
Trojan Jupillites - Appears To Be Variant


This topic is locked
43 replies to this topic

#1 Lively

Lively

  • Members
  • 31 posts
  • Location:Virginia

Posted 30 October 2006 - 04:47 PM

Trojan Jupillites – Appears to be a variant.

I’ve run Panda, Ad-Aware and Spybot several times – they all come up clean now. Also ran in “safe” mode and manually removed malware in safe mode using the cmd prompt. Used BitDefender (it was running simultaneously with Panda, fixed that little conflict – but it keeps auto-loading so I need to remove it) and I have used all of the Avert Stingers that McAfee has to offer. I also ran CWShredder, had three instances of that as well.

What I know about the Trojan: it’s relatively new, found on Oct. 13, 2006. Norton is supposed to catch it (the laptop was running Norton at the time of the breach on Oct. 24th) but it appears to be a variant. I found it accidentally; it had edited the Device Manager registry, I was getting a “Found New Hardware” message, and there is no new hardware on the machine. I did manually delete several .exe and .dll files that are associated with the Trojan, but it still seems to be running. On every reboot, something tries to connect to the internet, so I’ve kept it offline for the last few days.

The Registry entry it created is: ROOT\LEGACY_MZU_RK\0000

I’m not unfamiliar with removing malware from a system, but I normally run HijackThis on a system before it goes bad and kick the acceptable things into the “ignore” list; it makes life so much easier. But this isn’t my laptop. I hope someone can help, I really don’t want to have to send this laptop to the IT dept, it’ll be weeks before they send it back!




Logfile of HijackThis v1.99.1
Scan saved at 3:46:46 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Security Software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Deleted Info
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ywpqdsy.exe
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C47C53F-9C01-4567-96C6-9EE84E173D54}: NameServer = Deleted Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: Domain = Deleted Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: NameServer = Deleted Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: Domain = Deleted Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: NameServer = Deleted Info
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = Deleted Info
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\3339_32.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: IEFilter - {AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\system32\llmmg.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Better to remain silent and be thought a fool than to speak out and remove all doubt - Abe Lincoln
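
Added example (not from the thread and not HijackThis code): a small Python triage pass over the HijackThis entry types that the helpers act on in this thread, run over lines copied from the log above. The Finding class, the "high"/"verify" labels and the stray-quote check on O23 paths are my own conventions.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O23"
    severity: str   # "high" = act on it, "verify" = confirm by hand first
    detail: str


# Every HijackThis entry line looks like "<tag> - <body>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Yield (tag, body) for each entry line; the process list and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return the findings a reviewer would raise for the persistence entries in the log."""
    findings = []
    for tag, body in parse_entries(log_text):
        if tag == "F2" and "UserInit=" in body:
            # Winlogon launches every comma-separated program in UserInit;
            # only userinit.exe itself belongs there.
            programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            for extra in programs[1:]:
                findings.append(Finding("F2", "high", f"extra UserInit program: {extra}"))
        elif tag == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:
                # Anything listed here is loaded into every process that loads user32.dll.
                findings.append(Finding("O20", "high", f"AppInit_DLLs loads {dll}"))
        elif tag == "O21" and ("(file missing)" in body or "(no file)" in body):
            name = body.split(" - ")[0].replace("SSODL: ", "", 1)
            findings.append(Finding("O21", "high",
                                    f"ShellServiceObjectDelayLoad entry with no backing file: {name}"))
        elif tag == "O23" and "Unknown owner" in body and "(file missing)" in body:
            name, _owner, path = body.split(" - ", 2)
            name = name.replace("Service: ", "", 1)
            if '"' in path:
                # The path fragment still carries a stray quote and an argument (e.g. /service),
                # so the "file missing" verdict may be a parsing artefact; re-check by hand.
                findings.append(Finding("O23", "verify",
                                        f"service {name}: quoted path with arguments, confirm the missing-file verdict manually"))
            else:
                binary = path.replace(" (file missing)", "")
                findings.append(Finding("O23", "high", f"service {name} points at missing binary {binary}"))
    return findings


def report(findings):
    """Render findings one per line, highest severity first."""
    order = {"high": 0, "verify": 1}
    rows = sorted(findings, key=lambda f: (order[f.severity], f.section))
    return "\n".join(f"[{f.severity:6}] {f.section:3} {f.detail}" for f in rows)


# Lines copied from the first HijackThis log in this thread. The O4 and Altiris
# O23 lines are benign controls that must not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ywpqdsy.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\3339_32.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: IEFilter - {AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\system32\llmmg.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Feed it a full log rather than the excerpt and it will also pick up entries the excerpt does not contain; the sections it does not understand are simply passed over.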


#2 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 30 October 2006 - 05:33 PM

Welcome back to Bleeping Computer, Lively.

1. Download this file:
combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by stonangel, 30 October 2006 - 05:34 PM.


Olivier

#3 Lively

Lively
  • Topic Starter
  • Members
  • 31 posts
  • Location:Virginia

Posted 31 October 2006 - 08:13 AM

As requested, and thank you!


FRICOVSKY - 06-10-31 7:59:54.67 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Security Software"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


2006-10-25 20:39 593,811 ---hs---- C:\WINDOWS\system32\cbeeg.bak2
2006-10-25 10:37 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-25 08:56 529,658 ---hs---- C:\WINDOWS\system32\cbeeg.ini2
2006-10-24 23:27 131,072 --a------ C:\WINDOWS\system32\rkupginstaller.exe
2006-10-24 20:38 528,536 ---hs---- C:\WINDOWS\system32\cbeeg.bak1
2006-10-24 20:36 688,180 ---hs---- C:\WINDOWS\system32\geebc.dll
2006-10-24 20:25 3,584 -r-hs---- C:\WINDOWS\system32\z222775263140.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-31 08:00 -------- d-------- C:\Program Files\Common Files
2006-10-30 11:28 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-30 09:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-27 11:10 -------- d-------- C:\Program Files\Softwin
2006-10-27 11:10 -------- d-------- C:\Program Files\Common Files\Softwin
2006-10-27 08:07 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 08:05 -------- d-------- C:\Program Files\GhostSurf 2005
2006-10-26 19:20 -------- d-------- C:\Program Files\Internet Explorer
2006-10-26 19:16 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 19:16 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 17:06 -------- d-------- C:\Program Files\QuickTime
2006-10-26 15:17 -------- d-------- C:\Program Files\WinZip
2006-10-26 15:11 -------- d-------- C:\Program Files\ItsDeductible2005
2006-10-26 15:09 -------- d-------- C:\Program Files\HPQ
2006-10-26 15:08 -------- d-------- C:\Program Files\Kodak
2006-10-26 13:25 -------- d-------- C:\Program Files\InterMute
2006-10-26 09:14 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Lavasoft
2006-10-25 13:40 -------- d-------- C:\Documents and Settings\STAFF\Application Data\AdobeUM
2006-10-25 10:36 -------- d-------- C:\Program Files\Panda Software
2006-10-25 10:33 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Symantec
2006-10-25 08:50 -------- d-------- C:\Program Files\TurboTax
2006-10-24 20:35 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Microsoft
2006-09-29 05:11 2401 --a------ C:\WINDOWS\system32\drivers\AlKernel.sys
2006-09-22 09:38 53248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 09:36 53248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AClntUsr"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,b7,00,00,00,00,00,00,00,de,02,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"="DCOM Server 2234"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 3339"="{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"IEFilter"="{AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqqo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-31 8:02:06.40
C:\ComboFix.txt ... 06-10-31 08:02

#4 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 31 October 2006 - 08:42 AM

Hi Lively,

* Please keep only one antivirus program at a time on your computer.

* Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\cbeeg.bak2
    C:\WINDOWS\system32\cbeeg.ini2
    C:\WINDOWS\system32\rkupginstaller.exe
    C:\WINDOWS\system32\cbeeg.bak1
    C:\WINDOWS\system32\geebc.dll
    C:\WINDOWS\system32\z222775263140.exe
    C:\WINDOWS\109uninst.exe
    C:\WINDOWS\uni_7eh.exe
    C:\WINDOWS\system32\ywpqdsy.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Post back a new hijackthis log, please.
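
Added example (not from the thread, Killbox or Microsoft): how the "Delete on Reboot" step above is carried out. Killbox queues each path into the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the Session Manager processes early in the next boot, before ordinary programs run; the "Pending File Rename Operation Registry Data has been removed" message reported in the next reply refers to that value. The decoder below reads the value the way Windows does, in (source, destination) pairs; the sample value and the SET1234.tmp / example.dll names are constructed.

```python
import sys
from dataclasses import dataclass

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


@dataclass
class PendingOp:
    action: str        # "delete", "rename" or "replace"
    source: str        # Win32 path, NT object-manager prefix removed
    destination: str   # empty for delete


def strip_nt_prefix(path):
    """Drop the NT object-manager prefix the value stores so paths read as Win32 paths."""
    return path[4:] if path.startswith("\\??\\") else path


def decode_pending_ops(strings):
    """Decode the REG_MULTI_SZ list exactly as the Session Manager reads it: in pairs.

    (source, "")       -> delete source at boot
    (source, "!dest")  -> move source over dest, replacing it (MOVEFILE_REPLACE_EXISTING)
    (source, dest)     -> move source to dest
    A trailing empty string left over from the multi-string terminator is tolerated.
    """
    items = list(strings)
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()
    if len(items) % 2:
        raise ValueError(f"{VALUE_NAME} has an odd number of strings; value is corrupt")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", strip_nt_prefix(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", strip_nt_prefix(src), strip_nt_prefix(dst[1:])))
        else:
            ops.append(PendingOp("rename", strip_nt_prefix(src), strip_nt_prefix(dst)))
    return ops


def read_live_value():
    """Read the real value on Windows; return None on other platforms, [] if nothing is queued."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else None


def describe(ops):
    """One human-readable line per queued operation."""
    lines = []
    for op in ops:
        if op.action == "delete":
            lines.append(f"delete  {op.source}")
        else:
            lines.append(f"{op.action:7} {op.source} -> {op.destination}")
    return lines


# Constructed sample: the shape the value takes after a tool queues two of the
# files from the Killbox list above for deletion, plus one constructed
# replace-on-boot pair (SET1234.tmp and example.dll are not from the thread).
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\ywpqdsy.exe", "",
    r"\??\C:\WINDOWS\system32\geebc.dll", "",
    r"\??\C:\WINDOWS\system32\SET1234.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
    "",  # multi-string terminator
]

if __name__ == "__main__":
    live = read_live_value()
    ops = decode_pending_ops(live if live is not None else SAMPLE_VALUE)
    print("\n".join(describe(ops)) or "nothing queued")
```

Run on Windows as an administrator it lists what is actually queued for the next boot, which is the quickest way to confirm a Delete-on-Reboot request survived until you restart.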

#5 Lively

Lively
  • Topic Starter
  • Members
  • 31 posts
  • Location:Virginia

Posted 31 October 2006 - 09:26 AM

New HijackThis log. I did get "Pending File Rename Operation Registry Data has been removed by External Process".

Keyboard is sluggish and the Device Manager is still showing the "unknown" device; properties show the Instance ID as ROOT/LEGACY_MZU_RK/0000.

I don't run the two anti-virus programs together; I keep meaning to remove BitDefender and I will after this post - my "hail mary" hoping that some program out there could remove the trojan :-)


Logfile of HijackThis v1.99.1
Scan saved at 9:09:04 AM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\Security Software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ywpqdsy.exe
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C47C53F-9C01-4567-96C6-9EE84E173D54}: NameServer = DelInfo
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: Domain = DelInfo
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: NameServer = Del Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: Domain = Del Info
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: NameServer = Del Info
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = Del Info
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\3339_32.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: IEFilter - {AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\system32\llmmg.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#6 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 31 October 2006 - 09:59 AM

Hi Lively,

Could you please give us more information about this program VSAdd-in as it was not showing in your previous log?

#7 Lively

Lively
  • Topic Starter
  • Members
  • 31 posts
  • Location:Virginia

Posted 31 October 2006 - 10:29 AM

VSAdd-in was created today at 8:59; the time corresponds with a pop-up I got when I put the laptop online. I just did a search of all files created today, and it's reinfected with all sorts of garbage. I think that until I (we) are able to disable Jupillites, it's open for attack.

I did remove Bit-ware.

I'm thinking I should disable this phantom device, try and edit the registry? I've never heard of, nor can I find anything about a Trojan (or any other virus for that matter) disguising itself as hardware.

#8 stonangel

stonangel

  • Members
  • 595 posts
  • Location:France

Posted 31 October 2006 - 10:37 AM

Thanks Lively

Let's go ahead.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\ywpqdsy.exe
c:\windows\system32\ldcore.dll
C:\WINDOWS\system32\Service.exe

Folders to delete:
C:\Program Files\VSAdd-in

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqqo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log and a new combofix by using Add/Reply

Edited by stonangel, 31 October 2006 - 10:38 AM.


#9 Lively

Lively
  • Topic Starter
  • Members
  • 31 posts
  • Location:Virginia

Posted 31 October 2006 - 12:00 PM

First attempt of Avenger was aborted; on the second attempt I took the laptop offline and that time it did not encounter any errors. The log is below – but it only booted once, and no device was removed. After the reboot, it started looking for the drivers for the unknown device. I went into the Device Manager and disabled it and rebooted the system; it stayed disabled. Ran ComboFix and HijackThis; logs are below.



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmokptsi

*******************

Script file located at: \??\C:\WINDOWS\system32\jivotvfo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\ywpqdsy.exe not found!
Deletion of file C:\WINDOWS\system32\ywpqdsy.exe failed!

Could not process line:
C:\WINDOWS\system32\ywpqdsy.exe
Status: 0xc0000034



File c:\windows\system32\ldcore.dll not found!
Deletion of file c:\windows\system32\ldcore.dll failed!

Could not process line:
c:\windows\system32\ldcore.dll
Status: 0xc0000034



File C:\WINDOWS\system32\Service.exe not found!
Deletion of file C:\WINDOWS\system32\Service.exe failed!

Could not process line:
C:\WINDOWS\system32\Service.exe
Status: 0xc0000034

Folder C:\Program Files\VSAdd-in deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqqo deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


FRICOVSKY - 06-10-31 11:37:54.75 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Security Software"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


2006-10-31 08:59 60,436 --a------ C:\WINDOWS\system32\eeswcwpv.dll
2006-10-31 08:59 110,612 --a------ C:\WINDOWS\system32\pohmngyr.exe
2006-10-25 20:39 594,954 ---hs---- C:\WINDOWS\system32\cbeeg.bak2
2006-10-25 10:37 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-25 08:56 594,487 ---hs---- C:\WINDOWS\system32\cbeeg.ini2
2006-10-24 23:27 131,072 --------- C:\WINDOWS\system32\rkupginstaller.exe
2006-10-24 20:38 528,536 --------- C:\WINDOWS\system32\cbeeg.bak1
2006-10-24 20:36 688,180 --------- C:\WINDOWS\system32\geebc.dll
2006-10-24 20:25 3,584 --------- C:\WINDOWS\system32\z222775263140.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-31 09:26 -------- d-------- C:\Program Files\Common Files\Softwin
2006-10-31 08:59 -------- d-------- C:\Documents and Settings\STAFF\Application Data\SearchToolbarCorp
2006-10-31 08:00 -------- d-------- C:\Program Files\Common Files
2006-10-30 11:28 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-30 09:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-27 08:07 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 08:05 -------- d-------- C:\Program Files\GhostSurf 2005
2006-10-26 19:20 -------- d-------- C:\Program Files\Internet Explorer
2006-10-26 19:16 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 19:16 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 17:06 -------- d-------- C:\Program Files\QuickTime
2006-10-26 15:17 -------- d-------- C:\Program Files\WinZip
2006-10-26 15:11 -------- d-------- C:\Program Files\ItsDeductible2005
2006-10-26 15:09 -------- d-------- C:\Program Files\HPQ
2006-10-26 15:08 -------- d-------- C:\Program Files\Kodak
2006-10-26 13:25 -------- d-------- C:\Program Files\InterMute
2006-10-26 09:14 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Lavasoft
2006-10-25 13:40 -------- d-------- C:\Documents and Settings\STAFF\Application Data\AdobeUM
2006-10-25 10:36 -------- d-------- C:\Program Files\Panda Software
2006-10-25 10:33 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Symantec
2006-10-25 08:50 -------- d-------- C:\Program Files\TurboTax
2006-10-24 20:35 -------- d-------- C:\Documents and Settings\STAFF\Application Data\Microsoft
2006-09-29 05:11 2401 --a------ C:\WINDOWS\system32\drivers\AlKernel.sys
2006-09-22 09:38 53248 --------- C:\WINDOWS\109uninst.exe
2006-09-22 09:36 53248 --------- C:\WINDOWS\uni_7eh.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AClntUsr"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,b7,00,00,00,00,00,00,00,de,02,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"="DCOM Server 2234"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 3339"="{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"IEFilter"="{AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-31 11:40:01.14
C:\ComboFix.txt ... 06-10-31 11:40
C:\ComboFix2.txt ... 06-10-31 08:02


Logfile of HijackThis v1.99.1
Scan saved at 11:49:46 AM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Security Software\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ywpqdsy.exe
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C47C53F-9C01-4567-96C6-9EE84E173D54}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE462338-6458-402B-A3B6-4F28248E50D0}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{F156A6E3-1729-49D4-814D-A145D535BB96}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\3339_32.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: IEFilter - {AE0289E2-FBF4-4978-BCB8-A64B53AC3BD1} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\system32\llmmg.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
Better to remain silent and be thought a fool than to speak out and remove all doubt - Abe Lincoln
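As an added example, not part of this thread or of HijackThis itself: a small Python triage script for lines in the HijackThis log format shown above. It flags the load points a helper checks first (a second program chained to UserInit, a non-empty AppInit_DLLs, toolbar or SSODL entries whose DLL is absent, and services with an unknown owner and a missing binary). The sample lines are copied from the log in this post; the flagging rules are my own heuristic, not HijackThis logic.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ywpqdsy.exe",
    r"O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)",
    r'O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s',
    r"O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll",
    r"O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\3339_32.dll (file missing)",
    r"O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)",
    r"O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe (file missing)",
    r"O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe",
]

ENTRY = re.compile(r"^([FRO]\d+) - (.*)$")  # HijackThis entries look like "O21 - ..."

def parse_line(line):
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(lines):
    """Heuristic triage (my own rules, not HijackThis logic): returns (section, reason) pairs."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = None
        if section == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated program here; only userinit.exe belongs.
            progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
            extras = [p for p in progs if p and not p.lower().endswith("userinit.exe")]
            if extras:
                reason = "extra program chained to UserInit: " + ", ".join(extras)
        elif section == "O20" and "AppInit_DLLs:" in body:
            # Any DLL listed here is loaded into every process that loads user32.dll.
            value = body.split("AppInit_DLLs:", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs is set: " + value
        elif section in ("O3", "O21") and ("(file missing)" in body or "(no file)" in body):
            # Orphaned load point: the file is already gone, the registry entry is not.
            reason = "load point whose file is absent"
        elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            reason = "service with unknown owner and missing binary"
        if reason:
            findings.append((section, reason))
    return findings
```

Calling triage(SAMPLE_LOG) returns one finding per flagged line; the O4 Panda entry and the legitimate Panda service pass untouched, which is the point of keeping the rules narrow.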

#10 Lively
Posted 31 October 2006 - 01:01 PM

If I'm reading the logs right, we're taking one step forward and five steps back every time I connect to the internet. If we have to get a bit :thumbsup: and take a risk or two to remove this, I've got the go ahead - there isn't anything on the computer that is critical.

#11 stonangel
Posted 31 October 2006 - 01:23 PM

Hi Lively,

It's strange...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new hijackthis log, please.


Olivier

#12 Lively

Lively
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Location:Virginia
  • Local time:09:35 AM

Posted 31 October 2006 - 01:44 PM

Nix below - Security settings were disallowing, reset them. But the part about the partially hijacked page is still impt.

Most peculiar, Mama!

Okay, I made sure that all the pop-up blockers were disabled but I can't run Kaspersky Online Scanner. I tried from my computer and it came up just fine. As a matter of fact the page was partially hijacked. This is going to blow your mind (wish I had the presence of mind to have captured it as a screenshot): it only hijacked the menu on the left of the page to "WinAntiVirus" or something similar, there was no discernible url change.

Weren't you bored with all the same-old same-old malware issues? Seems like someone with far too much time on his hands had himself a bit of fun.

Edited by Lively, 31 October 2006 - 01:56 PM.


#13 stonangel
Posted 31 October 2006 - 05:49 PM

Hi Lively,

* Please download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

Olivier

#14 Lively
Posted 01 November 2006 - 09:32 AM

Sorry, basically had to start over again. Just being online the short time needed to post logs riddled the machine with more problems. But, the interesting things I've found out about this Malware:

None of the programs were able to remove the VSAdd-in, I went in and removed it in safe mode from the cmd prompt, it is gone now. Also had to do the same for eeswcwpv.dll.

The two really baffling things this has done, it created an entire new profile called "LocalService." And, when I was trying to remove the geebc.dll manually, and in safe mode, it would not allow me - because it was running!

If for nothing else, this is an extreme learning experience.

Will post again - soon I hope - with as clean as I can get logs.

#15 stonangel
Posted 01 November 2006 - 09:44 AM

Hi Lively,

* Could you post back a fresh hijackthis log, please?

Olivier



