Malware Problem


4 replies to this topic

#1 E3Revolution (Members, 16 posts)

Posted 12 May 2007 - 04:34 PM

Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 5:30:31 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CST STUDIO SUITE 2006B\License Manager\lmgrd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\CST STUDIO SUITE 2006B\License Manager\lmgrd.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\?ssembly\w?nword.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NETGEAR\WAG511 Configuration Utility\wlancfg3.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Haipeng\Desktop\hijackthis-1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jlab.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\ECURIT~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Obyhq] C:\WINDOWS\?ssembly\w?nword.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NETGEAR WAG511 Smart Wizard.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jlab.org
O17 - HKLM\Software\..\Telephony: DomainName = jlab.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A6ADF89-0485-4603-8C15-A121465E7641}: Domain = jlab.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A6ADF89-0485-4603-8C15-A121465E7641}: NameServer = 129.57.32.100,129.57.32.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jlab.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jlab.org,acc.jlab.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jlab.org,acc.jlab.org
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\SYSTEM32\wincpg32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi108325.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CST License Manager - Macrovision Corporation - C:\Program Files\CST STUDIO SUITE 2006B\License Manager\lmgrd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nimcdldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nimcrpcsu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
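
Added example (not part of the thread, and not HijackThis code): a Python triage pass over HijackThis-style lines like the ones in the log above. It applies the checks a helper makes by eye on this log. A '?' in a path is flagged, because HijackThis prints characters it cannot encode as '?', and '?' is a reserved wildcard that cannot occur in a real Windows file name; that is what gives away \?ssembly\w?nword.exe. A core system binary such as smss.exe loading from anywhere other than system32 is flagged, which catches ...\ECURIT~1\smss.exe. Services whose file is missing or whose owner is unknown, bare file names in Run keys, and every O20 Winlogon Notify DLL are listed for review rather than judged, since on the line NavLogon.dll and wincpg32.dll look the same. The sample lines are copied from the log above; the rules, the Finding record and the assumption that the system root is C:\WINDOWS are mine.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not code from HijackThis or from the
original poster. The sample lines are copied from the log above; the
rules and the Finding record are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Processes that Windows starts only from %SystemRoot%\system32. The
# system root is assumed to be C:\WINDOWS, as in the log above.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First ".exe" token of a command line, with a leading quote stripped.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "suspicious" (act on it) or "review" (look at it)
    entry: str      # the log line the finding is about
    reason: str


def exe_from_command(cmd: str) -> str:
    """Executable part of a Run-key command line, quotes/arguments removed."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def path_findings(path: str, entry: str) -> list[Finding]:
    """Checks applied to every file path pulled out of the log."""
    out = []
    # HijackThis prints characters it cannot encode as '?', and '?' is a
    # reserved wildcard that cannot occur in a real Windows file name, so a
    # '?' here means a directory or file named with look-alike characters.
    if "?" in path or any(ord(c) > 127 for c in path):
        out.append(Finding("suspicious", entry,
                           "non-ASCII character in path (look-alike name)"))
    directory, _, base = path.lower().rpartition("\\")
    if base in SYSTEM_BINARIES and directory != SYSTEM32:
        out.append(Finding("suspicious", entry,
                           f"{base} loaded from outside system32"))
    if "(file missing)" in path.lower():
        out.append(Finding("review", entry, "registered file no longer exists"))
    return out


def triage(lines) -> list[Finding]:
    """Run the checks over an iterable of HijackThis log lines."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if re.match(r"^[A-Za-z]:\\", line):            # running-process list
            findings += path_findings(line, line)
        elif m := O4_RE.match(line):
            exe = exe_from_command(m.group("cmd"))
            findings += path_findings(exe, line)
            if "\\" not in exe:                       # e.g. "smanager.7.exe"
                findings.append(Finding("review", line,
                                        "bare file name, found through PATH search"))
        elif m := O20_RE.match(line):
            # Notification packages load into winlogon.exe at every logon,
            # so each one is listed for a vendor check, good or bad.
            findings += path_findings(m.group("path"), line)
            findings.append(Finding("review", line, "Winlogon Notify DLL"))
        elif m := O23_RE.match(line):
            findings += path_findings(m.group("path"), line)
            if m.group("owner").lower() == "unknown owner":
                findings.append(Finding("review", line, "service without a known owner"))
    return findings


# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\?ssembly\w?nword.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\ECURIT~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Obyhq] C:\WINDOWS\?ssembly\w?nword.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\SYSTEM32\wincpg32.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi108325.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.reason}: {f.entry}")
```

Run it on a full saved log with `triage(open("hijackthis.log").read().splitlines())`; the "suspicious" findings are the ones to act on, the "review" ones need a vendor check (the NavLogon entry above is Symantec's and is fine, the wincpg32 entry is not).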



#2 E3Revolution (Topic Starter, Members, 16 posts)

Posted 12 May 2007 - 04:38 PM

Oh yeah, I just deleted some viruses but I need to make sure they won't come back... They seem to reappear everywhere

#3 sjpritch25 (Security Colleague, 899 posts, West Coast of Florida, USA)

Posted 12 May 2007 - 07:25 PM

Welcome to BC :thumbsup:

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Microsoft MVP Consumer Security--2007-2010

#4 E3Revolution (Topic Starter, Members, 16 posts)

Posted 13 May 2007 - 12:51 PM

Here is the text file

"haipeng" - 2007-05-13 10:57:47 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Haipeng\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\clxjmmxq.dll
C:\WINDOWS\system32\hlcuxoao.dll
C:\WINDOWS\system32\wincpg32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\wnsapisu.exe
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\SEMBLY~1
C:\qoobox\purity\C\WINDOWS\SSEMBL~1
C:\qoobox\purity\C\WINDOWS\system32\CROSOF~1
C:\qoobox\purity\C\WINDOWS\system32\CROSOF~1\d?xplore.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-30 22:46 <DIR> d-------- C:\DOCUME~1\Haipeng\APPLIC~1\BitTorrent
2007-05-30 22:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-05-30 22:35 <DIR> d-------- C:\Program Files\BitComet
2007-05-30 22:35 <DIR> d-------- C:\Downloads
2007-05-30 22:33 6,342,040 --a------ C:\Temp\BitCometBeta_20070430_setup.exe
2007-05-30 22:30 5,832,685 --a------ C:\Temp\BitTorrent-5.0.7.exe
2007-05-13 11:00 <DIR> d---s---- C:\WINDOWS\system32\??crosoft
2007-05-13 10:59 40,183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-13 10:59 29,206 --a------ C:\WINDOWS\system32\jkkiifc.dll
2007-05-13 10:59 <DIR> d-------- C:\Program Files\??sembly
2007-05-12 21:56 1,466,649 ---hs---- C:\WINDOWS\system32\tssru.bak1
2007-05-12 21:55 285,268 ---hs---- C:\WINDOWS\system32\ursst.dll
2007-05-12 21:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-12 21:49 29,206 --a------ C:\WINDOWS\system32\mljjklk.dll
2007-05-10 14:53 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-05-09 18:20 <DIR> d-------- C:\DOCUME~1\Haipeng\APPLIC~1\WaveMetrics
2007-05-09 18:17 <DIR> d-------- C:\Program Files\WaveMetrics
2007-05-03 11:56 <DIR> d-------- C:\DOCUME~1\marhause\APPLIC~1\Sonic
2007-05-03 11:04 1,048,576 --ah----- C:\DOCUME~1\marhause\NTUSER.DAT
2007-04-27 15:40 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-04-27 15:40 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.sys
2007-04-27 15:40 17,056 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-04-27 15:39 <DIR> d-------- C:\Program Files\NETGEAR


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-31 02:35:55 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-05-13 15:13:49 -------- d-----w C:\Program Files\??sembly
2007-05-13 11:32:49 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-05-13 11:32:12 -------- d-----w C:\Program Files\CST STUDIO SUITE 2006B
2007-05-03 15:56:11 39,492 ----a-w C:\WINDOWS\system32\nvModes.dat
2007-04-27 19:40:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 22:52:19 -------- d-----w C:\Program Files\MSBuild
2007-03-05 22:45:52 -------- d-----w C:\Program Files\Reference Assemblies
2007-03-01 23:08:58 49,152 ----a-w C:\npbittorrent.dll
2007-02-08 20:51:25 286,720 ------w C:\WINDOWS\Setup1.exe
2007-02-08 20:51:23 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}"="C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{850A1CAC-33D7-4DDD-8571-31C9491B4497}"="C:\WINDOWS\system32\mljjklk.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar3.dll"
"{AABAC3B8-DA3E-4F33-B471-422165FBB585}"="C:\WINDOWS\system32\clxjmmxq.dll" [x]
"{CDC08451-AA1D-495A-96BE-BBA2D4347DB6}"="C:\WINDOWS\system32\ursst.dll"
"{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}"="C:\WINDOWS\system32\hlcuxoao.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"niDevMon"="C:\\Program Files\\National Instruments\\NI-DAQ\\HWConfig\\nidevmon.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SManager"="smanager.7.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Ncao"="\"C:\\PROGRA~1\\SEMBLY~1\\chkntfs.exe\" -vt yazb"
"Zdc"="C:\\WINDOWS\\system32\\??crosoft\\d?xplore.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"="cmd.exe /C \"cscript %systemroot%\\Installer\\TSClientMsiTrans\\tscuinst.vbs\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning."
"disablecad"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{850A1CAC-33D7-4DDD-8571-31C9491B4497}"="C:\WINDOWS\system32\mljjklk.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursst
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincpg32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d17a7f40-37c0-11db-b581-00065bb882bf}]
Shell\AutoRun\command F:\AutoRun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Critical Battery Alarm Program.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 11:16:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 11:17:44
C:\ComboFix-quarantined-files.txt ... 2007-05-13 11:17
C:\ComboFix2.txt ... 2007-05-12 21:52

#5 sjpritch25 (Security Colleague, 899 posts, West Coast of Florida, USA)

Posted 13 May 2007 - 09:02 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\jkkiifc.dll
C:\WINDOWS\system32\tssru.bak1
C:\WINDOWS\system32\ursst.dll
C:\WINDOWS\system32\mljjklk.dll
C:\WINDOWS\SYSTEM32\wincpg32.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursst
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincpg32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{850A1CAC-33D7-4DDD-8571-31C9491B4497}
HKEY_CLASSES_ROOT\CLSID\{850A1CAC-33D7-4DDD-8571-31C9491B4497}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDC08451-AA1D-495A-96BE-BBA2D4347DB6}
HKEY_CLASSES_ROOT\CLSID\{CDC08451-AA1D-495A-96BE-BBA2D4347DB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850A1CAC-33D7-4DDD-8571-31C9491B4497}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AABAC3B8-DA3E-4F33-B471-422165FBB585}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDC08451-AA1D-495A-96BE-BBA2D4347DB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {850A1CAC-33D7-4DDD-8571-31C9491B4497}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | Ncao
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | Zdc


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Microsoft MVP Consumer Security--2007-2010
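
The Avenger script in this reply was assembled by hand from the ComboFix log in post #4: each loading point that still references one of the rogue DLLs, the quarantined "??sembly" folder, or a path containing a look-alike character becomes a key or value to delete. Added example (not code from The Avenger, ComboFix or the helper): a Python routine that performs that derivation over the "Reg Loading Points" section and prints a script in the same three-section format. It generalizes slightly: it emits the CLSID keys for every flagged BHO, not only for the two whose DLL still existed. REG_TEXT is copied from the log above and FILES_TO_DELETE from the script above; the SEMBLY~1 marker (the 8.3 name of the quarantined folder) and treating '?' in a path as an indicator are assumptions.

```python
"""Build an Avenger-style removal script from ComboFix "Reg Loading Points".

Added example for this thread; not code from The Avenger, ComboFix or the
helper. REG_TEXT is copied from the ComboFix log above, FILES_TO_DELETE is
the list from the Avenger script above; the rest is assumption.
"""
import re

FILES_TO_DELETE = [
    r"C:\WINDOWS\system32\jkkiifc.dll",
    r"C:\WINDOWS\system32\tssru.bak1",
    r"C:\WINDOWS\system32\ursst.dll",
    r"C:\WINDOWS\system32\mljjklk.dll",
    r"C:\WINDOWS\SYSTEM32\wincpg32.dll",
]
# DLLs ComboFix already removed ("V Log") whose BHO registrations remain,
# plus the 8.3 name of the quarantined "??sembly" folder (assumption: every
# loading point under it belongs to the infection).
EXTRA_INDICATORS = ["clxjmmxq.dll", "hlcuxoao.dll", "SEMBLY~1"]

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def indicator_sets(files, extra):
    """Lower-cased file names and their stems (name without extension)."""
    names = {p.rpartition("\\")[2].lower() for p in files} | {e.lower() for e in extra}
    stems = {n.rpartition(".")[0] or n for n in names}
    return names, stems


def collect_loading_points(reg_text, files, extra=()):
    """Registry (keys, values) that point at a flagged file or a '?' path.

    Values are rendered "key | name" as The Avenger expects. A flagged BHO
    yields its registration key plus both CLSID keys.
    """
    names, stems = indicator_sets(files, extra)
    keys, values, current = [], [], None

    def is_bad(text):
        low = text.lower()
        return "?" in text or any(n in low for n in names)

    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # section header
            current = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current:
            if not is_bad(m.group("value")):
                continue
            name = m.group("name")
            if current.lower().endswith("browser helper objects"):
                keys += [f"{current}\\{name}",
                         f"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{name}",
                         f"HKEY_CLASSES_ROOT\\CLSID\\{name}"]
            else:
                values.append(f"{current} | {name}")
        elif line.upper().startswith("HKEY_"):
            # Bare key lines (Winlogon Notify): the key's last component is
            # the DLL stem, so it is compared exactly, not by substring.
            current = None
            if line.rpartition("\\")[2].lower() in stems:
                keys.append(line)
    return keys, values


def build_avenger_script(reg_text, files, extra=()):
    keys, values = collect_loading_points(reg_text, files, extra)
    sections = [("Files to delete:", list(files)),
                ("Registry keys to delete:", keys),
                ("Registry values to delete:", values)]
    return "\n\n".join(f"{t}\n" + "\n".join(items) for t, items in sections if items)


# Constructed sample: "Reg Loading Points" lines copied from the log above.
REG_TEXT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{850A1CAC-33D7-4DDD-8571-31C9491B4497}"="C:\WINDOWS\system32\mljjklk.dll"
"{AABAC3B8-DA3E-4F33-B471-422165FBB585}"="C:\WINDOWS\system32\clxjmmxq.dll" [x]
"{CDC08451-AA1D-495A-96BE-BBA2D4347DB6}"="C:\WINDOWS\system32\ursst.dll"
"{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}"="C:\WINDOWS\system32\hlcuxoao.dll" [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Ncao"="\"C:\\PROGRA~1\\SEMBLY~1\\chkntfs.exe\" -vt yazb"
"Zdc"="C:\\WINDOWS\\system32\\??crosoft\\d?xplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{850A1CAC-33D7-4DDD-8571-31C9491B4497}"="C:\WINDOWS\system32\mljjklk.dll"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjklk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursst
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincpg32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
"""

if __name__ == "__main__":
    print(build_avenger_script(REG_TEXT, FILES_TO_DELETE, EXTRA_INDICATORS))
```

The output is machine-specific in the same way the helper's note says the script above is: the file list and the indicator substrings have to come from someone who has read the log, and a generic stem such as "smss" in that list would match legitimate keys too, which is why bare key lines are compared exactly rather than by substring.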



