
Exploit Phoenix Exploit Kit (type 1112)


This topic is locked
2 replies to this topic

#1 serenegold

serenegold

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:12 PM

Posted 26 July 2010 - 07:35 AM

My AVG Free has put the file in question in quarantine, but I haven't been able to delete it from there. I don't know what else may be active; I don't have much experience here.
I ran the progs suggested in this thread to others. Posted below.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 11:36:31.78 on Sat 07/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.161 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279627126453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
mASetup: {760B8973-48F7-40B2-B360-F7ABD8785E50} - rundll32.exe "c:\documents and settings\networkservice\application data\bitrix security\depto.dll", DllUnrer

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-16 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-17 135664]

=============== Created Last 30 ================

2010-07-23 17:14:04 0 d-----w- c:\docume~1\compaq~1\applic~1\Bitrix Security
2010-07-21 21:12:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-19 11:59:31 24960 ----a-r- c:\windows\system32\drivers\ATWPKT2.SYS
2010-07-19 11:59:27 33588 ----a-r- c:\windows\system32\drivers\wanatw4.sys
2010-07-18 16:42:48 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-18 16:42:45 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-18 16:42:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-18 16:42:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-18 15:35:19 0 d-----w- c:\windows\system32\CatRoot_bak
2010-07-17 18:25:48 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-07-17 18:24:59 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2010-07-17 18:24:58 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2010-07-17 18:22:29 28672 ------w- c:\windows\system32\verclsid.exe
2010-07-17 18:17:24 2181376 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-17 18:17:23 2137088 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-17 18:17:23 2058368 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-07-17 18:17:23 2016768 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-17 18:15:34 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-17 18:15:34 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-07-17 17:23:19 0 d-----w- c:\program files\common files\xing shared
2010-07-17 13:33:55 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-17 13:33:55 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-17 13:33:54 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-07-17 13:33:53 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-17 13:33:52 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-17 13:33:52 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-07-17 13:33:48 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-07-17 08:01:32 0 d-----w- c:\windows\system32\PreInstall
2010-07-16 23:37:27 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-16 23:37:20 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-16 23:06:27 0 d--h--w- C:\$AVG
2010-07-16 23:05:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 23:05:35 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 23:05:26 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-16 23:05:06 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-16 23:01:49 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-16 22:44:48 0 d-sh--r- C:\cmdcons
2010-07-16 22:44:14 0 d-----w- c:\windows\setupupd
2010-07-16 21:48:40 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-16 21:48:27 1858 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ED866AA-ABA SR1611NX NA540_YC_0Pres_QCNH543_E54NAheRED4_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.08_T050913_WXH2_L409_M447_J80_7AMD_8Sempron_91.79_#060309_N10EC8139_Z10573052_G10025954.MRK
2010-07-16 21:45:48 0 d-----w- c:\docume~1\compaq~1\applic~1\Intuit
2010-07-16 21:45:47 0 d-----w- c:\docume~1\compaq~1\applic~1\Symantec
2010-07-16 21:41:56 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-16 14:56:26 0 d--h--w- c:\windows\msdownld.tmp
2010-07-16 13:35:21 176766 ------w- c:\windows\hpwins19.dat.temp
2010-07-16 13:35:20 997 ------w- c:\windows\hpwmdl19.dat.temp
2010-07-14 18:02:05 0 d-sh--w- c:\documents and settings\compaq_owner\IECompatCache
2010-06-26 16:11:26 0 d-sh--w- c:\documents and settings\compaq_owner\PrivacIE
2010-06-26 16:00:54 0 d-sh--w- c:\documents and settings\compaq_owner\IETldCache
2010-06-26 14:41:56 0 d-sh--w- c:\documents and settings\compaq_owner\UserData
2010-06-26 13:54:52 0 d-----w- c:\docume~1\compaq~1\applic~1\HPQ
2010-06-25 21:05:50 0 d-----w- c:\docume~1\compaq~1\applic~1\WeatherBug
2010-06-25 19:09:58 0 d-----w- c:\windows\setup.pss
2010-06-25 18:46:25 0 d-----w- c:\docume~1\compaq~1\applic~1\AOL
2010-06-25 16:21:12 0 d-----w- c:\program files\ATT-HSI

==================== Find3M ====================

2010-07-17 17:22:21 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-17 17:22:21 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-14 14:30:28 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-10 16:50:45 162763 -c--a-w- c:\windows\hpoins28.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 10:41:53 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-05-06 10:41:52 611840 ------w- c:\windows\system32\dllcache\mstime.dll
2010-05-06 10:41:52 5950976 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-05-06 10:41:52 206848 ------w- c:\windows\system32\dllcache\occache.dll
2010-05-06 10:41:52 1209344 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-05-06 10:41:51 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-05-06 10:41:50 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-05-06 10:41:48 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\dllcache\win32k.sys
2007-09-01 18:28:50 1583 -c--a-w- c:\program files\qsetup.html
2006-04-12 01:23:04 26922 -c--a-w- c:\program files\moviepass Terms.html

============= FINISH: 11:37:31.09 ===============

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:12 PM

Posted 04 August 2010 - 08:21 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:12 PM

Posted 09 August 2010 - 06:16 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE