generic17.bkcs and spamtool.fys


This topic is locked
2 replies to this topic

#1 colin smith

  • Members
  • 1 posts

Posted 01 June 2010 - 03:26 PM

Hi There,

Please can you help ?

I am running AVG 9 and when this scans I find the following trojans: generic17.bkcs and spamtool.fys.
All the internet services have stopped and I can't see my LAN card (TCP/IP and DHCP client etc.).
I have tried starting in safe mode and running Malwarebytes, to no avail.
I still can't connect to the web and I can't start the network services.
I am running Windows XP Media Centre Edition SP3.
I know it's not correct, but I read other threads on this subject on this website and have downloaded and run ComboFix (out of pure frustration).

Here is the text from the log file. I would be so grateful for any help.

ComboFix 10-06-01.01 - Colin F. Smith 01/06/2010 21:13:20.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1664 [GMT 1:00]
Running from: c:\documents and settings\Colin F. Smith\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 20:07 . 2009-11-07 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-01 20:02 . 2010-06-01 20:01 -------- d-----w- c:\program files\Registry Easy
2010-05-26 20:37 . 2010-05-26 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-26 20:37 . 2010-05-26 20:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-26 20:37 . 2010-05-26 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-05-26 20:37 . 2010-05-26 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-26 20:24 . 2010-05-08 20:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-26 20:00 . 2010-05-26 20:00 -------- d-----w- c:\documents and settings\Colin F. Smith\Application Data\Malwarebytes
2010-05-26 20:00 . 2010-05-26 20:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 20:00 . 2010-05-26 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-26 19:46 . 2010-05-26 19:39 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 19:46 . 2010-05-26 19:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 19:39 . 2010-05-26 19:39 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 19:39 . 2010-05-26 19:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-26 19:34 . 2010-05-26 19:34 63488 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 19:34 . 2010-05-26 19:34 52224 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 19:34 . 2010-05-26 19:34 117760 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 19:33 . 2010-05-26 19:33 -------- d-----w- c:\documents and settings\Colin F. Smith\Application Data\SUPERAntiSpyware.com
2010-05-26 19:33 . 2010-05-26 19:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-26 19:04 . 2007-05-02 05:50 -------- d-----w- c:\program files\Google
2010-05-26 18:11 . 2010-05-26 18:11 -------- d-----w- c:\program files\Belkin
2010-05-26 18:11 . 2006-04-22 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 08:03 . 2006-04-22 14:35 -------- d-----w- c:\program files\Modem Helper
2010-05-11 16:25 . 2010-05-12 06:41 3299328 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2010-05-11 14:19 . 2006-05-01 08:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-11 07:56 . 2007-06-25 17:21 77827983 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-05-11 06:17 . 2006-04-28 09:17 -------- d-----w- c:\program files\Dl_cats
2010-05-10 16:56 . 2010-05-11 06:16 3442176 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2010-05-08 21:07 . 2007-05-09 22:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-08 20:05 . 2010-05-08 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-29 14:39 . 2010-05-26 20:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-05-26 20:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 09:22 . 2010-04-22 11:35 4641792 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2010-04-21 20:46 . 2010-04-21 20:46 82697 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_04_21_21_28_10_small.dmp.zip
2010-03-26 09:33 . 2010-04-11 10:14 1496064 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 09:33 . 2010-04-11 10:14 43008 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 09:33 . 2010-04-11 10:14 339456 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 09:32 . 2010-04-11 10:14 346112 ----a-w- c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-10 06:15 . 2005-08-16 03:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2006-05-07 20:33 . 2006-05-05 12:14 88 --sh--r- c:\windows\system32\74CFFA2F08.sys
2006-05-07 20:33 . 2006-05-05 12:14 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-10 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

c:\windows\System32\drivers\ndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 73728]

c:\documents and settings\Jane Smith\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2005-8-16 60416]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HostingClientShortcut.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HostingClientShortcut.lnk
backup=c:\windows\pss\HostingClientShortcut.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Colin F. Smith^Start Menu^Programs^Startup^Outlook Express.lnk]
path=c:\documents and settings\Colin F. Smith\Start Menu\Programs\Startup\Outlook Express.lnk
backup=c:\windows\pss\Outlook Express.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-427]
2008-07-14 05:09 351480 ----a-w- c:\progra~1\Comodo\CBOClean\BOC427.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 06:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 04:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
2005-10-20 18:40 430080 ----a-w- c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 13:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-14 12:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-14 12:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-14 12:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 09:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 09:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2006-02-06 18:52 462935 ----a-w- c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-12 18:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-04-22 14:40 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-08 17:41 2828184 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 16:48 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-06 16:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-17 19:46 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2005-08-31 17:11 2478080 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 16:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-02-15 23:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 68168]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [24/12/2008 12:32 73464]
S1 bxvgrgfy;bxvgrgfy;\??\c:\windows\system32\drivers\bxvgrgfy.sys --> c:\windows\system32\drivers\bxvgrgfy.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newsnow.co.uk/h/Sport/Football/League+One/Colchester+United
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.newsnow.co.uk/h/Sport/Football/League+One/Colchester+United
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\Colin F. Smith\Application Data\Mozilla\Firefox\Profiles\ov0v6378.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-01 21:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(324)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-01 21:26:42
ComboFix-quarantined-files.txt 2010-06-01 20:26
ComboFix2.txt 2010-06-01 19:52
ComboFix3.txt 2010-06-01 19:37
ComboFix4.txt 2010-06-01 19:10

Pre-Run: 57,160,445,952 bytes free
Post-Run: 57,127,743,488 bytes free

- - End Of File - - CB4BAF0888C843E1F2A9ADA33B6D8A9B



#2 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 June 2010 - 07:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 June 2010 - 08:01 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
