
Spyware Owns Safe Mode


This topic is locked
12 replies to this topic

#1 grand natty


Posted 01 May 2007 - 07:41 PM

To whom it may interest.

My once healthy IT ego has been squashed. My malice for spyware battle has always been the ability to run my Spybot and Ad-Aware as the local system admin and remove them while they were not running. Well, my malice is broken and useless, as this piece of spyware does not allow cmd to start any services. Not to mention it runs constantly in safe mode as IEXPLORE.EXE, runs a bogus svchost and sucks up 90% of my resources.

I managed to install Dr. Web and it found these three suspect files. I recognized one of the names, so I ran a Virtumonde fix utility I had run some time ago that had produced desirable results. It, however, found nothing, but I feel like that is because Dr. Web had already "cured" the file.

__c00728e4.dat backdoor trojan
htsfz.dll
tuvvsqn.dll

I was instructed to run SUPERAntiSpyware, but I cannot install it in safe mode. When I attempt to run the normal startup, nothing launches. I just look at my blank desktop; if I try to launch explorer via Task Manager, the PC abruptly shuts off. Here is my log. THANK YOU, YOU PEOPLE ROCK!!!


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AB3DB2C-2BA7-95B8-1EC3-0B3874368DC3} - C:\WINDOWS\System32\ifovkzf.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\tuvvsqn.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {8F322E74-B8F8-4273-857D-EA1D3B029D87} - C:\Program Files\MSN Gaming Zone\horew.dll
O2 - BHO: 0 - {B5B21478-0DA0-49C4-258A-807B426BE8BE} - C:\Program Files\MSN\laduqaj.dll (file missing)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP chain gap (#2 in chain of 41 missing)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165280441046
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O20 - Winlogon Notify: tuvvsqn - C:\WINDOWS\SYSTEM32\tuvvsqn.dll
O20 - Winlogon Notify: __c00728E4 - C:\WINDOWS\System32\__c00728E4.dat
O21 - SSODL: VAcpcOhEi - {D4090D58-7EA3-A7F2-EB17-A230B39A897E} - C:\WINDOWS\System32\egx.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: General Socket Service - Unknown owner - C:\WINDOWS\SVCHOST.EXE (file missing)
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\JMS Inc\Start Menu\Programs\Startup\MSWin--2027543514.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\New Folder\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
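The helpers in this thread read HijackThis logs like the one above by eye, looking for unnamed BHOs, Winlogon Notify hooks, services whose binary is missing, and the MSConfig marker. As an added example (editor's code, not a BleepingComputer or HijackThis tool), the script below encodes those same checks over a sample made of entries copied from this thread's logs, and adds one cross-reference a human easily misses: a module registered both as a BHO and as a Winlogon Notify DLL, which is exactly what tuvvsqn.dll does here. Function names, reason strings and the extension list are the editor's choices.

```python
"""Triage a HijackThis (HJT) log the way the helpers in this thread do by eye.
Added example by the editor, not a BleepingComputer or HijackThis tool."""
import ntpath
import re

# Sample input: entries copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\tuvvsqn.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\__c00C3BAB.dat",setvm
O10 - Broken Internet access because of LSP chain gap (#2 in chain of 41 missing)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: tuvvsqn - C:\WINDOWS\SYSTEM32\tuvvsqn.dll
O20 - Winlogon Notify: __c00728E4 - C:\WINDOWS\System32\__c00728E4.dat
O23 - Service: General Socket Service - Unknown owner - C:\WINDOWS\SVCHOST.EXE (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\New Folder\Nero 7\Nero BackItUp\NBService.exe
"""

# Every HJT entry is "<section code> - <body>".
HJT_ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
# A drive-letter path up to the first extension that can hold code (or a DLL disguised as .dat).
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|dat|exe|ocx)\b", re.IGNORECASE)


def parse_hjt(text):
    """Split an HJT log into (code, body) pairs, skipping headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def paths_in(body):
    """All Windows file paths named in an entry, lower-cased for comparison."""
    return [p.lower() for p in WIN_PATH.findall(body)]


def triage(text):
    """Return (code, reason, body) findings for entries a helper would act on."""
    entries = parse_hjt(text)
    findings = []
    # Modules registered as BHOs, so Winlogon Notify entries can be cross-checked against them.
    bho_modules = {p for code, body in entries if code == "O2" for p in paths_in(body)}
    for code, body in entries:
        paths = paths_in(body)
        low = body.lower()
        if code == "O2" and "(no name)" in low:
            findings.append((code, "unnamed BHO", body))
        elif code == "O4":
            if "msconfig.exe /auto" in low:
                # Selective startup is active: disabled items are hidden under msconfig\startupreg.
                findings.append((code, "MSConfig has disabled startup items", body))
            if "rundll32" in low:
                loaded = [p for p in paths if not p.endswith("rundll32.exe")]
                if any(not p.endswith(".dll") for p in loaded):
                    findings.append((code, "rundll32 loading a module without a .dll extension", body))
        elif code == "O10" and "lsp chain gap" in low:
            findings.append((code, "broken Winsock LSP chain", body))
        elif code == "O15" and "should be" in low:
            findings.append((code, "Internet Explorer zone mapping tampered with", body))
        elif code == "O20":
            for p in paths:
                if not p.endswith(".dll"):
                    findings.append((code, "Winlogon Notify module without a .dll extension", body))
                if p in bho_modules:
                    findings.append((code, "same module also registered as a BHO", body))
        elif code == "O23":
            if "unknown owner" in low and "(file missing)" in low:
                findings.append((code, "service with no publisher whose binary is gone", body))
            for p in paths:
                # ntpath handles backslash paths regardless of the host OS.
                if ntpath.basename(p) == "svchost.exe" and not ntpath.dirname(p).endswith("system32"):
                    findings.append((code, "svchost.exe outside System32", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:50} {body}")
```

The legitimate Adobe BHO and the Nero service produce no findings, while the Vundo DLL is caught twice over: once as an unnamed BHO and once because the same file is also a Winlogon Notify hook, which is why VundoFix above could not delete it while winlogon held it open.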


#2 rookie147


Posted 02 May 2007 - 01:12 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
You have quite a heavily infected computer; it is likely that we will need to perform a few scans before you will be completely clean of malware, so please bear with me.

You appear to have used MSConfig to disable some programs from starting up.
This can be bad if they are malware; I will not know what other things are hiding in your computer that you have disabled.
Go to Start | Run, type msconfig | OK
When the window opens click on the Startup tab and make sure there are checkmarks next to all entries.
Then press OK until you are out of the program.
If it asks to reboot, let it.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles

Edited by rookie147, 02 May 2007 - 01:14 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 grand natty


Posted 02 May 2007 - 10:22 PM

Charles, thanks for getting back to me. I have enabled everything in the startup as you asked. Here are my logs; please advise, as even after a reboot VundoFix could not delete tuvvsqn.dll. Thank you.


VundoFix V6.2.13

Checking Java version...

Scan started at 9:29:12 PM 4/26/2007

Listing files found while scanning....


VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 5:10:11 PM 5/1/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 9:04:48 PM 5/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\rqrspol.dll
C:\WINDOWS\system32\tuvvsqn.dll
C:\WINDOWS\system32\vturonk.dll
C:\WINDOWS\system32\vtusrrs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqrspol.dll
C:\WINDOWS\system32\rqrspol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvvsqn.dll
C:\WINDOWS\system32\tuvvsqn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vturonk.dll
C:\WINDOWS\system32\vturonk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtusrrs.dll
C:\WINDOWS\system32\vtusrrs.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tuvvsqn.dll
C:\WINDOWS\system32\tuvvsqn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

HJT


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\VundoFix.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.enigmasoftware.a013.com/congrat...ter_scanner.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AB3DB2C-2BA7-95B8-1EC3-0B3874368DC3} - C:\WINDOWS\System32\ifovkzf.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\tuvvsqn.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {8F322E74-B8F8-4273-857D-EA1D3B029D87} - C:\Program Files\MSN Gaming Zone\horew.dll
O2 - BHO: 0 - {B5B21478-0DA0-49C4-258A-807B426BE8BE} - C:\Program Files\MSN\laduqaj.dll (file missing)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [{D4090D57-095A-1033-0905-020305090001}] "C:\Program Files\Common Files\{D4090D57-095A-1033-0905-020305090001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{D4090D57-0959-1033-0905-020305090001}] "C:\Program Files\Common Files\{D4090D57-0959-1033-0905-020305090001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [sys0237604265-7] C:\WINDOWS\sys0237604265-7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\__c00C3BAB.dat",setvm
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385576F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\System32\qwertybot.exe
O4 - HKLM\..\Run: [phc600] C:\WINDOWS\vphc600.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [lezclad.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\lezclad.dll,lhxgtwc
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\System32\dns.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvcob.dll,startup
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AdwareKill] C:\Program Files\AdwareKill\setup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Administrator\Desktop\vundofix.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: TrayMin600.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP chain gap (#2 in chain of 41 missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165280441046
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O20 - Winlogon Notify: tuvvsqn - C:\WINDOWS\SYSTEM32\tuvvsqn.dll
O20 - Winlogon Notify: __c00728E4 - C:\WINDOWS\System32\__c00728E4.dat
O21 - SSODL: VAcpcOhEi - {D4090D58-7EA3-A7F2-EB17-A230B39A897E} - C:\WINDOWS\System32\egx.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: General Socket Service - Unknown owner - C:\WINDOWS\SVCHOST.EXE (file missing)
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\JMS Inc\Start Menu\Programs\Startup\MSWin--2027543514.exe
O23 - Service: NBService - Nero AG - C:\Program Files\New Folder\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#4 rookie147


Posted 03 May 2007 - 01:38 AM

Download Combofix to your Desktop. It is really important that combofix.exe is on your Desktop, not somewhere else!
Then go to Start | Run and copy and paste this command in the field:
"C:\Documents and Settings\Chris\Desktop\combofix.exe" /v tuvvsqn
Hit enter. This should start combofix.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot, it should open a log, combofix.txt.

Please include this in your next post, along with a new HijackThis log.
Thanks,
Charles



#5 grand natty


Posted 03 May 2007 - 12:31 PM

I will do this when I get home, but just in case you can get back to me before then: should I restart after the ComboFix before I generate a new HJT log? Thanks again for all your help.

Adam B.

#6 rookie147


Posted 03 May 2007 - 04:00 PM

Take your time in replying; I'm not going anywhere :thumbsup:
The tool should automatically reboot your computer, but if it does not, reboot manually before posting the HijackThis log.



#7 grand natty


Posted 03 May 2007 - 05:50 PM

I could not figure out why copying and pasting your command was not working for me; then I looked at it and thought it may help if I changed Chris to Administrator. ComboFix did not produce a text doc after the reboot, but I found one in the dir c:\combofix, so I hope it is the same one you are looking for.

Thanks
Adam B.


"Administrator" - 07-05-03 17:11:19 Service Pack 1 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Administrator\Desktop\"
Command switches used :: "/v tuvvsqn"



Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AB3DB2C-2BA7-95B8-1EC3-0B3874368DC3} - C:\WINDOWS\System32\ifovkzf.dll
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - C:\WINDOWS\system32\tuvvsqn.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {8F322E74-B8F8-4273-857D-EA1D3B029D87} - C:\Program Files\MSN Gaming Zone\horew.dll
O2 - BHO: 0 - {B5B21478-0DA0-49C4-258A-807B426BE8BE} - C:\Program Files\MSN\laduqaj.dll (file missing)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [sys0237604265-7] C:\WINDOWS\sys0237604265-7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [phc600] C:\WINDOWS\vphc600.exe
O4 - HKLM\..\Run: [lezclad.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\lezclad.dll,lhxgtwc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\System32\dns.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AdwareKill] C:\Program Files\AdwareKill\setup.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\\Combobatch.bat
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Administrator\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\\Combobatch.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: TrayMin600.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165280441046
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O20 - Winlogon Notify: tuvvsqn - C:\WINDOWS\SYSTEM32\tuvvsqn.dll
O20 - Winlogon Notify: __c00728E4 - C:\WINDOWS\System32\__c00728E4.dat
O21 - SSODL: VAcpcOhEi - {D4090D58-7EA3-A7F2-EB17-A230B39A897E} - C:\WINDOWS\System32\egx.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\JMS Inc\Start Menu\Programs\Startup\MSWin--2027543514.exe
O23 - Service: NBService - Nero AG - C:\Program Files\New Folder\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#8 rookie147


Posted 04 May 2007 - 01:35 AM


I think the end of the ComboFix log may have got cut off a bit, there is quite a lot more than just the bit that you posted.
Please open up the file again and make sure you copy and paste the whole thing in your next reply. I apologise for getting the command wrong when using the tool, my bad :thumbsup:



#9 grand natty


Posted 04 May 2007 - 08:07 PM

I was able to remove some files using superantispyware and then combofix started to produce an entire log. Things do not look well to me, but on the bright side I am posting this using my PC and not my tablet... Thanks brother.

Adam B.

"" - 07-05-04 19:33:54 Service Pack 1 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\All Users\Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))


2007-05-04 17:10 14,336 --a------ C:\WINDOWS\system32\winupd_KB04080293.exe
2007-05-03 22:25 262,144 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-05-03 22:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-03 22:18 <DIR> d-------- C:\DOCUME~1\JMSINC~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 22:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 20:25 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2007-05-03 20:25 <DIR> d-------- C:\Program Files\XP Tools
2007-05-03 18:17 <DIR> d-------- C:\!KillBox
2007-05-01 18:43 31,232 --a------ C:\WINDOWS\system32\drivers\sisnic.sys
2007-05-01 17:08 262,144 --ah----- C:\DOCUME~1\JMSINC~1\ntuser.dat
2007-05-01 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 20:10 296 --a------ C:\xcrashdump.dat
2007-04-30 18:19 <DIR> d-ahs---- C:\!Submit
2007-04-23 23:49 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-04-23 23:49 <DIR> d-------- C:\Program Files\CA
2007-04-23 23:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-04-23 20:15 91,476 --a------ C:\WINDOWS\system32\cent.exe
2007-04-23 20:14 86,528 --a------ C:\WINDOWS\system32\lezclad.dll
2007-04-23 20:14 64,000 --a------ C:\WINDOWS\system32\ifovkzf.dll
2007-04-23 20:14 119,808 --a------ C:\WINDOWS\system32\__c00C3BAB.dat
2007-04-23 20:10 30,720 --a------ C:\WINDOWS\system32\rpcc1.dll
2007-04-23 20:01 81,412 --a------ C:\WINDOWS\system32\idleserv.exe
2007-04-23 20:01 41,880 --a------ C:\WINDOWS\retadpu.exe.bin
2007-04-23 20:01 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-23 20:00 6,748 --a------ C:\WINDOWS\system32\dns.exe
2007-04-23 20:00 36,352 --a------ C:\WINDOWS\system32\__c006E831.dat
2007-04-23 19:57 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-23 19:56 12,800 --a------ C:\WINDOWS\system32\user_32.dll
2007-04-23 19:56 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-23 19:55 36,352 --------- C:\WINDOWS\system32\__c00728E4.dat
2007-04-23 19:53 22,016 --a------ C:\WINDOWS\system32\winupd_KB68731342.exe
2007-04-05 19:50 <DIR> d-------- C:\DOCUME~1\JMSINC~1\APPLIC~1\Morpheus


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-04 17:55 -------- d-------- C:\Program Files\spybot
2007-05-03 22:15 -------- d-------- C:\Program Files\msn gaming zone
2007-05-03 18:09 36352 --------- C:\WINDOWS\system32\__c00728e4.dat
2007-04-23 23:16 75264 --a------ C:\WINDOWS\system32\ws2_32.dll
2007-04-23 20:14 119808 --a------ C:\WINDOWS\system32\__c00c3bab.dat
2007-04-10 15:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-03-16 10:39 -------- d--h----- C:\Program Files\installshield installation information
2007-03-16 10:39 -------- d-------- C:\Program Files\philips
2007-03-06 13:37 216064 --a------ C:\WINDOWS\iun3405.exe
2007-03-06 13:37 -------- d-------- C:\Program Files\snes9x


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"phc600"="C:\\WINDOWS\\vphc600.exe"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"dns.exe"="C:\\WINDOWS\\System32\\dns.exe"
"csr"="csrrs.exe"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"AdwareKill"="C:\\Program Files\\AdwareKill\\setup.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
"-733643738.exe"="C:\\WINDOWS\\System32\\-733643738.exe"
"combofix"="C:\\WINDOWS\\system32\\cmd.exe /c C:\\ComboFix\\\\Combobatch.bat"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"="C:\\WINDOWS\\system32\\cmd.exe /c C:\\ComboFix\\\\Combobatch.bat"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"VAcpcOhEi"="{D4090D58-7EA3-A7F2-EB17-A230B39A897E}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00728E4

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Schedule

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"winlog"="winlog.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F162C4C72.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F162C4C72"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\JMSINC~1\\LOCALS~1\\Temp\\_A00F162C4C72.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F1630BE82.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F1630BE82"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\JMSINC~1\\LOCALS~1\\Temp\\_A00F1630BE82.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ahtdt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="w?auboot"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\?icrosoft\\w?auboot.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKCU"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IExplorer"
"hkey"="HKCU"
"command"="IExplorer.dll .dbt"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKCU"
"command"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lzp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="l?gonui"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\s?stem\\l?gonui.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oran]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="chkntfs"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\JMSINC~1\\APPLIC~1\\SCURIT~1\\chkntfs.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVCHOST]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SVCHOST"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\SVCHOST.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tcdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?pdb"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\s?stem32\\n?pdb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tfcyqtui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="r?ndll"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\??mantec\\r?ndll.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpupdate"
"hkey"="HKCU"
"command"="C:\\Windows\\xpupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_sys]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmwnd"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\ServicePackFiles\\mmwnd.exe\" updated"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-04 19:35:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-04 19:36:00
C:\ComboFix-quarantined-files.txt ... 07-05-04 19:36



Logfile of HijackThis v1.99.1
Scan saved at 7:41:27 PM, on 5/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.superantispyware.com/applicatio...F-400B596E20D1}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [phc600] C:\WINDOWS\vphc600.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\System32\dns.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AdwareKill] C:\Program Files\AdwareKill\setup.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [-733643738.exe] C:\WINDOWS\System32\-733643738.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\\Combobatch.bat
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\\Combobatch.bat
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: MSWin--2027543514.exe
O4 - Startup: MSWin-365977749.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: TrayMin600.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165280441046
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\System32\rpcc1.dll
O20 - Winlogon Notify: __c00728E4 - C:\WINDOWS\System32\__c00728E4.dat
O21 - SSODL: VAcpcOhEi - {D4090D58-7EA3-A7F2-EB17-A230B39A897E} - C:\WINDOWS\System32\egx.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\JMS Inc\Start Menu\Programs\Startup\MSWin--2027543514.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\New Folder\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:07:59 AM

Posted 05 May 2007 - 02:20 PM

Things do not look well to me

That's correct. The ComboFix log shows a huge number of infected files that will probably take a lot of work to remove, so I think I need to point out just how badly infected you are. Perhaps a complete format of your computer would be a better option for you; there is no guarantee that we will get rid of all the malware you have on your PC. Of course, I'm happy to try and clean it with you, I'm just giving you the choice to reformat if you would prefer to do this. The following link might help you with your decision:

When Should I Format, How Should I Reinstall?

Let me know if you'd like to continue cleaning this mess up in your next post, or if you want to format.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 grand natty

grand natty
  • Topic Starter

  • Members
  • 8 posts
  • Local time:01:59 AM

Posted 05 May 2007 - 04:18 PM

If you are up for it, then I would like to try and clean it up; if nothing else, I will at least learn something. As you are available, any help you can offer would be greatly appreciated. I say this because I have a tablet (not used by roommates) and another HD with a Linux OS that people can use to get online. I would like to learn more about removing these files from my system so in the future I may be able to help another as you are helping me. So when you have a chance, I would like to take a stab at this. Thanks

Adam B.

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:07:59 AM

Posted 06 May 2007 - 06:34 AM

Hello again, let's get started :thumbsup:
Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

AdwareKill

I see you have Viewpoint installed:
Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546
I recommend that you remove the Viewpoint products. If you do decide to get rid of it, please remove all references to Viewpoint from Add/Remove Programs.

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

Please download HostsXpert from here
Unzip HostsXpert.zip
Open HostsXpert.exe
Then click on "Restore Microsoft's Host File", followed by OK at the prompt.
Close the program when complete.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Don't run it yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Delete this folder if present:

C:\Program Files\AdwareKill

And this one if you removed Viewpoint:

C:\Program Files\Viewpoint

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Scan once more with HijackThis in normal mode. Please post this log along with the SDFix report and the Combofix log in your next reply.
Thanks,
Charles

Edited by rookie147, 06 May 2007 - 06:35 AM.

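As an added example (not code from this thread, nor from HijackThis, HostsXpert or SDFix), a small Python checker that runs the two checks the fix above is built around over HijackThis-style log lines: O1 hosts entries that send many hostnames to one remote address (the reason the hosts file gets restored), and O4 autostart paths that carry lookalike names or a system-binary name outside System32. The sample lines and the 192.0.2.10 address are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis O1/O4 format (not from the thread's log); 192.0.2.10 is a documentation address.
SAMPLE_LOG = r"""
O1 - Hosts: 192.0.2.10 www.examplebank.test
O1 - Hosts: 192.0.2.10 examplebank.test
O1 - Hosts: 192.0.2.10 www.examplecu.test
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [w?auboot] "C:\Program Files\Common Files\?icrosoft\w?auboot.exe"
O4 - HKCU\..\Run: [n?pdb] C:\WINDOWS\system32\s?stem32\n?pdb.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SVCHOST.EXE
""".strip().splitlines()

# Names that belong in System32; a copy anywhere else is a classic disguise.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "smss.exe"}
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - [^:]+: \[([^\]]+)\] (.*)$")

def hosts_hijacks(lines):
    """Map each remote IP to the hostnames the hosts file redirects to it. Loopback
    and 0.0.0.0 are legitimate targets; many bank hostnames on one remote IP is pharming."""
    by_ip = defaultdict(list)
    for line in lines:
        m = O1_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.groups()
        if not (ip.startswith("127.") or ip in ("::1", "0.0.0.0")):
            by_ip[ip].append(host)
    return dict(by_ip)

def exe_path(command):
    """Executable part of an O4 command: first quoted string, else first token."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""

def suspicious_autostarts(lines):
    """Return (entry name, path, reason) for O4 entries that look disguised."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, command = m.groups()
        path = exe_path(command)
        folder, _, base = path.rpartition("\\")
        if "?" in path:
            # HijackThis prints '?' for characters it cannot render; that is how a lookalike folder shows up.
            findings.append((name, path, "unrenderable character in path (lookalike name)"))
        elif base.lower() in SYSTEM_NAMES and not folder.lower().endswith("\\system32"):
            findings.append((name, path, "system binary name outside System32"))
    return findings

if __name__ == "__main__":
    for ip, hosts in hosts_hijacks(SAMPLE_LOG).items():
        print(f"hosts hijack -> {ip}: {len(hosts)} hostnames redirected")
    for name, path, reason in suspicious_autostarts(SAMPLE_LOG):
        print(f"autostart [{name}] {path}: {reason}")
```

Feed it the O1 and O4 lines of a real HijackThis log to see which entries a "Restore Microsoft's Host File" step and a startup cleanup would address.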


#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:07:59 AM

Posted 21 May 2007 - 06:20 AM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
