
Infostealer Virus, I Searched, What Needs To Be Deleted



#1 mamavirus

  • Members
  • 6 posts

Posted 27 April 2007 - 06:19 PM

I have had this info stealer since last week. It is driving me nuts. I have read similar posts and have followed the directions, but I do not know what needs to be deleted. I have already downloaded ComboFix and run the program, but I do not know what I need to delete or fix with HijackThis before running The Avenger.
This is my ComboFix log (combofix.txt):



ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\mama\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\oppnn.dll
C:\WINDOWS\system32\nnppo.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\U29ubmllc2lt\command.exe
C:\WINDOWS\U29ubmllc2lt\asappsrv.dll
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whAgent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\b122.exe
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\webhancer
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\mama
C:\qoobox\purity\C\DOCUME~1\mama\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\mama\MYDOCU~1\DOBE~1
C:\qoobox\purity\C\Program Files\SCURIT~1
C:\qoobox\purity\C\WINDOWS\YSTEM~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-26 10:16 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\Help
2007-04-25 12:40 60,928 --a------ C:\WINDOWS\system32\ziia.dll
2007-04-25 12:40 2 --a------ C:\WINDOWS\system32\winticomsv.exe
2007-04-25 12:40 <DIR> d-------- C:\Program Files\s?curity
2007-04-25 08:33 <DIR> d-------- C:\WINDOWS\uzfk
2007-04-25 08:33 <DIR> d-------- C:\Program Files\Common Files\uzfk
2007-04-25 08:18 <DIR> d--hs---- C:\WINDOWS\U29ubmllc2lt
2007-04-23 10:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-23 04:52 <DIR> d-------- C:\VundoFix Backups
2007-04-22 21:43 <DIR> d-------- C:\WINDOWS\pss
2007-04-22 18:41 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-04-22 18:41 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-04-22 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-22 15:45 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\SpywareBot
2007-04-22 15:16 <DIR> d-------- C:\Program Files\SymNetDrv
2007-04-22 14:58 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-22 14:58 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2007-04-22 14:58 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Symantec
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-22 14:57 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-22 14:57 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\Symantec
2007-04-22 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-04-22 14:56 49,204 --a------ C:\WINDOWS\system32\iacmrfrn.dll
2007-04-22 14:15 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-04-22 14:15 <DIR> d-------- C:\Program Files\DivX
2007-04-22 13:54 <DIR> d-------- C:\DOCUME~1\mama\APPLIC~1\vlc
2007-04-22 13:50 <DIR> d-------- C:\Program Files\VideoLAN
2007-04-22 13:02 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-22 12:55 73,728 -ra------ C:\WINDOWS\system32\CNMCP53.exe
2007-04-22 12:55 5,632 --a------ C:\WINDOWS\system32\CNMVS53.DLL
2007-04-22 12:55 100,352 --a------ C:\WINDOWS\system32\CNMLM53.DLL
2007-04-22 12:55 <DIR> d--h----- C:\BJPrinter
2007-04-22 12:22 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-04-22 12:22 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-04-22 12:22 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-22 12:22 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-04-22 12:22 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-22 12:20 <DIR> d-------- C:\Program Files\Winamp
2007-04-22 12:08 <DIR> d--hs---- C:\RECYCLER
2007-04-22 12:04 <DIR> d---s---- C:\DOCUME~1\mama\UserData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 16:21 -------- d-------- C:\DOCUME~1\mama\APPLIC~1\trevoli
2007-03-20 19:39 -------- d-------- C:\Program Files\microsoft activesync
2007-03-20 19:36 -------- d-------- C:\Program Files\Common Files\l&h
2007-03-11 23:29 -------- d-------- C:\Program Files\photo finale
2007-03-11 23:22 -------- d-------- C:\Program Files\Common Files\nero
2007-03-11 23:12 -------- d-------- C:\Program Files\messenger
2007-03-11 22:42 -------- d--h----- C:\Program Files\windowsupdate
2007-03-11 22:38 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-11 22:37 0 -rahs---- C:\MSDOS.SYS
2007-03-11 22:37 0 -rahs---- C:\IO.SYS
2007-03-11 22:37 0 --a------ C:\CONFIG.SYS
2007-03-11 22:37 0 --a------ C:\AUTOEXEC.BAT
2007-03-11 22:35 -------- d-------- C:\Program Files\online services
2007-03-11 22:34 -------- d-------- C:\Program Files\movie maker
2007-03-11 22:34 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-11 22:33 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-11 22:32 -------- d-------- C:\Program Files\windows nt
2007-03-11 22:32 -------- d-------- C:\Program Files\msn gaming zone
2007-03-11 14:17 -------- d-------- C:\Program Files\Common Files\speechengines
2007-03-11 14:17 -------- d-------- C:\Program Files\Common Files\odbc
2007-03-11 14:16 62 --ahs---- C:\DOCUME~1\mama\APPLIC~1\desktop.ini
2007-02-19 04:01 252356 --a------ C:\WINDOWS\b128.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1557B435-8242-4686-9AA3-9265BF7525A4}"="C:\WINDOWS\System32\iacmrfrn.dll"
"{1995AF3B-39D3-3B55-A33D-6AE33D94FCE8}"="C:\WINDOWS\System32\ziia.dll"
"{BDF3E430-B101-42AD-A544-FADC6B084872}"="C:\Program Files\Norton AntiVirus\NavShExt.dll"
"{FDD62CBB-33CC-409C-B259-002D684808C9}"="C:\WINDOWS\System32\efcyx.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"uzfk"="C:\\PROGRA~1\\COMMON~1\\uzfk\\uzfkm.exe"
"Ouuu"="\"C:\\DOCUME~1\\mama\\MYDOCU~1\\DOBE~2\\fast.exe\" -vt yazb"
"Qddg"="\"C:\\Program Files\\s?curity\\l?ass.exe\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareBot"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 18:39:49
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 18:39:51
C:\ComboFix-quarantined-files.txt ... 07-04-27 18:39
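The "Reg Loading Points" section of the log above is where a helper decides what gets removed: the BHO DLLs with random names in System32, the entry marked [x] whose file is already gone, the Run values that start executables out of My Documents, and the directory spelled "s?curity" (a non-ASCII look-alike character that ComboFix prints as "?"). As an added example, not code from this thread and not part of ComboFix, HijackThis or The Avenger, the Python script below parses those BHO and Run lines in the form ComboFix prints them and scores each loading point with the same checks. The sample log is a trimmed copy of the entries posted above, and KNOWN_GOOD is a hypothetical shortlist of benign file names built from this log only; real triage replaces it with a vetted startup database.

```python
"""Score the 'Reg Loading Points' entries of a ComboFix log.

Added example for this thread, not ComboFix/HijackThis code. Run values
use regedit-style escaping (\\ and \"), BHO values do not, and a trailing
[x] marks a file that is no longer on disk. KNOWN_GOOD is a hypothetical
shortlist built from this one log; use a vetted database in practice.
"""
import re

# Constructed sample: a trimmed copy of the loading points from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1557B435-8242-4686-9AA3-9265BF7525A4}"="C:\WINDOWS\System32\iacmrfrn.dll"
"{1995AF3B-39D3-3B55-A33D-6AE33D94FCE8}"="C:\WINDOWS\System32\ziia.dll"
"{BDF3E430-B101-42AD-A544-FADC6B084872}"="C:\Program Files\Norton AntiVirus\NavShExt.dll"
"{FDD62CBB-33CC-409C-B259-002D684808C9}"="C:\WINDOWS\System32\efcyx.dll" [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"uzfk"="C:\\PROGRA~1\\COMMON~1\\uzfk\\uzfkm.exe"
"Ouuu"="\"C:\\DOCUME~1\\mama\\MYDOCU~1\\DOBE~2\\fast.exe\" -vt yazb"
"Qddg"="\"C:\\Program Files\\s?curity\\l?ass.exe\""
"""

KNOWN_GOOD = {  # hypothetical shortlist of lower-case basenames (see docstring)
    "ctfmon.exe", "msmsgs.exe", "nerocheck.exe", "winampa.exe",
    "navapw32.exe", "sndmon.exe", "navshext.dll",
}
VOWELS = set("aeiou")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"(\s*\[x\])?\s*$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}$")


def looks_random(name):
    """Crude gibberish test: a long consonant run or an extreme vowel ratio."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 4:
        return False
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or ratio < 0.25 or ratio >= 0.6


def image_path(command):
    """Pull the executable path out of a (possibly quoted) command line."""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|vbs|pif|cpl))(?:\s|$)",
                        command, re.I)
    return unquoted.group(1) if unquoted else command.split()[0]


def score_entry(key, name, command, missing):
    path = image_path(command)
    basename = path.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    score, reasons = 0, []
    if basename.lower() in KNOWN_GOOD:
        reasons.append("known-good basename (still confirm its directory)")
    else:
        if missing:
            score += 2
            reasons.append("file no longer on disk ([x]): orphaned loading point")
        if "?" in path:
            score += 3
            reasons.append("non-ASCII character in path (shown as '?'): look-alike name")
        if re.search(r"\\(DOCUME~1|Documents and Settings)\\", path, re.I):
            score += 2
            reasons.append("executable runs from a user profile")
        if looks_random(stem):
            score += 2
            reasons.append("random-looking file name")
        if not GUID_RE.match(name) and looks_random(name):
            score += 1
            reasons.append("random-looking value name")
    return {"key": key, "name": name, "path": path, "score": score, "reasons": reasons}


def triage(log_text):
    """Return every loading point found under a [key] header, highest score first."""
    key, entries = None, []
    for line in log_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        e = ENTRY_RE.match(line)
        if e and key:
            command = re.sub(r'\\(["\\])', r"\1", e.group(2))  # undo regedit escaping
            entries.append(score_entry(key, e.group(1), command, bool(e.group(3))))
    return sorted(entries, key=lambda x: -x["score"])


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["score"]:>2}  {e["name"]:<40} {e["path"]}')
        for r in e["reasons"]:
            print(f"      - {r}")
```

The known-good check runs first on purpose: the name heuristic alone would also trip on legitimate abbreviations such as ctfmon.exe or SNDMon.exe, which is exactly why forum helpers work from a vetted startup list rather than from appearance. Run it on the whole "Reg Loading Points" section of a log and the entries that score highest (the missing efcyx.dll BHO and the "s?curity" Run value here) are the ones to take to a removal tool, after confirming the path on the affected machine.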



#2 fozzie

    aut viam inveniam aut faciam (I shall either find a way or make one)

  • Members
  • 3,516 posts
  • Gender: Male
  • Location: Ossendrecht/The Netherlands

Posted 28 April 2007 - 12:17 AM

The best course of action would be:

Preparation Guide For Use Before Posting A HijackThis Log, and post a log in the HJT forum, NOT HERE.



