
"Your System is Infected" wallpaper on my desktop...


This topic is locked
36 replies to this topic

#1 Christina8801

Posted 26 January 2010 - 06:33 PM

I've got popups telling me I should scan for spyware and that I've been infected. I'm also getting "Click here to install antivirus" messages. Task Manager is also disabled.


DDS (Ver_09-12-01.01) - FAT32x86
Run by tboykin at 16:13:47.92 on Tue 01/26/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.767.542 [GMT -6:00]


============== Running Processes ===============

C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Webroot\SME\Client\commagent.exe
C:\Program Files\Webroot\SME\Client\spysweeper.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\smss32.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\tboykin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\winnt\system32\winlogon32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3f9d0c61-737d-44d1-bd80-91af857061cc} - c:\winnt\system32\fccawvu.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {c6351e77-bee3-4052-8407-de9afd95e68e} - c:\winnt\system32\mllmj.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [RealPlayer] "c:\program files\real\realone player\realplay.exe" /RunUPGToolCommandReBoot
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [CreateCD50] "c:\program files\common files\adaptec shared\createcd\CreateCD50.exe" -r
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [TweakIE Scheduler]
mRun: [hpsjbmgr] c:\scanjet\precisionscanlt\hpsjbmgr.exe
mRun: [OBi Server]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SpyHunter]
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LXBTCATS] rundll32 c:\winnt\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [smss32.exe] c:\winnt\system32\smss32.exe
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicw~1.lnk - c:\program files\sonicwall\sonicwall vpn client\SafeCfg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - c:\program files\tweakie 3.0\TweakIE.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\winnt\system32\helper32.dll
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: sxload.net
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238515866507
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8D83D301-E841-11D1-B155-00600823BCF9} - hxxp://live.landsend.com/webline/applets/msie40x.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {0217649F-7BFE-43EC-B4A3-2B5C60C27804} = 192.168.168.11
TCP: {A0B14302-985C-49B9-8E7B-83AAB47606D1} = 192.168.168.5,192.168.168.11
Notify: fccawvu - fccawvu.dll
Notify: mllmj - c:\winnt\system32\mllmj.dll
SEH: {3f9d0c61-737d-44d1-bd80-91af857061cc} - c:\winnt\system32\fccawvu.dll
Hosts: 192.168.168.5 adserver
Hosts: 192.168.168.7 haserver
Hosts: 192.168.168.9 primeserver
Hosts: 192.168.168.11 Appserver
Hosts: 192.168.168.10 dbserver

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [2001-9-4 359103]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [2004-5-14 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [2004-5-14 112696]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-15 24652]
R2 vnccom;vnccom;c:\winnt\system32\drivers\vnccom.SYS [2009-3-30 6016]
R2 WebrootCommAgentService;Webroot CommAgent Service;c:\program files\webroot\sme\client\CommAgent.exe [2006-12-6 890944]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\sme\client\SPYSWEEPER.EXE [2006-12-6 3323968]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [2004-5-14 36188]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2001-12-12 61712]

=============== Created Last 30 ================

2010-01-26 22:13:48 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_3e4.dat
2010-01-26 20:38:01 553828 ---h--w- c:\winnt\ShellIconCache
2010-01-26 20:37:04 5760 ----a-w- c:\winnt\system32\vnchelp.dll
2010-01-26 20:37:04 4736 ----a-w- c:\winnt\system32\drivers\vncdrv.sys
2010-01-26 20:37:04 12800 ----a-w- c:\winnt\system32\vncdrv.dll
2010-01-26 20:37:02 0 d-----w- c:\program files\UltraVNC
2010-01-26 20:22:55 38912 ----a-w- c:\winnt\system32\11478.exe
2010-01-26 20:02:54 38912 ----a-w- c:\winnt\system32\15724.exe
2010-01-26 18:28:51 0 d-----w- C:\unzipped
2010-01-26 17:21:42 38912 ----a-w- c:\winnt\system32\6334.exe
2010-01-26 17:01:41 38912 ----a-w- c:\winnt\system32\18467.exe
2010-01-26 16:16:24 38912 ----a-w- c:\winnt\system32\41.exe
2010-01-26 16:16:12 1117184 ----a-w- c:\winnt\system32\IS15.exe
2010-01-26 16:16:05 25088 ----a-w- c:\winnt\system32\helper32.dll
2010-01-26 16:15:36 2931 ----a-w- c:\winnt\system32\warning.html
2010-01-26 16:11:28 1 ----a-w- C:\s
2010-01-26 16:11:23 26624 ----a-w- c:\winnt\system32\winlogon32.exe
2010-01-26 16:11:23 26624 ----a-w- c:\winnt\system32\smss32.exe

==================== Find3M ====================

2003-05-09 20:53:38 707 ----a-w- c:\program files\INSTALL.LOG
2001-12-12 23:56:00 271 ---h--w- c:\program files\desktop.ini
2001-12-12 23:56:00 21952 ---h--w- c:\program files\folder.htt
2001-05-08 18:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys
2007-04-19 13:39:52 1372966 --sh--w- c:\winnt\system32\jmllm.bak1

============= FINISH: 16:14:33.19 ===============


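As an added example (editor's code, not part of this thread, of DDS or of ComboFix): a small Python triage script that reads lines in the DDS "Pseudo HJT Report" format and flags the kinds of indicators visible in the log above: a replaced Userinit, unnamed BHOs, autorun entries that imitate core processes or carry random numeric names, the Task Manager and desktop lockdown policies, a non-standard Winsock LSP, Trusted Zone additions and Winlogon Notify DLLs. The sample lines are constructed from entries in the posted log; the KNOWN_LSP allowlist and the reason strings are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the "Pseudo HJT Report" format that DDS prints; the
# entries mirror the kinds of lines in the log posted above.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\winnt\system32\winlogon32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3f9d0c61-737d-44d1-bd80-91af857061cc} - c:\winnt\system32\fccawvu.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [smss32.exe] c:\winnt\system32\smss32.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
LSP: c:\winnt\system32\helper32.dll
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: winantivirus.com
Notify: fccawvu - fccawvu.dll
"""

# Standard Winsock providers on Windows 2000/XP (editor's allowlist, an
# assumption); any other DLL in the LSP chain sits in the path of every
# socket and deserves a look.
KNOWN_LSP = {"msafd.dll", "mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

# Policies rogue-AV droppers set to lock the wallpaper and keep the victim
# from killing the process.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools",
                     "NoSetActiveDesktop", "NoActiveDesktopChanges"}

# Core Windows process names that malware imitates with a numeric suffix.
CORE_PROCESSES = ("smss", "csrss", "winlogon", "lsass", "services", "svchost")

# Matches only BHO lines that carry no display name before the CLSID.
RE_UNNAMED_BHO = re.compile(r"^BHO:\s*\{[0-9a-f-]{36}\}\s*-\s*(.+)$", re.I)


def basename_win(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_exe_name(name: str) -> bool:
    """True for names like 41.exe / 18467.exe or smss32.exe / winlogon32.exe."""
    stem = name[:-4] if name.endswith(".exe") else name
    if stem.isdigit():
        return True
    m = re.match(r"^([a-z]+?)\d+$", stem)
    return bool(m and m.group(1) in CORE_PROCESSES)


def run_target(line: str) -> str:
    """Extract the launched path from a uRun/mRun/dRunOnce line."""
    rest = line.split("]", 1)[1].strip() if "]" in line else ""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: {'line': ..., 'reason': ...}."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reason = None
        if line.lower().startswith("mwinlogon: userinit="):
            target = line.split("=", 1)[1].strip().rstrip(",")
            if basename_win(target) != "userinit.exe":
                reason = "Userinit replaced; this file runs at every logon"
        elif line.startswith("BHO:"):
            m = RE_UNNAMED_BHO.match(line)
            if m:
                reason = "unnamed BHO loading " + basename_win(m.group(1).strip())
        elif re.match(r"^[umd]Run(Once)?:", line):
            target = run_target(line)
            if target and suspicious_exe_name(basename_win(target)):
                reason = "autorun target imitates a core process or is numeric"
        elif re.match(r"^[um]Policies-", line):
            m = re.search(r":\s*(\w+)\s*=\s*(\d+)", line)
            if m and m.group(1) in LOCKDOWN_POLICIES and m.group(2) != "0":
                reason = "lockdown policy %s is set" % m.group(1)
        elif line.startswith("LSP:"):
            if basename_win(line[4:].strip()) not in KNOWN_LSP:
                reason = "non-standard Winsock LSP"
        elif line.startswith("Trusted Zone:"):
            reason = "site in IE Trusted Zone; rogue-AV installers add their own"
        elif line.startswith("Notify:"):
            reason = "Winlogon Notify DLL runs inside winlogon.exe (verify it)"
        if reason:
            findings.append({"line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print("%-58s <- %s" % (f["reason"], f["line"]))
```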
#2 fenzodahl512

Posted 27 January 2010 - 07:35 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Christina8801 (Topic Starter)

Posted 27 January 2010 - 11:38 AM

ComboFix 10-01-26.06 - tboykin 01/27/2010 9:56.1.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.767.625 [GMT -6:00]
Running from: c:\documents and settings\tboykin\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
C:\s
C:\Thumbs.db
c:\winnt\AUTOLNCH.REG
c:\winnt\system32\11478.exe
c:\winnt\system32\15724.exe
c:\winnt\system32\18467.exe
c:\winnt\system32\26500.exe
c:\winnt\system32\41.exe
c:\winnt\system32\6334.exe
c:\winnt\system32\aphhpvii.ini
c:\winnt\system32\drivers\etc\lmhosts
c:\winnt\system32\helper32.dll
c:\winnt\system32\IS15.exe
c:\winnt\system32\jmllm.bak1
c:\winnt\system32\jmllm.ini
c:\winnt\system32\reboot.txt
c:\winnt\system32\SHELLLNK.TLB
c:\winnt\system32\spool\prtprocs\w32x86\00001add.tmp
c:\winnt\system32\spool\prtprocs\w32x86\000077d4.tmp
c:\winnt\system32\warning.html
c:\winnt\system32\winlogon32.exe
c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

Infected copy of c:\winnt\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\winnt\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 15:07 . 2010-01-27 15:07 -------- d-----w- c:\winnt\system32\0
2010-01-26 20:37 . 2005-06-11 04:02 12800 ----a-w- c:\winnt\system32\vncdrv.dll
2010-01-26 20:37 . 2004-06-26 19:22 4736 ----a-w- c:\winnt\system32\drivers\vncdrv.sys
2010-01-26 20:37 . 2004-06-26 19:21 5760 ----a-w- c:\winnt\system32\vnchelp.dll
2010-01-26 20:37 . 2010-01-26 20:37 -------- d-----w- c:\program files\UltraVNC
2010-01-26 18:28 . 2010-01-26 18:28 -------- d-----w- C:\unzipped

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2001-12-12 23:56 . 2001-12-12 23:55 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-27 01:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-06-02 1003520]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-05-29 122965]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-29 679936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-05-09 151597]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-11 98304]
"LXBTCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\candreatta\Start Menu\Programs\Startup\
POW!.lnk - c:\program files\AnalogX\POW\pow.exe [2001-12-14 78852]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SonicWALL VPN Client.lnk - c:\program files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe [2004-5-14 49204]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-1-26 106560]

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 3:38 PM 359103]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [5/14/2004 12:26 PM 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [5/14/2004 12:26 PM 112696]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 7:28 AM 24652]
R2 vnccom;vnccom;c:\winnt\system32\drivers\vnccom.SYS [3/30/2009 4:11 PM 6016]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [5/14/2004 12:24 PM 36188]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [12/12/2001 5:28 PM 61712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{79F436C2-3CA2-45A4-A52E-694B23DFFA88} - c:\program files\TweakIE 3.0\TweakIE.exe
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: sxload.net
TCP: {0217649F-7BFE-43EC-B4A3-2B5C60C27804} = 192.168.168.11
TCP: {A0B14302-985C-49B9-8E7B-83AAB47606D1} = 192.168.168.5,192.168.168.11
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
.
- - - - ORPHANS REMOVED - - - -

BHO-{C6351E77-BEE3-4052-8407-DE9AFD95E68E} - c:\winnt\system32\mllmj.dll
HKLM-Run-TweakIE Scheduler - (no file)
HKLM-Run-hpsjbmgr - c:\scanjet\PrecisionScanLT\hpsjbmgr.exe
HKLM-Run-OBi Server - (no file)
HKLM-Run-SpyHunter - (no file)
Notify-fccawvu - fccawvu.dll
Notify-mllmj - c:\winnt\system32\mllmj.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 10:33
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
hpsjbmgr = c:\scanjet\PrecisionScanLT\hpsjbmgr.exe????? +~???B?l?????+?(??????????????w????????,???????????????h???D?\|??W|????????L?@?p??? +~?????????????s???????????h???1n@???????B?an@???~???@?????s???`??? T@???????B?????????p???????h???I??????????? ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(184)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1220)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
c:\winnt\system32\LEXBCES.EXE
c:\winnt\system32\LEXPPS.EXE
c:\program files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\System32\mspmspsv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Lexmark 5200 series\lxbtbmon.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-01-27 10:37:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 16:37

Pre-Run: 132,464,640 bytes free
Post-Run: 7,383,007,232 bytes free

- - End Of File - - F122E4F7C40024C3B9E1E0782219D37E


#4 fenzodahl512

Posted 28 January 2010 - 06:57 AM

QUOTE
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


Run ComboFix once again and this time make sure you install Recovery Console.. Refer below for further information..

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 Christina8801 (Topic Starter)

Posted 28 January 2010 - 12:51 PM

It doesn't give me the option of installing the Recovery Console. I do, however, get the following error message when first starting up the program:

32788R22FWJFW\n.pif
Access to the specified path, drive...is not allowed.

Combo-Fix will continue to run even with the above message on the screen, but it goes straight from doing the registry backup to running through the scan...no Recovery Console mention at all.





#6 fenzodahl512

Posted 28 January 2010 - 01:46 PM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! If you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER



#7 Christina8801 (Topic Starter)

Posted 01 February 2010 - 10:31 AM

Finally! Boy, I had some trouble getting the GMER log saved... the computer kept locking up on me! Here you go.

Attached Files

  • GMER.txt (15.44KB)
  • OTS.Txt (142.22KB)


#8 fenzodahl512

Posted 02 February 2010 - 06:48 AM

Ok, delete your version of ComboFix >> download a fresh one from below.. Run it and post the log here..



#9 Christina8801 (Topic Starter)

Posted 02 February 2010 - 09:30 AM

Here it is. Again, it didn't ask me to install the Recovery Console:

ComboFix 10-02-01.03 - tboykin 02/02/2010 8:21.4.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.767.554 [GMT -6:00]
Running from: c:\documents and settings\tboykin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-02-02 14:21 . 2010-02-02 14:21 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_390.dat
2010-01-28 19:28 . 2010-01-28 19:28 -------- d-----w- c:\program files\ERUNT
2010-01-28 17:47 . 2010-01-28 17:47 -------- d-----w- C:\Combo-Fix30740C
2010-01-28 15:58 . 2010-01-28 15:58 -------- d-----w- C:\Combo-Fix24340C
2010-01-28 14:27 . 2010-01-28 14:27 -------- d-----w- C:\Combo-Fix
2010-01-27 15:07 . 2010-01-27 15:07 -------- d-----w- c:\winnt\system32\0
2010-01-26 20:37 . 2005-06-11 04:02 12800 ----a-w- c:\winnt\system32\vncdrv.dll
2010-01-26 20:37 . 2004-06-26 19:22 4736 ----a-w- c:\winnt\system32\drivers\vncdrv.sys
2010-01-26 20:37 . 2004-06-26 19:21 5760 ----a-w- c:\winnt\system32\vnchelp.dll
2010-01-26 20:37 . 2010-01-26 20:37 -------- d-----w- c:\program files\UltraVNC
2010-01-26 18:28 . 2010-01-26 18:28 -------- d-----w- C:\unzipped

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2001-12-12 23:56 . 2001-12-12 23:55 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-27 01:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-01-27_16.33.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-28 19:29 . 2010-01-28 19:29 151552 c:\winnt\ERDNT\1-28-2010\Users\00000002\UsrClass.dat
+ 2010-01-28 19:29 . 2005-10-20 18:02 163328 c:\winnt\ERDNT\1-28-2010\ERDNT.EXE
+ 2010-01-28 19:29 . 2010-01-28 19:29 5599232 c:\winnt\ERDNT\1-28-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6351E77-BEE3-4052-8407-DE9AFD95E68E}]
c:\winnt\system32\mllmj.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2006-06-02 1003520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-05-29 122965]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-05-29 679936]
"TweakIE Scheduler"="" [BU]
"hpsjbmgr"="c:\scanjet\PrecisionScanLT\hpsjbmgr.exe" [BU]
"OBi Server"="" [BU]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-05-09 151597]
"SpyHunter"="" [BU]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-11 98304]
"LXBTCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\candreatta\Start Menu\Programs\Startup\
POW!.lnk - c:\program files\AnalogX\POW\pow.exe [2001-12-14 78852]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SonicWALL VPN Client.lnk - c:\program files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe [2004-5-14 49204]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-1-26 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawvu]
fccawvu.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]
c:\winnt\system32\mllmj.dll [BU]

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 3:38 PM 359103]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [5/14/2004 12:26 PM 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [5/14/2004 12:26 PM 112696]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 7:28 AM 24652]
R2 vnccom;vnccom;c:\winnt\system32\drivers\vnccom.SYS [3/30/2009 4:11 PM 6016]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [5/14/2004 12:24 PM 36188]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [12/12/2001 5:28 PM 61712]

--- Other Services/Drivers In Memory ---

*Deregistered* - uxldipob
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{79F436C2-3CA2-45A4-A52E-694B23DFFA88} - c:\program files\TweakIE 3.0\TweakIE.exe
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: sxload.net
TCP: {0217649F-7BFE-43EC-B4A3-2B5C60C27804} = 192.168.168.11
TCP: {A0B14302-985C-49B9-8E7B-83AAB47606D1} = 192.168.168.5,192.168.168.11
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 08:26
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
hpsjbmgr = c:\scanjet\PrecisionScanLT\hpsjbmgr.exe????? +~???B?l?????+?(??????????????w????????,???????????????h???D?\|??W|????????L?@?p??? +~?????????????s???????????h???1n@???????B?an@???~???@?????s???`??? T@???????B?????????p???????h???I??????????? ????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(184)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1404)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2010-02-02 08:28:14
ComboFix-quarantined-files.txt 2010-02-02 14:28
ComboFix2.txt 2010-01-28 14:35
ComboFix3.txt 2010-01-27 16:37

Pre-Run: 7,360,446,464 bytes free
Post-Run: 7,359,545,344 bytes free

- - End Of File - - 1105F7B52F1C5713CDC60B358ED3A4A4


#10 Christina8801

Christina8801
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 02 February 2010 - 11:49 AM

I'm attaching the error message that I keep getting when I run Combo Fix. Not sure if it's why the Recovery Console won't come up for installation, but I thought I'd tell you about it just in case (if I haven't already).



#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 03 February 2010 - 07:59 AM

Ok, do you have the Windows 2000 cd? Thinking of replacing some files on your computer with the ones on the CD..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 Christina8801

Christina8801
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 03 February 2010 - 09:20 AM

Yes, I've got it.

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 03 February 2010 - 09:44 AM

Ok, insert the CD first and tell me if you can find these files under the CD's i386 folder

comres.dl_
mspmsnsv.dl_


If yes, please copy both files into your Desktop.. Please confirm with me that you successfully copied both files and we'll go from there

Edited by fenzodahl512, 03 February 2010 - 09:44 AM.



#14 Christina8801

Christina8801
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:08:27 AM

Posted 03 February 2010 - 09:56 AM

Neither of those files was on the CD.

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 03 February 2010 - 10:22 AM

Let's do this first..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

Rootkit::
c:\winnt\system32\mllmj.dll

DDS::
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: sxload.net

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6351E77-BEE3-4052-8407-DE9AFD95E68E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]

DirLook::
c:\winnt\system32\0


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

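As an added illustration (not the helper's own code and not part of ComboFix), a small Python parser that pulls the rogue-domain Trusted Zone entries and the Winlogon Notify keys out of a log excerpt like the one posted above and renders them in the CFScript DDS::/Registry:: layout used in this reply. The sample log is constructed from the thread's entries plus one benign domain, the rogue-domain list is the one in the post, and treating every listed Notify key as removable mirrors the helper's decision here rather than a general rule.

```python
import re

# Constructed excerpt modelled on the DDS/ComboFix log in this thread;
# "example.org" is a made-up benign entry to show that only known rogue
# domains are carried into the script.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawvu]
fccawvu.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]
c:\winnt\system32\mllmj.dll [BU]

*Deregistered* - uxldipob
Trusted Zone: errorprotector.com
Trusted Zone: winfixer.com
Trusted Zone: example.org
"""

# Rogue-antivirus domains the helper removed from the Trusted Zone above.
ROGUE_DOMAINS = {
    "errorprotector.com", "errorsafe.com", "systemdoctor.com",
    "winantivirus.com", "winfixer.com", "sxload.net",
}

# A Winlogon Notify subkey line, e.g. [HKEY_LOCAL_MACHINE\...\winlogon\notify\mllmj]
NOTIFY_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\[^\]\\]+)\]$", re.IGNORECASE)
TRUSTED = re.compile(r"^Trusted Zone:\s*(\S+)$")


def find_indicators(log: str) -> dict:
    """Collect Trusted Zone domains on the rogue list and every Winlogon Notify key in the log."""
    trusted, notify = [], []
    for line in log.splitlines():
        m = TRUSTED.match(line)
        if m and m.group(1).lower() in ROGUE_DOMAINS:
            trusted.append(m.group(1))
        m = NOTIFY_KEY.match(line)
        if m:
            notify.append(m.group(1))
    return {"trusted": trusted, "notify": notify}


def build_cfscript(ind: dict) -> str:
    """Render the DDS:: and Registry:: sections in the CFScript layout shown above."""
    parts = ["DDS::"] + [f"Trusted Zone: {d}" for d in ind["trusted"]]
    parts += ["", "Registry::"] + [f"[-{k}]" for k in ind["notify"]]  # leading '-' deletes the key
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_indicators(SAMPLE_LOG)))
```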




