
Malware?


This topic is locked
6 replies to this topic

#1 Farmer62



Posted 22 April 2007 - 09:09 PM

Hi. My first post. Maybe someone can tell me how to get rid of whatever I have.
It has taken the IE7 homepage over. I can browse, but can't change the homepage.
Logfile of HijackThis v1.99.1
Scan saved at 8:59:00 PM, on 4/22/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\SysWOW64\ctfmon.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files (x86)\ATI Technologies\ATI.ACE\CLI.EXE
D:\Program Files (x86)\QuickTime\qttask.exe
D:\Program Files (x86)\iTunes\iTunesHelper.exe
D:\WINDOWS\SysWOW64\CTSvcCDA.EXE
D:\Program Files (x86)\iPod\bin\iPodService.exe
D:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - D:\Program Files (x86)\Video AX Object\bpvol.dll
O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - D:\Program Files (x86)\Video AX Object\splug.dll
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files (x86)\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files (x86)\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] D:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IATIACA.EXE /FU "D:\WINDOWS\TEMP\E_S96.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files (x86)\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files (x86)\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175365298015
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62A15133-EF6F-426E-AE2E-66BC3FF32924}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: dimsntfy - D:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - D:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2saag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - D:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - D:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - D:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - D:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - D:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - D:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - D:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - D:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - D:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - D:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Thanks all
farmer62
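A small triage script for HijackThis v1.99.1 log lines of the kind posted above, added here as an example (it is not a tool from this thread or from BleepingComputer). The sample input copies lines from the log above plus one constructed R1 line; the trusted-folder allowlist, the allowed page host and all function names are my own assumptions.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not from the thread).

Parses R0/R1, O2, O3 and O23 lines and flags the items a helper looks at first:
browser start/search pages pointing off an allowed host, BHOs and toolbars loaded
from folders outside an operator-kept allowlist, and services whose binary the
scanner reported "(file missing)".  Findings are items to verify, not verdicts.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the log posted in this thread, plus one
# constructed R1 line (search.example.net) to exercise the page-host rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - D:\Program Files (x86)\Video AX Object\bpvol.dll
O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - D:\Program Files (x86)\Video AX Object\splug.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files (x86)\iPod\bin\iPodService.exe
"""

# Assumption: the operator maintains this list of vendor folders they recognise.
TRUSTED_PATH_FRAGMENTS = (
    r"\Common Files\Adobe\Acrobat\ActiveX",
    r"\Java\jre",
    r"\Spybot - Search & Destroy",
)
ALLOWED_PAGE_HOSTS = {"go.microsoft.com"}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# The module path is the first ' - X:\...' in the body.  Splitting on ' - ' is not
# safe because folder names such as 'Spybot - Search & Destroy' contain it.
PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.*?)(?: \(file missing\))?$")


@dataclass
class Finding:
    code: str
    reason: str
    detail: str


def module_path(body: str) -> str:
    """Return the drive-letter path at the end of an O2/O3/O23 body ('' if none)."""
    m = PATH_RE.search(body)
    return m.group("path") if m else ""


def triage_hijackthis(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_PAGE_HOSTS:
                findings.append(Finding(code, "browser page points off allowed host", url))
        elif code in ("O2", "O3"):
            path = module_path(body)
            if not any(f.lower() in path.lower() for f in TRUSTED_PATH_FRAGMENTS):
                findings.append(Finding(code, "BHO/toolbar loaded from unlisted folder", path))
        elif code == "O23" and body.endswith("(file missing)"):
            # On a 64-bit Windows the 32-bit HijackThis 1.99.1 is subject to file system
            # redirection and commonly reports system32 service binaries as missing, so
            # this is a "check on disk" item rather than evidence of infection.
            findings.append(Finding(code, "service binary reported missing; verify on disk",
                                    module_path(body)))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}: {f.detail}")
```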

#2 Buckeye_Sam


    Malware Expert



Posted 23 April 2007 - 07:10 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Farmer62


Posted 24 April 2007 - 08:26 AM

Thanks Sam. This is the report:

SmitFraudFix v2.171

Scan done at 8:13:41.40, Tue 04/24/2007
Run from C:\Documents and Settings\Larry Womble\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Larry Womble


C:\Documents and Settings\Larry Womble\Application Data


Start Menu


C:\DOCUME~1\LARRYW~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13C70B95-DBAB-43BF-BCE5-FE597C171E0E}: NameServer=68.94.156.1,68.94.157.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{73AB21E4-E8A3-4758-8972-1C47B3DCA285}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13C70B95-DBAB-43BF-BCE5-FE597C171E0E}: NameServer=68.94.156.1,68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73AB21E4-E8A3-4758-8972-1C47B3DCA285}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{13C70B95-DBAB-43BF-BCE5-FE597C171E0E}: NameServer=68.94.156.1,68.94.157.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{73AB21E4-E8A3-4758-8972-1C47B3DCA285}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


Scanning for wininet.dll infection


End

Thanks

Farmer

#4 Buckeye_Sam


    Malware Expert



Posted 24 April 2007 - 08:02 PM

Well that doesn't look too bad. Let's take a look at another log.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#5 Farmer62


Posted 25 April 2007 - 09:25 AM

Hi Sam
Here is the log requested. It returned 2:

07-03-29 22:48	  12800	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\{34258~1\UnInstall.exe.vir
07-03-29 22:50	  12288	--a------	C:\Qoobox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir
07-04-21 10:48	  98816	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\WinFlyer32.dll.vir
07-04-21 11:21	  19720	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\dplk32.dll.vir
07-04-24 22:55	  2188	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Client IP-IPX.reg.cf
07-04-24 22:55	  854	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CLIENT_IP-IPX.reg.cf
07-04-24 22:55	  870	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf


Folder PATH listing
Volume serial number is B425-8AD8
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |   +---Common Files
	|   |   |   \---{34258~1
	|   |   |		   UnInstall.exe.vir
	|   |   |		   
	|   |   \---Ipwindows
	|   |		   UnInstall.exe.vir
	|   |		   
	|   \---WINDOWS
	|	   \---system32
	|			   dplk32.dll.vir
	|			   WinFlyer32.dll.vir
	|			   
	\---Registry_backups
			LEGACY_CLIENT_IP-IPX.reg.cf
			LEGACY_NETWORK_MONITOR.reg.cf
			services_Client IP-IPX.reg.cf

The second:

"Larry Womble" - 07-04-24 22:52:48 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Larry Womble\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\WinFlyer32.dll
C:\WINDOWS\system32\dplk32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\Common Files\{34258~1\UnInstall.exe
C:\Program Files\ipwindows
C:\Program Files\Common Files\{34258~1
C:\Program Files\Common Files\{B4258~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-03-24 to 2007-04-24 ))))))))))))))))))))))))))))))))))


2007-04-24 08:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-24 08:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-24 08:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-24 08:08 872,930 --a------ C:\SmitfraudFix.exe
2007-04-24 07:59 <DIR> d-------- C:\WINDOWS\SmitfraudFix
2007-04-22 11:49 3,276 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-21 11:21 26,754 --a------ C:\WINDOWS\system32\ssqrs.exe
2007-04-21 10:48 8,305 --a------ C:\WINDOWS\system32\ddcccbb.dll
2007-04-21 09:00 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-04-21 08:59 <DIR> d-------- C:\ATI
2007-04-21 08:36 <DIR> d-------- C:\Program Files\ATI Technologies
2007-03-30 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Maxtor
2007-03-30 18:40 <DIR> d-------- C:\Program Files\Maxtor
2007-03-29 23:22 <DIR> d--hs---- C:\WINDOWS\TGFycnkgV29tYmxl
2007-03-29 22:38 <DIR> d-------- C:\Program Files\WinUHA
2007-03-29 21:05 <DIR> d-------- C:\Program Files\Flawwindowcoal
2007-03-29 21:05 <DIR> d-------- C:\My Downloads
2007-03-29 21:05 <DIR> d-------- C:\DOCUME~1\LARRYW~1\APPLIC~1\Flawwindowcoal
2007-03-29 21:04 <DIR> d-------- C:\Program Files\BitGrabber


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-24 22:55 384 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000000-00000000-0000000e-00001102-00000004-20021102}.dat
2007-04-24 22:55 384 --a------ C:\WINDOWS\system32\dvcstate-{00000000-00000000-0000000e-00001102-00000004-20021102}.dat
2007-04-22 15:22 -------- d-------- C:\DOCUME~1\LARRYW~1\APPLIC~1\utorrent
2007-04-21 23:02 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-04-21 09:00 -------- d--h----- C:\Program Files\installshield installation information
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 20:58 315392 --a------ C:\WINDOWS\system32\atidemgx.dll
2007-03-14 20:57 267776 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-03-14 20:57 1986560 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-14 20:55 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-03-14 20:50 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-03-14 20:50 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2007-03-14 20:50 122880 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-03-14 20:50 114688 --a------ C:\WINDOWS\system32\oemdspif.dll
2007-03-14 20:49 114688 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-03-14 20:48 450560 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-03-14 20:47 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2007-03-14 20:40 2820544 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-03-14 20:29 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-03-14 20:29 1315712 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-03-14 20:19 5402624 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-03-14 20:16 258048 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-03-14 20:14 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-03-14 20:10 356352 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 17:04 143676 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-02-05 15:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 23:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 23:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 16:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 18:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 00:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 00:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 00:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 00:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 00:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 00:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 23:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 23:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 23:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 23:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-29 23:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 23:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB001\" /M \"Stylus CX3800\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"MaxtorOneTouch"="C:\\Program Files\\Maxtor\\OneTouch\\utils\\Onetouch.exe"
"mxomssmenu"="\"C:\\Program Files\\Maxtor\\OneTouch Status\\maxmenumgr.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /M \"Stylus CX3800\" /EF \"HKCU\""
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"IsoBody"="C:\\DOCUME~1\\LARRYW~1\\APPLIC~1\\FLAWWI~1\\winplatform.exe"
@=""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /M \"Stylus CX3800\" /EF \"HKCU\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a619030-6b50-11da-bae7-806d6172696f}]
Shell\AutoRun\command D:\\SETUP.EXE /AUTORUN
Shell\dxsetup\command D:\\DIRECTX\DXSETUP.EXE
Shell\Register\command D:\\EXTRAS\RUNSHELL.EXE HTTP://WWW.MICROSOFT.COM/GAMES/PRODUCT_REG...HTSIMULATOR2004
Shell\setup\command D:\\SETUP.EXE
Shell\Web\command D:\\EXTRAS\RUNSHELL.EXE HTTP://WWW.MICROSOFT.COM/GAMES/FLIGHTSIMULATOR

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6a28f82-df17-11db-93f3-0013d48be960}]
Shell\AutoRun\command G:\Launch.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-24 22:58:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-24 22:59:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-24 22:59

Thanks for your help
Farmer

#6 Buckeye_Sam


    Malware Expert



Posted 25 April 2007 - 09:37 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new hijackthis log.

#7 Buckeye_Sam


    Malware Expert



Posted 06 May 2007 - 08:16 AM

Unfortunately there has been no response.
This thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.