 . 2009-01-06 13:13 425,984 -r-hs---- c:\windows\system32\jttzkicgu.exe
2009-02-06 17:08 . 2009-02-06 17:08 86,528 --a------ c:\windows\system32\jdqj.exe
2009-02-06 17:08 . 2009-02-06 17:08 44,097 --a------ c:\windows\system32\fhhqlu.exe
2009-02-06 17:04 . 2009-02-06 17:04 176,128 --a------ c:\windows\system32\xau.exe
2009-02-06 17:04 . 2009-02-11 15:53 53,293 --a------ C:\y7s7h9h3g3x5.exe
2009-02-06 16:59 . 2009-02-06 16:59 <DIR> d--hs---- C:\FOUND.002
2009-02-06 13:54 . 2009-02-06 13:54 86,528 --a------ c:\windows\system32\xtaskgt.exe
2009-02-06 13:54 . 2009-02-06 13:54 44,097 --a------ c:\windows\system32\lpvqh.exe
2009-02-05 09:30 . 2009-02-05 09:30 86,528 --a------ c:\windows\system32\xujpexw.exe
2009-02-05 09:30 . 2009-02-06 13:54 53,293 --a------ c:\windows\v3h7j5m5p7d8.exe
2009-02-05 09:30 . 2009-02-06 13:54 53,293 --a------ C:\v3h7j5m5p7d8.exe
2009-02-05 09:30 . 2009-02-05 09:30 44,097 --a------ c:\windows\system32\tfjyy.exe
2009-02-04 20:21 . 2009-02-04 20:21 86,528 --a------ c:\windows\system32\kpcpmw.exe
2009-02-04 20:21 . 2009-02-04 20:21 44,097 --a------ c:\windows\system32\ksxtujoy.exe
2009-02-04 20:17 . 2009-02-04 20:17 176,128 --a------ c:\windows\system32\ref.exe
2009-02-04 20:17 . 2009-02-04 21:01 8,633 --a------ C:\a6b5i3h6z5e5.exe
2009-02-04 20:10 . 2009-02-04 20:10 176,128 --a------ c:\windows\system32\ipa.exe
2009-02-04 20:08 . 2009-02-04 20:08 86,528 --a------ c:\windows\system32\klbrmdk.exe
2009-02-04 20:08 . 2009-02-04 20:08 44,097 --a------ c:\windows\system32\zgjncgt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 16:26 49,197 ----a-w c:\windows\k4e3c2v7x1q7.exe
2009-02-03 16:26 49,197 ----a-w C:\k4e3c2v7x1q7.exe
2009-02-03 14:59 86,528 ----a-w c:\windows\system32\tjptti.exe
2009-02-03 14:59 44,097 ----a-w c:\windows\system32\spjtqho.exe
2009-02-03 10:30 86,528 ----a-w c:\windows\system32\oyis.exe
2009-02-03 10:30 44,097 ----a-w c:\windows\system32\kgojl.exe
2009-02-02 18:54 53,293 ----a-w C:\z8g5q3d3n2s9.exe
2009-02-02 15:15 86,528 ----a-w c:\windows\system32\giudewwn.exe
2009-02-02 11:27 86,528 ----a-w c:\windows\system32\dmbzkbec.exe
2009-01-29 15:24 --------- d-----w c:\program files\PC Doc Pro
2009-01-29 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-01-28 20:19 86,528 ----a-w c:\windows\system32\uxlrjm.exe
2009-01-28 15:44 86,528 ----a-w c:\windows\system32\frdyamty.exe
2009-01-28 09:49 86,528 ----a-w c:\windows\system32\kziqamfs.exe
2009-01-27 17:05 86,528 ----a-w c:\windows\system32\qifcz.exe
2009-01-27 12:00 86,528 ----a-w c:\windows\system32\wlubdok.exe
2009-01-26 16:20 86,528 ----a-w c:\windows\system32\xdkxyop.exe
2009-01-25 16:09 86,528 ----a-w c:\windows\system32\rqxg.exe
2009-01-25 16:09 742,400 --sh--r c:\windows\system32\drivers\SCtri.exe
2009-01-24 18:15 86,528 ----a-w c:\windows\system32\oxey.exe
2009-01-24 12:55 86,528 ----a-w c:\windows\system32\fkuydlb.exe
2009-01-24 12:15 57,389 ----a-w C:\f2q2q4j8g1t8.exe
2009-01-24 12:14 86,528 ----a-w c:\windows\system32\qtvqr.exe
2009-01-24 12:12 44,114 ----a-w c:\documents and settings\Administrator\cni32.exe
2009-01-24 12:09 --------- d--h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 12:09 --------- d-----w c:\program files\Lavasoft
2009-01-24 12:09 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-23 14:04 79,360 ----a-w c:\windows\system32\lybs.exe
2009-01-23 13:44 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-23 13:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 13:22 79,360 ----a-w c:\windows\system32\kbyb.exe
2009-01-23 13:19 --------- d-----w c:\program files\Panda Security
2009-01-23 12:53 132,608 ----a-w c:\windows\system32\sfc_os.dll
2009-01-22 18:50 728,064 --sh--r c:\windows\system32\drivers\SbCtri.exe
2009-01-22 18:02 79,360 ----a-w c:\windows\system32\wnbhnqkp.exe
2009-01-22 17:20 43,520 ---ha-w c:\windows\system32\sist.exe
2009-01-22 17:07 86,528 ----a-w c:\windows\system32\zxox.exe
2009-01-22 15:49 86,528 ----a-w c:\windows\system32\woicuw.exe
2009-01-22 09:28 86,528 ----a-w c:\windows\system32\dwrqfvp.exe
2009-01-22 09:12 86,528 ----a-w c:\windows\system32\lyolxzmp.exe
2009-01-20 11:45 86,528 ----a-w c:\windows\system32\oxzzfafl.exe
2009-01-20 11:45 43,185 ----a-w c:\windows\system32\ijlj.exe
2009-01-20 09:34 86,528 ----a-w c:\windows\system32\epazse.exe
2009-01-20 09:34 43,185 ----a-w c:\windows\system32\gdfumwa.exe
2009-01-20 06:02 86,528 ----a-w c:\windows\system32\kmzlqi.exe
2009-01-20 06:02 43,185 ----a-w c:\windows\system32\mdtr.exe
2009-01-19 19:34 86,528 ----a-w c:\windows\system32\asbdfb.exe
2009-01-19 19:34 43,185 ----a-w c:\windows\system32\psdhlu.exe
2009-01-19 17:54 86,528 ----a-w c:\windows\system32\fzee.exe
2009-01-19 17:54 43,185 ----a-w c:\windows\system32\amjaj.exe
2009-01-19 14:27 458,752 ----a-w c:\windows\system32\keb.exe
2009-01-19 14:21 86,528 ----a-w c:\windows\system32\xsakwc.exe
2009-01-19 14:21 43,185 ----a-w c:\windows\system32\lueuhqc.exe
2009-01-19 14:13 86,528 ----a-w c:\windows\system32\zysf.exe
2009-01-19 14:13 43,185 ----a-w c:\windows\system32\guul.exe
2009-01-19 09:39 44,097 ----a-w c:\documents and settings\Administrator\vos32.exe
2009-01-19 09:38 86,528 ----a-w c:\windows\system32\dudqxabm.exe
2009-01-19 09:38 43,185 ----a-w c:\windows\system32\ontnaxxs.exe
2009-01-19 09:30 86,528 ----a-w c:\windows\system32\mlbuis.exe
2009-01-19 09:30 43,185 ----a-w c:\windows\system32\dnts.exe
2009-01-17 20:20 86,528 ----a-w c:\windows\system32\uinqzp.exe
2009-01-17 20:20 43,185 ----a-w c:\windows\system32\tzudvakq.exe
2009-01-06 14:14 758,272 ----a-w C:\xxxojk.exe
2009-01-06 14:01 758,272 ----a-w C:\xxxxx.exe
2009-01-06 13:39 758,272 ----a-w C:\drudt.exe
2009-01-06 13:13 425,984 --sh--r c:\windows\system32\oodvvnynk.exe
2009-01-06 13:13 425,984 --sh--r c:\windows\system32\gwprnoryr.exe
2009-01-06 13:13 425,984 --sh--r c:\windows\system32\djkisgmsz.exe
2009-01-06 13:13 425,984 ----a-r c:\windows\system32\WinsTrack.exe
2009-01-06 13:05 758,272 ----a-w C:\xxxdsbgv.exe
2001-08-18 14:00 425,984 --sh--r c:\windows\system32\dnvzlynxk.exe
2001-08-18 14:00 758,272 --sh--r c:\windows\system32\admirall.exe
.

------- Sigcheck -------

2001-08-18 14:00 1008128 29ec6314b102d6ca5572aab200fe9a06 c:\windows\explorer.exe
2001-08-18 14:00 1008128 e3ef8fa7131b643040387d247d795814 c:\windows\system32\dllcache\explorer.exe
2004-08-04 07:56 1039360 68f873dabcb9fd2031a39511169dcad9 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
2001-08-18 14:00 1008128 eb3dbdfa9fa46d614b9f694a6c02228a c:\windows\$NtServicePackUninstall$\explorer.exe

2001-08-18 14:00 20480 399169b8585d119a9ba94ec5ee270663 c:\windows\system32\ctfmon.exe
2001-08-18 14:00 20480 c8ec699a097213ce4a28494d2ec19ae5 c:\windows\system32\dllcache\ctfmon.exe
2004-08-04 07:56 22528 3abf066a0215933e037bbd3c74a17104 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ctfmon.exe
2001-08-18 14:00 20480 5615775b415f156b52052bd9ccfaf957 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\spoolsv.exe
2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\dllcache\spoolsv.exe
2004-08-04 07:56 65024 d6aa7110abb4dfee0962a514d1ae73be c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\spoolsv.exe
2001-08-18 14:00 58368 a342e85fa406e94789ca2fc8863d1d78 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2001-08-18 14:00 28672 d17c0f47b7fb5017c14cd3ae95f68f33 c:\windows\system32\userinit.exe
2001-08-18 14:00 28672 15036dffc216f9614a1c53b3deab0a28 c:\windows\system32\dllcache\userinit.exe
2004-08-04 07:56 31744 db83a2ae22b9898256853e26ad0421e1 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\userinit.exe
2001-08-18 14:00 28672 2a20cac0f1ced22859360edae4f6b49f c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-05-23 1470736]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-04-23 202088]
"Windows Service Agents"="jttzkicgu.exe" [2009-01-06 c:\windows\system32\jttzkicgu.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"WinXPService"="c:\windows\system32\System" [X]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2002-05-13 09:12 253952]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-01-22 57344]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-16 135168]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2002-08-09 131072]
"FixBluetooth"="c:\windows\system32\BlueSoleiI.exe" [2008-02-02 234271]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"nwiz"="nwiz.exe" [2002-04-19 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 32768 c:\windows\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 c:\windows\system32\TPWRTRAY.EXE]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2001-08-03 c:\windows\system32\TFNF5.exe]
"Windows Service Agents"="jttzkicgu.exe" [2009-01-06 c:\windows\system32\jttzkicgu.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Agents"="jttzkicgu.exe" [2009-01-06 c:\windows\system32\jttzkicgu.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-05-23 1470736]
"Windows Service Agents"="jttzkicgu.exe" [2009-01-06 c:\windows\system32\jttzkicgu.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 118544]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 59152]
BlueSoleiI.lnk - c:\windows\system32\BlueSoleiI.exe [2008-02-02 234271]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-01-18 21:34 506712 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
--a------ 2007-01-24 14:12 2037240 c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCguard]
--a------ 2007-01-24 18:53 275960 c:\program files\Virgin Broadband\PCguard\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Agents]
-r-hs---- 2009-01-06 13:13 425984 c:\windows\system32\jttzkicgu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\admirall.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-23 28544]
S2 NirSoft Service Controler;NirSoft Service Controler;c:\windows\system32\drivers\NirCmd.exe [2009-02-09 38912]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Application Layer Gateway Service - c:\windows\System32\algs.exe
HKLM-Run-Client Server Runtime Process - c:\windows\System32\csrs.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sb1r91iq.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 10:45:58
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\fws.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\TOSHIBA\TOSHIBA CONTROLS\TFNCKY.EXE
c:\program files\APOINT2K\APNTEX.EXE
c:\windows\System32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-03-04 10:47:28 - machine was rebooted [Administrator]
ComboFix2.txt 2009-02-19 11:21:14
ComboFix-quarantined-files.txt 2009-03-04 10:47:26

Pre-Run: 25,282,150,400 bytes free
Post-Run: 25,207,554,048 bytes free

279 --- E O F --- 2009-01-21 10:09:26
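As an added example (not part of this thread, and not ComboFix's own code), here is a small Python script that reads a Sigcheck block like the one in the log above and flags system files whose live copy has the same size and timestamp as a backup copy but a different MD5, the footprint of a file infector that patches a binary while preserving its metadata. The sample input is the Sigcheck lines from this log; treating dllcache, SoftwareDistribution and $NtServicePackUninstall$ as backup locations is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the four Sigcheck groups copied from the ComboFix log
# above (timestamp, size, MD5, path). Values are the page's own, unchanged.
SIGCHECK_SAMPLE = r"""
2001-08-18 14:00 1008128 29ec6314b102d6ca5572aab200fe9a06 c:\windows\explorer.exe
2001-08-18 14:00 1008128 e3ef8fa7131b643040387d247d795814 c:\windows\system32\dllcache\explorer.exe
2004-08-04 07:56 1039360 68f873dabcb9fd2031a39511169dcad9 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
2001-08-18 14:00 1008128 eb3dbdfa9fa46d614b9f694a6c02228a c:\windows\$NtServicePackUninstall$\explorer.exe

2001-08-18 14:00 20480 399169b8585d119a9ba94ec5ee270663 c:\windows\system32\ctfmon.exe
2001-08-18 14:00 20480 c8ec699a097213ce4a28494d2ec19ae5 c:\windows\system32\dllcache\ctfmon.exe
2004-08-04 07:56 22528 3abf066a0215933e037bbd3c74a17104 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ctfmon.exe
2001-08-18 14:00 20480 5615775b415f156b52052bd9ccfaf957 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\spoolsv.exe
2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\dllcache\spoolsv.exe
2004-08-04 07:56 65024 d6aa7110abb4dfee0962a514d1ae73be c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\spoolsv.exe
2001-08-18 14:00 58368 a342e85fa406e94789ca2fc8863d1d78 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2001-08-18 14:00 28672 d17c0f47b7fb5017c14cd3ae95f68f33 c:\windows\system32\userinit.exe
2001-08-18 14:00 28672 15036dffc216f9614a1c53b3deab0a28 c:\windows\system32\dllcache\userinit.exe
2004-08-04 07:56 31744 db83a2ae22b9898256853e26ad0421e1 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\userinit.exe
2001-08-18 14:00 28672 2a20cac0f1ced22859360edae4f6b49f c:\windows\$NtServicePackUninstall$\userinit.exe
"""

# One Sigcheck line: "<date> <time> <size> <md5> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*)$"
)

# Assumption: these directories hold reference copies rather than the file
# Windows actually executes.
BACKUP_MARKERS = ("\\dllcache\\", "\\softwaredistribution\\", "$ntservicepackuninstall$")


def parse_sigcheck(text):
    """Return a list of dicts (ts, size, md5, path); non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, size, md5, path = m.groups()
            entries.append({"ts": ts, "size": int(size), "md5": md5.lower(), "path": path})
    return entries


def is_backup_copy(path):
    low = path.lower()
    return any(marker in low for marker in BACKUP_MARKERS)


def find_tampered(entries):
    """Map basename -> list of (live, backup) pairs that share size and
    timestamp but disagree on MD5. A different size or timestamp is just a
    different build (e.g. the SP2 copy under SoftwareDistribution) and is not
    reported."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)

    findings = {}
    for name, copies in by_name.items():
        live = [e for e in copies if not is_backup_copy(e["path"])]
        backups = [e for e in copies if is_backup_copy(e["path"])]
        for l in live:
            for b in backups:
                if l["size"] == b["size"] and l["ts"] == b["ts"] and l["md5"] != b["md5"]:
                    findings.setdefault(name, []).append(
                        {"live": l["path"], "live_md5": l["md5"],
                         "backup": b["path"], "backup_md5": b["md5"]}
                    )
    return findings


def report(findings):
    """Human-readable lines, one per mismatching pair."""
    lines = []
    for name in sorted(findings):
        for f in findings[name]:
            lines.append(
                f"{name}: {f['live']} ({f['live_md5'][:8]}...) differs from "
                f"{f['backup']} ({f['backup_md5'][:8]}...) despite equal size and timestamp"
            )
    return lines


if __name__ == "__main__":
    for line in report(find_tampered(parse_sigcheck(SIGCHECK_SAMPLE))):
        print(line)
```

Note that spoolsv.exe matches its dllcache copy byte for byte, yet ComboFix reported it infected: agreement with an on-disk backup is not proof that a file is clean, since the backup can be patched too, and the only reliable reference is a hash from known-good installation media.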

#4 bamajim

Posted 04 March 2009 - 09:12 AM

GarryB

That's quite a mess you have there. The PC can be cleaned, but I would recommend a Re-format and reinstall of windows.

The infection has gone far enough as to damage some Windows System files.

If you want me to help you clean it, I will, but I recommend a re-install.

Let me know what you decide.
Microsoft MVP - Windows Security

#5 GarryB

Posted 04 March 2009 - 10:24 AM

bamajim,

Thanks for that. I must admit my heart sank when I saw the files that had been damaged and knew that that was therefore likely to be the recommendation.

Unfortunately as is the nature of these things, I don't believe that the user has any Windows installation software - I believe that she only got an image disc when buying the laptop.

I will ask her what she wants to do and will report back as soon as possible. I guess we can pull her documents and various other bits and pieces from the laptop, then format and reinstall the image.

Thanks again.

#6 GarryB

Posted 06 March 2009 - 06:25 AM

Sorry about this, but the owner tells me that she has no discs at all.

Is there therefore any way of effecting a recovery without a reformat and reinstall?

#7 bamajim

Posted 06 March 2009 - 10:32 AM

GarryB

We can, it will take a few runs at this, and you may see little change until we are almost done, so please be patient.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
c:\windows\system32\vrmit.exe
c:\windows\system32\wfimt.exe
C:\m1y1z9z2j9p2.exe
c:\windows\system32\cztjecl.exe
c:\windows\system32\whwnks.exe
c:\windows\system32\zxzhvd.exe
c:\windows\system32\phocd.exe
c:\windows\system32\rcdbgtfr.exe
c:\windows\system32\odftcii.exe
c:\windows\system32\yegkk.exe
c:\windows\system32\hmcl.exe
c:\windows\system32\qyywy.exe
c:\windows\system32\focr.exe
c:\windows\system32\ionfgs.hlp
c:\windows\system32\irsss.hlp
c:\windows\system32\imds.hlp
c:\windows\system32\ODCB.INI
c:\windows\system32\jttzkicgu.exe
c:\windows\system32\jdqj.exe
c:\windows\system32\fhhqlu.exe
c:\windows\system32\xau.exe
C:\y7s7h9h3g3x5.exe
c:\windows\system32\xtaskgt.exe
c:\windows\system32\lpvqh.exe
c:\windows\system32\xujpexw.exe
c:\windows\v3h7j5m5p7d8.exe
C:\v3h7j5m5p7d8.exe
c:\windows\system32\tfjyy.exe
c:\windows\system32\kpcpmw.exe
c:\windows\system32\ksxtujoy.exe
c:\windows\system32\ref.exe
C:\a6b5i3h6z5e5.exe
c:\windows\system32\ipa.exe
c:\windows\system32\klbrmdk.exe
c:\windows\system32\zgjncgt.exe
c:\windows\k4e3c2v7x1q7.exe
C:\k4e3c2v7x1q7.exe
c:\windows\system32\tjptti.exe
c:\windows\system32\spjtqho.exe
c:\windows\system32\oyis.exe
c:\windows\system32\kgojl.exe
C:\z8g5q3d3n2s9.exe
c:\windows\system32\giudewwn.exe
c:\windows\system32\dmbzkbec.exe
c:\windows\system32\uxlrjm.exe
c:\windows\system32\frdyamty.exe
c:\windows\system32\kziqamfs.exe
c:\windows\system32\qifcz.exe
c:\windows\system32\wlubdok.exe
c:\windows\system32\xdkxyop.exe
c:\windows\system32\rqxg.exe
c:\windows\system32\drivers\SCtri.exe
c:\windows\system32\oxey.exe
c:\windows\system32\fkuydlb.exe
C:\f2q2q4j8g1t8.exe
c:\windows\system32\qtvqr.exe
c:\documents and settings\Administrator\cni32.exe
c:\windows\system32\lybs.exe
c:\windows\system32\kbyb.exe
c:\windows\system32\drivers\SbCtri.exe
c:\windows\system32\wnbhnqkp.exe
c:\windows\system32\sist.exe
c:\windows\system32\zxox.exe
c:\windows\system32\woicuw.exe
c:\windows\system32\dwrqfvp.exe
c:\windows\system32\lyolxzmp.exe
c:\windows\system32\oxzzfafl.exe
c:\windows\system32\ijlj.exe
c:\windows\system32\epazse.exe
c:\windows\system32\gdfumwa.exe
c:\windows\system32\kmzlqi.exe
c:\windows\system32\mdtr.exe
c:\windows\system32\asbdfb.exe
c:\windows\system32\psdhlu.exe
c:\windows\system32\fzee.exe
c:\windows\system32\amjaj.exe
c:\windows\system32\keb.exe
c:\windows\system32\xsakwc.exe
c:\windows\system32\lueuhqc.exe
c:\windows\system32\zysf.exe
c:\windows\system32\guul.exe
c:\documents and settings\Administrator\vos32.exe
c:\windows\system32\dudqxabm.exe
c:\windows\system32\ontnaxxs.exe
c:\windows\system32\mlbuis.exe
c:\windows\system32\dnts.exe
c:\windows\system32\uinqzp.exe
c:\windows\system32\tzudvakq.exe
C:\xxxojk.exe
C:\xxxxx.exe
C:\drudt.exe
c:\windows\system32\oodvvnynk.exe
c:\windows\system32\gwprnoryr.exe
c:\windows\system32\djkisgmsz.exe
c:\windows\system32\WinsTrack.exe
C:\xxxdsbgv.exe
c:\windows\system32\dnvzlynxk.exe
c:\windows\system32\admirall.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service Agents"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinXPService"=-
"Windows Service Agents"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Agents"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Service Agents"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Agents]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\admirall.exe"=-


Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security

#8 GarryB

Posted 06 March 2009 - 11:19 AM

Thank you bamajim for your patience and forbearance! Interestingly enough, when ComboFix rebooted the laptop this time, an mIRC chat window popped up.

Here's the log:

ComboFix 09-03-04.01 - Administrator 2009-03-06 16:10:14.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.55 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated)
FW: PCguard Firewall *enabled*
* Created a new restore point

FILE ::
C:\a6b5i3h6z5e5.exe
c:\documents and settings\Administrator\cni32.exe
c:\documents and settings\Administrator\vos32.exe
C:\drudt.exe
C:\f2q2q4j8g1t8.exe
C:\k4e3c2v7x1q7.exe
C:\m1y1z9z2j9p2.exe
C:\v3h7j5m5p7d8.exe
c:\windows\k4e3c2v7x1q7.exe
c:\windows\system32\admirall.exe
c:\windows\system32\amjaj.exe
c:\windows\system32\asbdfb.exe
c:\windows\system32\cztjecl.exe
c:\windows\system32\djkisgmsz.exe
c:\windows\system32\dmbzkbec.exe
c:\windows\system32\dnts.exe
c:\windows\system32\dnvzlynxk.exe
c:\windows\system32\drivers\SbCtri.exe
c:\windows\system32\drivers\SCtri.exe
c:\windows\system32\dudqxabm.exe
c:\windows\system32\dwrqfvp.exe
c:\windows\system32\epazse.exe
c:\windows\system32\fhhqlu.exe
c:\windows\system32\fkuydlb.exe
c:\windows\system32\focr.exe
c:\windows\system32\frdyamty.exe
c:\windows\system32\fzee.exe
c:\windows\system32\gdfumwa.exe
c:\windows\system32\giudewwn.exe
c:\windows\system32\guul.exe
c:\windows\system32\gwprnoryr.exe
c:\windows\system32\hmcl.exe
c:\windows\system32\ijlj.exe
c:\windows\system32\imds.hlp
c:\windows\system32\ionfgs.hlp
c:\windows\system32\ipa.exe
c:\windows\system32\irsss.hlp
c:\windows\system32\jdqj.exe
c:\windows\system32\jttzkicgu.exe
c:\windows\system32\kbyb.exe
c:\windows\system32\keb.exe
c:\windows\system32\kgojl.exe
c:\windows\system32\klbrmdk.exe
c:\windows\system32\kmzlqi.exe
c:\windows\system32\kpcpmw.exe
c:\windows\system32\ksxtujoy.exe
c:\windows\system32\kziqamfs.exe
c:\windows\system32\lpvqh.exe
c:\windows\system32\lueuhqc.exe
c:\windows\system32\lybs.exe
c:\windows\system32\lyolxzmp.exe
c:\windows\system32\mdtr.exe
c:\windows\system32\mlbuis.exe
c:\windows\system32\ODCB.INI
c:\windows\system32\odftcii.exe
c:\windows\system32\ontnaxxs.exe
c:\windows\system32\oodvvnynk.exe
c:\windows\system32\oxey.exe
c:\windows\system32\oxzzfafl.exe
c:\windows\system32\oyis.exe
c:\windows\system32\phocd.exe
c:\windows\system32\psdhlu.exe
c:\windows\system32\qifcz.exe
c:\windows\system32\qtvqr.exe
c:\windows\system32\qyywy.exe
c:\windows\system32\rcdbgtfr.exe
c:\windows\system32\ref.exe
c:\windows\system32\rqxg.exe
c:\windows\system32\sist.exe
c:\windows\system32\spjtqho.exe
c:\windows\system32\tfjyy.exe
c:\windows\system32\tjptti.exe
c:\windows\system32\tzudvakq.exe
c:\windows\system32\uinqzp.exe
c:\windows\system32\uxlrjm.exe
c:\windows\system32\vrmit.exe
c:\windows\system32\wfimt.exe
c:\windows\system32\whwnks.exe
c:\windows\system32\WinsTrack.exe
c:\windows\system32\wlubdok.exe
c:\windows\system32\wnbhnqkp.exe
c:\windows\system32\woicuw.exe
c:\windows\system32\xau.exe
c:\windows\system32\xdkxyop.exe
c:\windows\system32\xsakwc.exe
c:\windows\system32\xtaskgt.exe
c:\windows\system32\xujpexw.exe
c:\windows\system32\yegkk.exe
c:\windows\system32\zgjncgt.exe
c:\windows\system32\zxox.exe
c:\windows\system32\zxzhvd.exe
c:\windows\system32\zysf.exe
c:\windows\v3h7j5m5p7d8.exe
C:\xxxdsbgv.exe
C:\xxxojk.exe
C:\xxxxx.exe
C:\y7s7h9h3g3x5.exe
C:\z8g5q3d3n2s9.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a6b5i3h6z5e5.exe
c:\documents and settings\Administrator\cni32.exe
c:\documents and settings\Administrator\vos32.exe
C:\drudt.exe
C:\f2q2q4j8g1t8.exe
C:\k4e3c2v7x1q7.exe
C:\m1y1z9z2j9p2.exe
C:\v3h7j5m5p7d8.exe
c:\windows\k4e3c2v7x1q7.exe
c:\windows\system32\admirall.exe
c:\windows\system32\amjaj.exe
c:\windows\system32\asbdfb.exe
c:\windows\system32\cztjecl.exe
c:\windows\system32\djkisgmsz.exe
c:\windows\system32\dmbzkbec.exe
c:\windows\system32\dnts.exe
c:\windows\system32\dnvzlynxk.exe
c:\windows\system32\drivers\SbCtri.exe
c:\windows\system32\drivers\SCtri.exe
c:\windows\system32\dudqxabm.exe
c:\windows\system32\dwrqfvp.exe
c:\windows\system32\epazse.exe
c:\windows\system32\fhhqlu.exe
c:\windows\system32\fkuydlb.exe
c:\windows\system32\focr.exe
c:\windows\system32\frdyamty.exe
c:\windows\system32\fzee.exe
c:\windows\system32\gdfumwa.exe
c:\windows\system32\giudewwn.exe
c:\windows\system32\guul.exe
c:\windows\system32\gwprnoryr.exe
c:\windows\system32\hmcl.exe
c:\windows\system32\ijlj.exe
c:\windows\system32\imds.hlp
c:\windows\system32\ionfgs.hlp
c:\windows\system32\ipa.exe
c:\windows\system32\irsss.hlp
c:\windows\system32\jdqj.exe
c:\windows\system32\jttzkicgu.exe
c:\windows\system32\kbyb.exe
c:\windows\system32\keb.exe
c:\windows\system32\kgojl.exe
c:\windows\system32\klbrmdk.exe
c:\windows\system32\kmzlqi.exe
c:\windows\system32\kpcpmw.exe
c:\windows\system32\ksxtujoy.exe
c:\windows\system32\kziqamfs.exe
c:\windows\system32\lpvqh.exe
c:\windows\system32\lueuhqc.exe
c:\windows\system32\lybs.exe
c:\windows\system32\lyolxzmp.exe
c:\windows\system32\mdtr.exe
c:\windows\system32\mlbuis.exe
c:\windows\system32\ODCB.INI
c:\windows\system32\odftcii.exe
c:\windows\system32\ontnaxxs.exe
c:\windows\system32\oodvvnynk.exe
c:\windows\system32\oxey.exe
c:\windows\system32\oxzzfafl.exe
c:\windows\system32\oyis.exe
c:\windows\system32\phocd.exe
c:\windows\system32\psdhlu.exe
c:\windows\system32\qifcz.exe
c:\windows\system32\qtvqr.exe
c:\windows\system32\qyywy.exe
c:\windows\system32\rcdbgtfr.exe
c:\windows\system32\ref.exe
c:\windows\system32\rqxg.exe
c:\windows\system32\sist.exe
c:\windows\system32\spjtqho.exe
c:\windows\system32\system\
c:\windows\system32\tfjyy.exe
c:\windows\system32\tjptti.exe
c:\windows\system32\tzudvakq.exe
c:\windows\system32\uinqzp.exe
c:\windows\system32\uxlrjm.exe
c:\windows\system32\vrmit.exe
c:\windows\system32\wfimt.exe
c:\windows\system32\whwnks.exe
c:\windows\system32\WinsTrack.exe
c:\windows\system32\wlubdok.exe
c:\windows\system32\wnbhnqkp.exe
c:\windows\system32\woicuw.exe
c:\windows\system32\xau.exe
c:\windows\system32\xdkxyop.exe
c:\windows\system32\xsakwc.exe
c:\windows\system32\xtaskgt.exe
c:\windows\system32\xujpexw.exe
c:\windows\system32\yegkk.exe
c:\windows\system32\zgjncgt.exe
c:\windows\system32\zxox.exe
c:\windows\system32\zxzhvd.exe
c:\windows\system32\zysf.exe
c:\windows\v3h7j5m5p7d8.exe
C:\xxxdsbgv.exe
C:\xxxojk.exe
C:\xxxxx.exe
C:\y7s7h9h3g3x5.exe
C:\z8g5q3d3n2s9.exe

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-04 10:45 . 2009-03-04 10:45 126 --a------ c:\windows\system32\g68.reg
2009-03-04 10:29 . 2009-03-04 10:29 126 --a------ c:\windows\system32\v52.reg
2009-03-04 10:22 . 2009-03-04 10:22 126 --a------ c:\windows\system32\o70.reg
2009-03-04 09:59 . 2009-03-04 09:59 126 --a------ c:\windows\system32\w5.reg
2009-03-04 09:44 . 2009-03-04 09:44 126 --a------ c:\windows\system32\u36.reg
2009-03-04 09:31 . 2009-03-04 09:31 126 --a------ c:\windows\system32\f39.reg
2009-03-04 09:20 . 2009-03-04 09:20 126 --a------ c:\windows\system32\r78.reg
2009-03-04 09:20 . 2009-03-04 09:20 126 --a------ c:\windows\system32\o14.reg
2009-03-04 08:58 . 2009-03-04 08:58 126 --a------ c:\windows\system32\j87.reg
2009-03-04 08:58 . 2009-03-04 08:58 126 --a------ c:\windows\system32\f66.reg
2009-02-24 19:51 . 2009-02-24 19:51 <DIR> d--hs---- C:\FOUND.005
2009-02-19 12:48 . 2009-02-19 12:48 126 --a------ c:\windows\system32\r84.reg
2009-02-19 12:19 . 2000-08-31 08:00 38,912 --a------ c:\windows\system32\NIRCMD.exe
2009-02-19 10:43 . 2009-02-19 10:43 126 --a------ c:\windows\system32\y83.reg
2009-02-19 10:13 . 2009-02-19 10:13 <DIR> d--hs---- C:\FOUND.004
2009-02-19 09:54 . 2009-02-19 09:54 <DIR> d--hs---- C:\FOUND.003
2009-02-19 09:31 . 2009-02-19 09:31 126 --a------ c:\windows\system32\w75.reg
2009-02-10 13:03 . 2009-02-10 13:03 126 --a------ c:\windows\system32\o36.reg
2009-02-10 09:42 . 2009-02-10 09:42 <DIR> d-------- c:\windows\system32\java
2009-02-10 09:35 . 2009-02-10 13:02 899,649 --a------ C:\lammm.exe
2009-02-09 10:47 . 2009-02-10 09:42 685,056 -rahs---- c:\windows\system32\drivers\NirCmd.old
2009-02-09 10:47 . 2000-08-31 08:00 38,912 --a------ c:\windows\system32\drivers\NirCmd.exe
2009-02-06 16:59 . 2009-02-06 16:59 <DIR> d--hs---- C:\FOUND.002

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 15:24 --------- d-----w c:\program files\PC Doc Pro
2009-01-29 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 12:09 --------- d--h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 12:09 --------- d-----w c:\program files\Lavasoft
2009-01-24 12:09 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-23 13:44 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-23 13:44 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 13:19 --------- d-----w c:\program files\Panda Security
2009-01-23 12:53 132,608 ----a-w c:\windows\system32\sfc_os.dll
.

------- Sigcheck -------

2001-08-18 14:00 1008128 29ec6314b102d6ca5572aab200fe9a06 c:\windows\explorer.exe
2001-08-18 14:00 1008128 e3ef8fa7131b643040387d247d795814 c:\windows\system32\dllcache\explorer.exe
2004-08-04 07:56 1039360 68f873dabcb9fd2031a39511169dcad9 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
2001-08-18 14:00 1008128 eb3dbdfa9fa46d614b9f694a6c02228a c:\windows\$NtServicePackUninstall$\explorer.exe

2001-08-18 14:00 20480 399169b8585d119a9ba94ec5ee270663 c:\windows\system32\ctfmon.exe
2001-08-18 14:00 20480 c8ec699a097213ce4a28494d2ec19ae5 c:\windows\system32\dllcache\ctfmon.exe
2004-08-04 07:56 22528 3abf066a0215933e037bbd3c74a17104 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ctfmon.exe
2001-08-18 14:00 20480 5615775b415f156b52052bd9ccfaf957 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\spoolsv.exe
2001-08-18 14:00 58368 fe9c0668f0a3f6f59c781d8fd3374cb3 c:\windows\system32\dllcache\spoolsv.exe
2004-08-04 07:56 65024 d6aa7110abb4dfee0962a514d1ae73be c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\spoolsv.exe
2001-08-18 14:00 58368 a342e85fa406e94789ca2fc8863d1d78 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2001-08-18 14:00 28672 d17c0f47b7fb5017c14cd3ae95f68f33 c:\windows\system32\userinit.exe
2001-08-18 14:00 28672 15036dffc216f9614a1c53b3deab0a28 c:\windows\system32\dllcache\userinit.exe
2004-08-04 07:56 31744 db83a2ae22b9898256853e26ad0421e1 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\userinit.exe
2001-08-18 14:00 28672 2a20cac0f1ced22859360edae4f6b49f c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-04_10.46.35.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 20:02:28 174,080 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 08:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 08:00:00 38,912 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 08:00:00 169,472 ----a-w c:\windows\SWREG.exe
- 2009-03-04 10:43:46 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-06 16:13:18 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-04 10:43:46 16,384 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-06 16:13:18 16,384 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-04 10:43:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 16:13:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-04 09:38:58 262,144 ----a-w c:\windows\system32\config\systemprofile\NTUSER.DAT
+ 2009-03-06 16:10:00 262,144 ----a-w c:\windows\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-05-23 1470736]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-04-23 202088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2002-05-13 09:12 253952]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2002-01-22 57344]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-16 135168]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2002-08-09 131072]
"FixBluetooth"="c:\windows\system32\BlueSoleiI.exe" [2008-02-02 234271]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"nwiz"="nwiz.exe" [2002-04-19 c:\windows\system32\nwiz.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 32768 c:\windows\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 c:\windows\system32\TPWRTRAY.EXE]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2001-08-03 c:\windows\system32\TFNF5.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-05-23 1470736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 118544]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 59152]
BlueSoleiI.lnk - c:\windows\system32\BlueSoleiI.exe [2008-02-02 234271]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-01-18 21:34 506712 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadbandadvisor.exe]
--a------ 2007-01-24 14:12 2037240 c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCguard]
--a------ 2007-01-24 18:53 275960 c:\program files\Virgin Broadband\PCguard\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-23 28544]
S2 NirSoft Service Controler;NirSoft Service Controler;c:\windows\system32\drivers\NirCmd.exe [2009-02-09 38912]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sb1r91iq.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 16:15:28
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\fws.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\APOINT2K\APNTEX.EXE
c:\windows\system32\System
c:\windows\system32\System
c:\windows\System32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-03-06 16:16:52 - machine was rebooted
ComboFix3.txt 2009-02-19 11:21:14
ComboFix-quarantined-files.txt 2009-03-06 16:16:50
ComboFix2.txt 2009-03-04 10:47:32

Pre-Run: 25,108,824,064 bytes free
Post-Run: 25,050,546,176 bytes free

375 --- E O F --- 2009-01-21 10:09:26

#9 bamajim

Posted 10 March 2009 - 07:40 AM

GarryB

We have some infected system files and we will deal with them last.

2 things:

1. You have some suspicious files; I would like to look at one of them.

Please go HERE

Put Your Name, and BC HJT forum

And In the file to submit box, click Browse.

Locate the file c:\windows\system32\r84.reg
In the comments, tell them that I asked you to upload the file.
Then select Send File.

2. Are you able to get this PC on IE for an online scan? If so

Run an online virus scan called Kaspersky from HERE.

1. At the main page, after reading the contents, press on "Accept".
2. At the next window select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as".
Then in the file name just type in kaspersky.
Under "save as type" select text .txt.
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found, then report that as well.
Microsoft MVP - Windows Security

#10 GarryB

Posted 10 March 2009 - 08:54 AM

r84.reg uploaded as requested.

The bad news is that the laptop will not allow me to run Kaspersky. It needs a version of Java which is higher than the one on the laptop, and every time I try to install a newer version of Java, I get an error saying that it cannot be installed because of problems with the Windows installer. This is in Firefox and IE, the latter of which I can only start by using the command line - i.e. all the links and icons for IE have disappeared from the computer.

Thanks.

#11 bamajim

Posted 17 March 2009 - 08:17 AM

GarryB

Sorry for the delay

You can get a clean copy of the Windows installer Here.

Let's start there.
Microsoft MVP - Windows Security

#12 GarryB

Posted 19 March 2009 - 04:26 AM

Jim - I'm just grateful that you have taken time to help.

OK, the Windows installer allowed me to download and install Java, but Kaspersky will still not work. Every installation I try, even after clearing caches and rebooting the PC, comes up with an 'invalid signature' error.

I therefore went to Panda and ran the free online scan from there; log attached. Hopefully it will be useful.


*** EDIT *** Kaspersky is now running. Will post that log when it's finished.

Edited by GarryB, 19 March 2009 - 04:41 AM.


#13 GarryB

Posted 19 March 2009 - 11:23 AM

FINALLY, after about five attempts, Kaspersky ran to completion. It doesn't look good (see attached). Because the file was so large, I've deleted a lot of what I think might be extraneous information at this point - there were a lot of files called A00(number).exe in one of the restore folders, all infected, so I've deleted all that from the scan text file and noted that within the file. Every entry was the same.

Was there anything in the r84.reg file?

#14 bamajim

Posted 19 March 2009 - 11:40 AM

GarryB

Yes, the file is trash, but not an immediate threat right now.

And we will flush System Restore when we are done.

Let's try this.

1. Go HERE.

And download the Virut Removal tool. Save it to the Desktop.

Right-click and extract it to the Desktop.

Open the Virutcure folder. There will be 2 files with similar names; double-click on VirutCure.com.exe (the larger of the 2).

Select Start Scan

When the tool is finished, make sure the items found were "fixed".

In your reply, tell me how many items were found and fixed.
Microsoft MVP - Windows Security

#15 GarryB

Posted 20 March 2009 - 04:49 AM

Thanks. I had the 'Auto Repair' clicked on; it scanned 33,241 files, repaired 5,790. The infection count was zero; I assume that's files it couldn't fix?
