
Help With Rootkits And Other Possible Infections


10 replies to this topic

#1 digitalman959

Posted 03 June 2007 - 07:19 PM

I had to make a Windows repair due to some infections. While trying to install IE7 back again, I got a blue screen which freezes Windows and makes reference to a file called system32:xpdt.sys. This makes the PC restart, and so far I'm unable to install IE7. I found this to be a rootkit, so I ran AVG Anti-RootKit and it detected the system32:xpdt.sys and another one called windev-1462-c9c.sys. The question would be if it's safe to remove them with the anti-rootkit program or should I do something else to make them go away for good? I'm providing a HJT log after running an antispyware and an antivirus scan. If there is anything else that shouldn't be there please let me know. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 8:03:00 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110054201592
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{11660403-9A7C-4788-85FA-2C5E6F6CBB35}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DB2415-E32F-47E3-8028-6874DF832E79}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{5743A089-4D90-4653-9CE9-3B2DE0F18C40}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A27B4D-FD6B-408E-9692-DB10E36811BB}: NameServer = 143.166.224.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O17 - HKLM\System\CS5\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
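
As an added example, and not code from the thread or from HijackThis itself: a small Python triage pass over lines of the kind in the log above, applying the red flags a log reader checks first. The sample lines are copied from the post; the rules and the severity labels are my own, and the script raises entries for review rather than deciding that an entry is malware. Among the lines above it singles out the O23 service with "Unknown owner" and "(file missing)", the O2 BHO with "(no file)", the third-party O20 Winlogon Notify DLL, and summarises the O17 NameServer entries without passing judgement on the address.

```python
"""Triage pass over HijackThis 1.99 log lines.  Added example; not code from
the thread or from HijackThis.  The rules raise entries for review, they do
not decide that an entry is malware."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str    # HijackThis section tag, e.g. "O23"
    severity: str   # "high", "review" or "info"
    reasons: tuple  # one short reason per rule that fired
    line: str       # the log line (or a summary label) the finding refers to


O2_RE = re.compile(r"^O2 - BHO: .+? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .+: NameServer = (?P<servers>[0-9.,]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<image>.+)$")
SYSTEM32 = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def triage(log_text: str) -> list:
    """Return the Findings for one log, in log order, with a DNS summary last."""
    findings, dns = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            reasons = []
            if m["image"].endswith("(file missing)"):
                reasons.append("service image file missing; dangling service entry")
            if m["owner"] == "Unknown owner":
                reasons.append("no company/version information on the service binary")
                if "microsoft" in m["display"].lower():
                    reasons.append("display name claims Microsoft but the owner is unknown")
            if reasons:
                sev = "high" if m["owner"] == "Unknown owner" else "review"
                findings.append(Finding("O23", sev, tuple(reasons), line))
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("O2", "review",
                    ("BHO CLSID registered but its DLL is gone; orphan entry to fix",), line))
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe; anything outside
            # system32 gets a vendor check before it is left alone.
            if not m["path"].lower().startswith(SYSTEM32):
                findings.append(Finding("O20", "review",
                    ("Winlogon Notify DLL outside system32 loads into winlogon; verify the vendor",), line))
        elif m := O17_RE.match(line):
            dns.update(m["servers"].split(","))
    if dns:
        findings.append(Finding("O17", "info",
            ("adapters resolve via %s; confirm these are the ISP/DHCP resolvers" % ", ".join(sorted(dns)),),
            "O17 NameServer summary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {'; '.join(f.reasons)}\n         {f.line}")
```

Run against the eight sample lines it produces four findings: one high (the msupdate service), two for review (the orphan BHO and the Stardock Winlogon Notify DLL) and one informational DNS summary. The AVG service and the WgaLogon DLL pass every rule, which is the point of keeping the rules narrow.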


#2 RichieUK

  • Malware Response Team
Posted 04 June 2007 - 02:57 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum digitalman959 :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

*****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 digitalman959

Posted 04 June 2007 - 05:56 PM

Hi Richie, my name is Jose and thanks for your quick reply. I ran both the SDFix.exe and the ComboFix.exe and I could install IE7 afterwards. The only strange reaction I've found is that when I turn on the computer and open the web browser it doesn't recognize my connection and the browser starts to work offline (it also happened before installing IE7). After running the repair function I'm able to restore the connection, but it is something that never happened before. Maybe it's not related to what we're doing, but I'm mentioning it just in case. Anyway, here are the logs you requested; please let me know the good, the bad and the ugly.

SDFix: Version 1.86

Run by Admin - Mon 06/04/2007 - 17:46:45.76

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
msupdate
ntldr.sys
windev-1462-c9c

ImagePath:
c:\windows\system32\msvcrtd.exe
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\windev-1462-c9c.sys

msupdate - Deleted
ntldr.sys - Deleted
windev-1462-c9c - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service xpdt - Deleted after Reboot

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\windev-1462-c9c.sys - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\S5SBM5Y3\CA4Z6T4V.HTM - Deleted
C:\Documents and Settings\Admin\www.google.com\favicon.ico - Deleted
C:\Documents and Settings\Admin\www.google.com\index.html - Deleted
C:\Documents and Settings\Admin\www.google.com\thank.html - Deleted
C:\Documents and Settings\Admin\www.google.com\Google_files\hp0.gif - Deleted
C:\Documents and Settings\Admin\www.google.com\Google_files\hp1.gif - Deleted
C:\Documents and Settings\Admin\www.google.com\Google_files\hp2.gif - Deleted
C:\Documents and Settings\Admin\www.google.com\Google_files\hp3.gif - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.tim - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted


Folder "C:\Documents and Settings\Admin\www.google.com" - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:xpdt.sys 78606
Total size: 78606 bytes.

system32: deleted 78606 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Mary\\Local Settings\\Temp\\1550.exe"="C:\\Documents and Settings\\Mary\\Local Settings\\Temp\\1550.exe:*:Disabled:1550"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Jose\www.google.com\favicon.ico
C:\Documents and Settings\Jose\www.google.com\index.html
C:\Documents and Settings\Jose\www.google.com\thank.html
C:\Documents and Settings\Jose\www.google.com\Google_files\hp0.gif
C:\Documents and Settings\Jose\www.google.com\Google_files\hp1.gif
C:\Documents and Settings\Jose\www.google.com\Google_files\hp2.gif
C:\Documents and Settings\Jose\www.google.com\Google_files\hp3.gif
C:\Program Files\BitComet\Downloads\FelicityFey.com\Felicity Fey - Blue on Couch\Thumbs.db
C:\Program Files\BitComet\Downloads\FelicityFey.com\Felicity Fey - On Chair\Thumbs.db
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:

User accounts for \\N-7JWSPST6YHH7O

Admin Administrator ASPNET
Guest HelpAssistant Jose
Mary SUPPORT_388945a0


Finished

_______________________________________________________

"Admin" - 2007-06-04 18:01:08 Service Pack 2 NTFS
ComboFix 07-06-05 - Running from: ""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\i
C:\install.log


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


2007-06-03 09:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-03 09:13 <DIR> d-------- C:\ff50e744667cf96f40de4fbce1683fe6
2007-06-03 09:07 <DIR> d-------- C:\c11f09d7a715aa34e55c
2007-06-02 22:53 <DIR> d-------- C:\3e331689ac819dc4c013d380a6a6f0
2007-06-02 22:48 <DIR> d-------- C:\a620a4c77d65e2affac882f4759a72
2007-06-02 22:36 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-02 22:18 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2007-06-02 22:18 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2007-06-02 22:16 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-02 20:47 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-06-02 20:43 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-06-02 20:43 95,744 --a------ C:\WINDOWS\system32\mqsec.dll
2007-06-02 20:43 9,216 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-06-02 20:43 89,088 --a------ C:\WINDOWS\system32\mqlogmgr.dll
2007-06-02 20:43 78,336 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-06-02 20:43 755,200 --a------ C:\WINDOWS\system32\ir50_32.dll
2007-06-02 20:43 73,728 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-06-02 20:43 73,216 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-06-02 20:43 72,960 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-06-02 20:43 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-06-02 20:43 67,584 --a------ C:\WINDOWS\system32\openfiles.exe
2007-06-02 20:43 660,992 --a------ C:\WINDOWS\system32\mqqm.dll
2007-06-02 20:43 66,560 --a------ C:\WINDOWS\system32\cdm.dll
2007-06-02 20:43 64,000 --a------ C:\WINDOWS\system32\nwwks.dll
2007-06-02 20:43 61,440 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-06-02 20:43 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-02 20:43 596,992 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-06-02 20:43 59,392 --a------ C:\WINDOWS\system32\logman.exe
2007-06-02 20:43 566,784 --a------ C:\WINDOWS\system32\gpedit.dll
2007-06-02 20:43 56,320 --a------ C:\WINDOWS\system32\cipher.exe
2007-06-02 20:43 517,632 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-06-02 20:43 50,176 --a------ C:\WINDOWS\system32\eventcreate.exe
2007-06-02 20:43 48,640 --a------ C:\WINDOWS\system32\mqupgrd.dll
2007-06-02 20:43 471,552 --a------ C:\WINDOWS\system32\mqutil.dll
2007-06-02 20:43 47,104 --a------ C:\WINDOWS\system32\mqdscli.dll
2007-06-02 20:43 44,928 --a------ C:\WINDOWS\system32\drivers\agpcpq.sys
2007-06-02 20:43 43,008 --a------ C:\WINDOWS\system32\drivers\amdagp.sys
2007-06-02 20:43 42,752 --a------ C:\WINDOWS\system32\drivers\alim1541.sys
2007-06-02 20:43 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2007-06-02 20:43 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2007-06-02 20:43 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2007-06-02 20:43 4,608 --a------ C:\WINDOWS\system32\mqsvc.exe
2007-06-02 20:43 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-02 20:43 338,432 --a------ C:\WINDOWS\system32\ir41_qcx.dll
2007-06-02 20:43 30,208 --a------ C:\WINDOWS\system32\asr_fmt.exe
2007-06-02 20:43 295,936 --a------ C:\WINDOWS\system32\appmgr.dll
2007-06-02 20:43 26,624 --a------ C:\WINDOWS\system32\efsadu.dll
2007-06-02 20:43 259,584 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-06-02 20:43 24,064 --a------ C:\WINDOWS\system32\pidgen.dll
2007-06-02 20:43 225,280 --a------ C:\WINDOWS\system32\mqoa.dll
2007-06-02 20:43 200,192 --a------ C:\WINDOWS\system32\ir50_qc.dll
2007-06-02 20:43 198,656 --a------ C:\WINDOWS\system32\gptext.dll
2007-06-02 20:43 192,000 --a------ C:\WINDOWS\system32\iuengine.dll
2007-06-02 20:43 19,968 --a------ C:\WINDOWS\system32\mqbkup.exe
2007-06-02 20:43 186,880 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-06-02 20:43 183,808 --a------ C:\WINDOWS\system32\ir50_qcx.dll
2007-06-02 20:43 18,432 --a------ C:\WINDOWS\system32\secedit.exe
2007-06-02 20:43 177,152 --a------ C:\WINDOWS\system32\mqrt.dll
2007-06-02 20:43 167,936 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-06-02 20:43 163,584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-06-02 20:43 16,896 --a------ C:\WINDOWS\system32\mqise.dll
2007-06-02 20:43 138,240 --a------ C:\WINDOWS\system32\mqad.dll
2007-06-02 20:43 123,392 --a------ C:\WINDOWS\system32\mqrtdep.dll
2007-06-02 20:43 121,856 --a------ C:\WINDOWS\system32\schtasks.exe
2007-06-02 20:43 120,320 --a------ C:\WINDOWS\system32\ir41_qc.dll
2007-06-02 20:43 119,808 --a------ C:\WINDOWS\system32\gpresult.exe
2007-06-02 20:43 117,248 --a------ C:\WINDOWS\system32\mqtgsvc.exe
2007-06-02 20:43 111,104 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-02 20:43 107,520 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-06-02 20:43 1,200,128 --a------ C:\WINDOWS\system32\ntbackup.exe
2007-06-02 20:43 1,134,592 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-06-02 20:42 994,304 --a------ C:\WINDOWS\system32\msgina.dll
2007-06-02 20:42 98,304 --a------ C:\WINDOWS\system32\cscript.exe
2007-06-02 20:42 98,304 --a------ C:\WINDOWS\system32\ahui.exe
2007-06-02 20:42 97,280 --a------ C:\WINDOWS\system32\loadperf.dll
2007-06-02 20:42 96,768 --a------ C:\WINDOWS\system32\psbase.dll
2007-06-02 20:42 94,208 --a------ C:\WINDOWS\system32\odbcint.dll
2007-06-02 20:42 92,672 --a------ C:\WINDOWS\system32\dskquota.dll
2007-06-02 20:42 92,224 --a------ C:\WINDOWS\system32\krnl386.exe
2007-06-02 20:42 92,168 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-06-02 20:42 90,624 --a------ C:\WINDOWS\system32\mydocs.dll
2007-06-02 20:42 9,728 --a------ C:\WINDOWS\system32\gpkrsrc.dll
2007-06-02 20:42 9,344 --a------ C:\WINDOWS\system32\framebuf.dll
2007-06-02 20:42 9,216 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-06-02 20:42 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2007-06-02 20:42 875,008 --a------ C:\WINDOWS\system32\netplwiz.dll
2007-06-02 20:42 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2007-06-02 20:42 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-02 20:42 87,040 --a------ C:\WINDOWS\system32\mprapi.dll
2007-06-02 20:42 87,040 --a------ C:\WINDOWS\system32\drmstor.dll
2007-06-02 20:42 86,016 --a------ C:\WINDOWS\system32\netsh.exe
2007-06-02 20:42 86,016 --a------ C:\WINDOWS\system32\msapsspc.dll
2007-06-02 20:42 85,504 --a------ C:\WINDOWS\system32\makecab.exe
2007-06-02 20:42 85,504 --a------ C:\WINDOWS\system32\diantz.exe
2007-06-02 20:42 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-06-02 20:42 84,992 --a------ C:\WINDOWS\system32\avifil32.dll
2007-06-02 20:42 84,480 --a------ C:\WINDOWS\system32\mciavi32.dll
2007-06-02 20:42 84,480 --a------ C:\WINDOWS\system32\cabview.dll
2007-06-02 20:42 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2007-06-02 20:42 83,456 --a------ C:\WINDOWS\system32\olepro32.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 20:10:15 -------- d-----w C:\Program Files\eMule
2007-06-03 02:15:54 -------- d-----w C:\Program Files\Movie Maker
2007-06-03 02:15:37 -------- d-----w C:\Program Files\Windows NT
2007-06-03 00:24:13 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-02 20:46:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 21:01:51 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\CopyToDvd
2007-05-27 20:17:47 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\1ClickDVDCopy
2007-05-26 01:31:57 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-25 00:53:54 -------- d-----w C:\Program Files\Online Services
2007-05-17 21:45:24 2,504 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-17 15:25:51 -------- d-----w C:\Program Files\Conquer 2.0
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 15:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-01 19:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-06-03 12:42]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\ServicePackFiles\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\WINDOWS\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System update]
C:\DOCUME~1\Admin\LOCALS~1\Temp\1550.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]
C:\WINDOWS\system32\ntos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xem]
C:\WINDOWS\ServicePackFiles\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-01 21:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-06-01 21:15:00 C:\WINDOWS\tasks\1-Klick-Wartung.job
2007-06-03 14:09:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 18:04:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-04 18:06:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 18:06

--- E O F ---

__________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 6:47:28 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110054201592
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{11660403-9A7C-4788-85FA-2C5E6F6CBB35}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DB2415-E32F-47E3-8028-6874DF832E79}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{5743A089-4D90-4653-9CE9-3B2DE0F18C40}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A27B4D-FD6B-408E-9692-DB10E36811BB}: NameServer = 143.166.224.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
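
The SDFix report above is worth pausing on. The driver was not a file at all but a named NTFS stream attached to the system32 directory itself (reported as `C:\WINDOWS\system32` followed by `:xpdt.sys`, 78606 bytes), which is why a file listing never showed it, and the service ImagePaths SDFix removed pointed at a driver sitting in the drive root (`\??\C:\ntldr.sys`) and at a binary with a system-sounding name and no owner. As an added example that is not part of the thread or of SDFix, the Python below does both halves of that check: it enumerates named streams on files and on directories through the Win32 FindFirstStreamW API (present from Windows Vista onward; on an XP machine of this vintage a tool such as Sysinternals Streams does the same job), and it classifies image paths by shape alone. The service table is constructed from the report; three paths are copied verbatim and the `xpdt` path is an assumption, since SDFix printed only the stream name.

```python
"""Find NTFS alternate data streams and flag ADS-hosted or oddly placed
service images.  Added example; not from the thread or from SDFix."""
import ctypes
import os
import re
import sys

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout filled in by FindFirstStreamW / FindNextStreamW (MAX_PATH + 36 chars).
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


STREAM_NAME_RE = re.compile(r"^:(?P<name>[^:]*):\$(?P<kind>[A-Z_]+)$")


def is_default_stream(stream_name: str) -> bool:
    """True only for the unnamed data stream '::$DATA'.  A named stream such
    as ':xpdt.sys:$DATA' is the form the driver above was hidden in."""
    m = STREAM_NAME_RE.match(stream_name)
    return bool(m) and m["name"] == "" and m["kind"] == "DATA"


def list_streams(path: str) -> list:
    """[(stream_name, size)] for the named streams on a file OR a directory.
    Needs the Win32 API (FindFirstStreamW exists from Vista onward)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, INVALID_HANDLE_VALUE):
        return []  # no streams at all, not NTFS, or access denied
    found = []
    try:
        while True:
            if not is_default_stream(data.cStreamName):
                found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found


def find_ads(root: str) -> dict:
    """Map every file and directory under root (root included) that carries a
    named stream to its streams.  Directories are checked on purpose."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for target in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            streams = list_streams(target)
            if streams:
                hits[target] = streams
    return hits


ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")   # second ':' -> names a stream
ROOT_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")      # binary directly in the drive root


def classify_image_path(image_path: str) -> str:
    """Shape-only verdict for a service/driver/startup image path:
    'ads', 'root', 'temp' or 'ok'.  'ok' means the shape is unremarkable."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):  # NT object-manager prefix drivers are registered with
        p = p[4:]
    if ADS_PATH_RE.match(p):
        return "ads"
    if ROOT_PATH_RE.match(p):
        return "root"
    low = p.lower()
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        return "temp"
    return "ok"


def suspicious_services(services: dict) -> dict:
    """Keep only the services whose image path shape is not 'ok'."""
    verdicts = {name: classify_image_path(path) for name, path in services.items()}
    return {name: v for name, v in verdicts.items() if v != "ok"}


# Constructed from the SDFix report above.  Three paths are copied verbatim;
# the xpdt path is an assumption, because SDFix printed only the stream name.
SAMPLE_SERVICES = {
    "msupdate": r"c:\windows\system32\msvcrtd.exe",
    "ntldr.sys": r"\??\C:\ntldr.sys",
    "windev-1462-c9c": r"\??\C:\WINDOWS\system32\windev-1462-c9c.sys",
    "xpdt": r"\??\C:\WINDOWS\system32:xpdt.sys",
}

if __name__ == "__main__":
    print(suspicious_services(SAMPLE_SERVICES))  # {'ntldr.sys': 'root', 'xpdt': 'ads'}
    if sys.platform == "win32":
        for path, streams in find_ads(r"C:\Windows\System32").items():
            print(path, streams)
```

Note what the shape check does not catch: `windev-1462-c9c.sys` sat in system32 under a plausible name and `msvcrtd.exe` likewise, so both come back as `ok`. Path shape is one signal to run over a service list, not a substitute for checking each service's owner, signature and whether the file exists, which is exactly what the HijackThis O23 line and the SDFix service pass were doing.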

#4 RichieUK

  • Malware Response Team
Posted 05 June 2007 - 06:36 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - (no file)

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

********************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Post the BitDefender Online Scanner log,the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.


#5 digitalman959

digitalman959
  • Topic Starter

  • Members
  • 9 posts

Posted 05 June 2007 - 10:45 PM

I ran both programs but I mistakenly closed AVG before saving the report. I ran another scan but since it didn't find anything it didn't produce a report. The first one only found about 16 tracking cookies. I'm including the BitDefender report and a new HJT log. The computer has improved its performance; so far I haven't noticed anything suspicious. The internet connection problem I told you about yesterday seems to be gone too. Please let me know, when you can, your thoughts on what infections I had and how serious they were. Of course, if you think that we still have work to do, just let me know.

BitDefender Online Scanner

Scan report generated at: Tue, Jun 05, 2007 - 23:27:10

Scan path: C:\Documents and Settings\Admin\My Documents;C:\Documents and Settings\Jose\My Documents;C:\Documents and Settings\Mary\My Documents;C:\Documents and Settings\All Users\Documents;C:\;C:\Documents and Settings\Admin\My Documents;

Statistics
Time: 01:27:05
Files: 308152
Folders: 4800
Boot Sectors: 4
Archives: 7532
Packed Files: 10077

Results
Identified Viruses: 5
Infected Files: 11
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 13

Engines Info
Virus Definitions: 512020
Engine build: AVCORE v1.0 (build 2409) (i386) (May 9 2007 18:01:21)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-13533f30-21aa39ea.zip=>BnnnnBaa.class
    Infected with: Java.Trojan.Exploit.Bytverify
    Disinfection failed
    Deleted
C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-13533f30-21aa39ea.zip
    Updated

C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-13533f30-21aa39ea.zip=>Dnnny.class
    Infected with: Java.Trojan.Exploit.Bytverify
    Disinfection failed
    Deleted
C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-13533f30-21aa39ea.zip
    Updated

C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-794f21-74b87de7.zip=>BnnnnBaa.class
    Infected with: Java.Trojan.Exploit.Bytverify
    Disinfection failed
    Deleted
C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-794f21-74b87de7.zip
    Updated

C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-794f21-74b87de7.zip=>Dnnny.class
    Infected with: Java.Trojan.Exploit.Bytverify
    Disinfection failed
    Deleted
C:\Documents and Settings\Jose\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-794f21-74b87de7.zip
    Updated

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil2709A6C1.dat=>(gzip)
    Infected with: Trojan.Peed.HST
    Disinfection failed
    Deleted
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil2709A6C1.dat
    Update failed

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil2C0C2CC4.dat=>(gzip)
    Suspected of: Trojan.ZPack.A
    Disinfection failed
    Deleted
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil2C0C2CC4.dat
    Update failed

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil6AA306C4.dat=>(gzip)
    Suspected of: Trojan.ZPack.A
    Disinfection failed
    Deleted
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\fil6AA306C4.dat
    Update failed

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filEEB43E99.dat=>(gzip)
    Infected with: Trojan.Peed.HST
    Disinfection failed
    Deleted
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\filEEB43E99.dat
    Update failed

C:\RECYCLER\S-1-5-21-1844237615-1343024091-1060284298-1006\Dc2.tmp
    Infected with: Trojan.Grum.F
    Disinfection failed
    Deleted

C:\SDFix\backups\backups.zip=>backups/windev-1462-c9c.sys
    Infected with: Trojan.Peed.OD
    Disinfection failed
    Deleted
C:\SDFix\backups\backups.zip
    Updated

C:\System Volume Information\_restore{8F3DC337-F381-424F-9390-547027E7A464}\RP4\A0016953.sys
    Infected with: Trojan.Peed.OD
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{8F3DC337-F381-424F-9390-547027E7A464}\RP4\A0016960.sys
    Infected with: Trojan.Peed.OD
    Disinfection failed
    Deleted

C:\WINDOWS\system32\Down(1).exe
    Infected with: Backdoor.Hupigon.ELI
    Disinfection failed
    Deleted


___________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 11:28:54 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110054201592
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{11660403-9A7C-4788-85FA-2C5E6F6CBB35}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DB2415-E32F-47E3-8028-6874DF832E79}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{5743A089-4D90-4653-9CE9-3B2DE0F18C40}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A27B4D-FD6B-408E-9692-DB10E36811BB}: NameServer = 143.166.224.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
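The HijackThis logs in this thread are read by eye, line by line. As an added example that is not part of the thread or of HijackThis itself, the small parser below pulls out the three things a reviewer checks first in such a log: entries whose target file is gone (the "(no file)" and "(file missing)" lines the helper has HijackThis fix), the O17 per-interface NameServer values (so they can be compared against the resolver the machine is supposed to use), and the O20 Winlogon Notify DLLs. The sample log is constructed from lines copied out of the logs above; the `allowed` resolver list passed to `unexpected_nameservers` is an assumption the caller supplies.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7D8A0B-EB16-4D8A-80E9-DA67A1035CFD}: NameServer = 143.166.224.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{11660403-9A7C-4788-85FA-2C5E6F6CBB35}: NameServer = 143.166.224.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O17 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# O17 body: "...\Tcpip\..\{interface GUID}: NameServer = a.b.c.d[,e.f.g.h]"
NAMESERVER_RE = re.compile(r"\\(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d., ]+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return one (section, body) tuple per entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dangling_entries(entries):
    """Entries whose target file no longer exists. These are leftovers rather than
    live code, but they are exactly what HijackThis is asked to 'fix' in this thread."""
    return [e for e in entries if e[1].endswith(MISSING_MARKERS)]


def nameservers(entries):
    """Map each interface GUID from an O17 line to the static DNS servers set on it."""
    result = {}
    for section, body in entries:
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if m:
            result[m.group("iface")] = re.split(r"[,\s]+", m.group("servers").strip())
    return result


def unexpected_nameservers(entries, allowed):
    """Interfaces pointed at a resolver outside the allowed set (classic DNS hijack check)."""
    allowed = set(allowed)
    return {iface: servers for iface, servers in nameservers(entries).items()
            if not set(servers) <= allowed}


def winlogon_notify(entries):
    """O20 entries: DLLs winlogon.exe loads at logon, a common persistence point."""
    out = []
    prefix = "Winlogon Notify: "
    for section, body in entries:
        if section == "O20" and body.startswith(prefix):
            name, _, path = body[len(prefix):].partition(" - ")
            out.append((name, path))
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("dangling:", dangling_entries(parsed))
    print("nameservers:", nameservers(parsed))
    print("winlogon notify:", winlogon_notify(parsed))
```

Feeding a real log through `unexpected_nameservers` with the ISP's or the company's resolver as `allowed` turns the O17 block, which the logs above repeat five times, into a one-line yes/no answer.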

#6 digitalman959

digitalman959
  • Topic Starter

  • Members
  • 9 posts

Posted 05 June 2007 - 10:56 PM

Before leaving, I logged on to a non-administrator account I have and as soon as I log on there's a message saying that Windows can't find the file Windows\ServicePackFiles\services.exe. When I hit OK I get another one saying that if the file doesn't exist I should delete the reference from the registry. FYI.

Regards.

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 06 June 2007 - 05:57 AM

Before leaving, I logged on to a non-administrator account I have and as soon as I log on there's a message saying that Windows can't find the file Windows\ServicePackFiles\services.exe. When I hit OK I get another one saying that if the file doesn't exist I should delete the reference from the registry.

Copy and paste the following text into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xem]

*************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Exit HijackThis.

*************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
SDFix.exe
Combofix

C:\SDFix
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

#8 digitalman959

digitalman959
  • Topic Starter

  • Members
  • 9 posts

Posted 07 June 2007 - 07:46 AM

Everything's done now. The machine is working fine so far, but there are a couple of things that I would like your opinion on. First, I applied the fix.reg you sent me but I still have the services.exe message every time I log on to my non-admin account. I can still work on the account but I would like to know if this can be fixed. Second, I checked the startup programs in my msconfig and I found three entries that I had unchecked before because I suspected that they were infection-related (this was before we started this process). One is 1550, the other is ntos, and the third one I can't recall the name of right now. I started all this because I had found the ntos entry and when I searched and found that it was malware-related I tried to remove it. After that we got to the point where I asked for help here. Is there a way to remove those entries?

Last but not least, let me thank you for your excellent assistance in this matter. :thumbsup:

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 07 June 2007 - 08:10 AM

First, I applied the fix.reg you sent me but I still have the services.exe message every time I log on to my non-admin account. I can still work on the account but I would like to know if this can be fixed.

Log onto your non-admin account and run Combofix,post the Combofix.txt into your next reply.

Second, I checked the startup programs in my msconfig and I found three entries that I had unchecked before because I suspected that they were infection-related (this was before we started this process). One is 1550, the other is ntos, and the third one I can't recall the name of right now. I started all this because I had found the ntos entry and when I searched and found that it was malware-related I tried to remove it. After that we got to the point where I asked for help here. Is there a way to remove those entries?

To remove disabled items from the startup list in msconfig:
Click on Start/Run,type regedit then press Ok.
Navigate to the two following registry locations and delete the unwanted subkeys of:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

If you're unsure what you're doing,backup the registry first by doing the following:
Click on Start > Run, copy and paste the following text into the 'Open:' space, then press Ok.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything,that's normal.
Your mouse pointer may have an hour glass along side it for a minute or so.
Please be patient and continue when the hour glass disappears.
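The fix.reg in post #7 and the regedit steps above do the same job by hand: delete the subkeys msconfig keeps for items you unticked, after taking a registry backup. As an added example that is not part of the thread (RichieUK's own instructions are the .reg file and the regedit walk-through), here is that cleanup scripted in PowerShell. It assumes PowerShell 2.0 or later in an administrator session; the key names 'ntos' and '1550' come from the poster's description and stand in for whatever your own msconfig lists; the backup file name is my choice. The last step lists the Run key of every loaded user hive, because HKCU entries are per account, which is the point behind the poster's multi-account question in the next post.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell (2.0 or later).
$msconfigKey = 'HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig'
$backupFile  = Join-Path $env:SystemDrive 'msconfig-backup.reg'   # assumed name

# 1. Back up only the MSConfig branch. The poster's full 'regedit /e' export came out at
#    69 MB (C:\registrybackup.reg in the ComboFix log); this one is a few kilobytes and
#    restores with a double-click just the same.
reg export $msconfigKey $backupFile /y | Out-Null

# 2. Show every disabled entry msconfig still remembers, with the command it originally ran.
#    'startupreg' holds items disabled from Run keys, 'startupfolder' those from Startup folders.
$roots = @("HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg",
           "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder")
$leftovers = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Key     = $_.PSChildName
            Command = $v.command
            # startupreg records the hive and key it came from; startupfolder records the folder
            Origin  = if ($v.key) { "$($v.hkey)\$($v.key)" } else { $v.location }
        }
    }
}
$leftovers | Format-Table Key, Origin, Command -AutoSize

# 3. Remove the named leftovers (the entries the poster mentioned; edit to taste).
$unwanted = @('ntos', '1550')
foreach ($name in $unwanted) {
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\$name"
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse
        Write-Host "removed $key"
    } else {
        Write-Host "not present: $key"
    }
}

# 4. HKCU\...\Run belongs to whichever account is logged on, so a scan run from the admin
#    account never sees another user's entries. List the Run key of every user hive currently
#    loaded under HKEY_USERS (only logged-on accounts are loaded; log each account on first).
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $run = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $run) {
            (Get-ItemProperty -Path $run).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { "{0}  {1} = {2}" -f $sid, $_.Name, $_.Value }
        }
    }
```

Step 2 runs before step 3 on purpose: the `Origin` column tells you which Run key the item was disabled from, so if an entry turns out to be something you still want, you know where to put it back instead of restoring the whole backup.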

#10 digitalman959

digitalman959
  • Topic Starter

  • Members
  • 9 posts

Posted 08 June 2007 - 06:30 AM

I ran ComboFix and it fixed the services.exe thing, but I noticed that on another admin account I have, I ran HJT and found the services.exe entry. I know how to fix it now since the entry was completely removed from the non-admin account after running ComboFix. My question now is, how careful do I have to be when scanning and removing things on my PC when I have at least three accounts? Like, do I have to run everything (spyware or antivirus scans and other removal tools) on each account? I was always under the impression that everything you do from the admin account affects the rest of the machine. Please give me your thoughts about this or let me know if you have seen a post covering the topic of having more than one account on the computer. Thanks!

OK, now here's the ComboFix log.

Regards.



"Jose" - 2007-06-08 6:01:19 Service Pack 2 NTFS
ComboFix 07-06-06 - Running from: ""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Jose\www.google.com\favicon.ico
C:\Documents and Settings\Jose\www.google.com\google_files
C:\Documents and Settings\Jose\www.google.com\google_files\hp0.gif
C:\Documents and Settings\Jose\www.google.com\google_files\hp1.gif
C:\Documents and Settings\Jose\www.google.com\google_files\hp2.gif
C:\Documents and Settings\Jose\www.google.com\google_files\hp3.gif
C:\Documents and Settings\Jose\www.google.com\index.html
C:\Documents and Settings\Jose\www.google.com\thank.html


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-07 18:31 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-07 17:35 69,199,326 --a------ C:\registrybackup.reg
2007-06-06 21:54 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-06-05 23:45 <DIR> d-------- C:\DOCUME~1\Jose\APPLIC~1\TuneUp Software
2007-06-05 21:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-04 18:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 09:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-03 09:13 <DIR> d-------- C:\ff50e744667cf96f40de4fbce1683fe6
2007-06-03 09:07 <DIR> d-------- C:\c11f09d7a715aa34e55c
2007-06-02 22:53 <DIR> d-------- C:\3e331689ac819dc4c013d380a6a6f0
2007-06-02 22:48 <DIR> d-------- C:\a620a4c77d65e2affac882f4759a72
2007-06-02 22:36 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-02 22:18 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2007-06-02 22:18 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2007-06-02 22:16 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-02 20:47 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-06-02 20:43 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-06-02 20:43 95,744 --a------ C:\WINDOWS\system32\mqsec.dll
2007-06-02 20:43 92,504 --a------ C:\WINDOWS\system32\cdm.dll
2007-06-02 20:43 9,216 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-06-02 20:43 89,088 --a------ C:\WINDOWS\system32\mqlogmgr.dll
2007-06-02 20:43 78,336 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-06-02 20:43 755,200 --a------ C:\WINDOWS\system32\ir50_32.dll
2007-06-02 20:43 73,728 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-06-02 20:43 73,216 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-06-02 20:43 72,960 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-06-02 20:43 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-06-02 20:43 67,584 --a------ C:\WINDOWS\system32\openfiles.exe
2007-06-02 20:43 660,992 --a------ C:\WINDOWS\system32\mqqm.dll
2007-06-02 20:43 65,536 --a------ C:\WINDOWS\system32\nwwks.dll
2007-06-02 20:43 61,440 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-06-02 20:43 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-02 20:43 596,992 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-06-02 20:43 59,392 --a------ C:\WINDOWS\system32\logman.exe
2007-06-02 20:43 566,784 --a------ C:\WINDOWS\system32\gpedit.dll
2007-06-02 20:43 56,320 --a------ C:\WINDOWS\system32\cipher.exe
2007-06-02 20:43 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-02 20:43 517,632 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-06-02 20:43 50,176 --a------ C:\WINDOWS\system32\eventcreate.exe
2007-06-02 20:43 48,640 --a------ C:\WINDOWS\system32\mqupgrd.dll
2007-06-02 20:43 471,552 --a------ C:\WINDOWS\system32\mqutil.dll
2007-06-02 20:43 47,104 --a------ C:\WINDOWS\system32\mqdscli.dll
2007-06-02 20:43 44,928 --a------ C:\WINDOWS\system32\drivers\agpcpq.sys
2007-06-02 20:43 43,008 --a------ C:\WINDOWS\system32\drivers\amdagp.sys
2007-06-02 20:43 42,752 --a------ C:\WINDOWS\system32\drivers\alim1541.sys
2007-06-02 20:43 42,368 --a------ C:\WINDOWS\system32\drivers\agp440.sys
2007-06-02 20:43 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2007-06-02 20:43 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2007-06-02 20:43 4,608 --a------ C:\WINDOWS\system32\mqsvc.exe
2007-06-02 20:43 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-02 20:43 338,432 --a------ C:\WINDOWS\system32\ir41_qcx.dll
2007-06-02 20:43 30,208 --a------ C:\WINDOWS\system32\asr_fmt.exe
2007-06-02 20:43 295,936 --a------ C:\WINDOWS\system32\appmgr.dll
2007-06-02 20:43 26,624 --a------ C:\WINDOWS\system32\efsadu.dll
2007-06-02 20:43 259,584 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-06-02 20:43 24,064 --a------ C:\WINDOWS\system32\pidgen.dll
2007-06-02 20:43 225,280 --a------ C:\WINDOWS\system32\mqoa.dll
2007-06-02 20:43 200,192 --a------ C:\WINDOWS\system32\ir50_qc.dll
2007-06-02 20:43 198,656 --a------ C:\WINDOWS\system32\gptext.dll
2007-06-02 20:43 192,000 --a------ C:\WINDOWS\system32\iuengine.dll
2007-06-02 20:43 19,968 --a------ C:\WINDOWS\system32\mqbkup.exe
2007-06-02 20:43 186,880 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-06-02 20:43 183,808 --a------ C:\WINDOWS\system32\ir50_qcx.dll
2007-06-02 20:43 18,432 --a------ C:\WINDOWS\system32\secedit.exe
2007-06-02 20:43 177,152 --a------ C:\WINDOWS\system32\mqrt.dll
2007-06-02 20:43 167,936 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-06-02 20:43 163,584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-06-02 20:43 16,896 --a------ C:\WINDOWS\system32\mqise.dll
2007-06-02 20:43 138,240 --a------ C:\WINDOWS\system32\mqad.dll
2007-06-02 20:43 123,392 --a------ C:\WINDOWS\system32\mqrtdep.dll
2007-06-02 20:43 121,856 --a------ C:\WINDOWS\system32\schtasks.exe
2007-06-02 20:43 120,320 --a------ C:\WINDOWS\system32\ir41_qc.dll
2007-06-02 20:43 119,808 --a------ C:\WINDOWS\system32\gpresult.exe
2007-06-02 20:43 117,248 --a------ C:\WINDOWS\system32\mqtgsvc.exe
2007-06-02 20:43 107,520 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-06-02 20:43 1,710,936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-06-02 20:43 1,200,128 --a------ C:\WINDOWS\system32\ntbackup.exe
2007-06-02 20:42 994,304 --a------ C:\WINDOWS\system32\msgina.dll
2007-06-02 20:42 981,760 --a------ C:\WINDOWS\system32\mfc42u.dll
2007-06-02 20:42 98,304 --a------ C:\WINDOWS\system32\cscript.exe
2007-06-02 20:42 98,304 --a------ C:\WINDOWS\system32\ahui.exe
2007-06-02 20:42 97,280 --a------ C:\WINDOWS\system32\loadperf.dll
2007-06-02 20:42 96,768 --a------ C:\WINDOWS\system32\psbase.dll
2007-06-02 20:42 94,208 --a------ C:\WINDOWS\system32\odbcint.dll
2007-06-02 20:42 92,672 --a------ C:\WINDOWS\system32\dskquota.dll
2007-06-02 20:42 92,224 --a------ C:\WINDOWS\system32\krnl386.exe
2007-06-02 20:42 92,168 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-06-02 20:42 90,624 --a------ C:\WINDOWS\system32\mydocs.dll
2007-06-02 20:42 9,728 --a------ C:\WINDOWS\system32\gpkrsrc.dll
2007-06-02 20:42 9,344 --a------ C:\WINDOWS\system32\framebuf.dll
2007-06-02 20:42 9,216 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-06-02 20:42 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2007-06-02 20:42 875,008 --a------ C:\WINDOWS\system32\netplwiz.dll
2007-06-02 20:42 87,552 --a------ C:\WINDOWS\system32\fldrclnr.dll
2007-06-02 20:42 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-02 20:42 87,040 --a------ C:\WINDOWS\system32\mprapi.dll
2007-06-02 20:42 87,040 --a------ C:\WINDOWS\system32\drmstor.dll
2007-06-02 20:42 86,016 --a------ C:\WINDOWS\system32\netsh.exe
2007-06-02 20:42 86,016 --a------ C:\WINDOWS\system32\msapsspc.dll
2007-06-02 20:42 85,504 --a------ C:\WINDOWS\system32\makecab.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 02:42:13 -------- d-----w C:\Program Files\eMule
2007-06-07 01:37:41 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-03 02:15:54 -------- d-----w C:\Program Files\Movie Maker
2007-06-03 02:15:37 -------- d-----w C:\Program Files\Windows NT
2007-06-02 20:46:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 01:31:57 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-25 00:53:54 -------- d-----w C:\Program Files\Online Services
2007-05-17 21:45:24 2,504 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-17 15:25:51 -------- d-----w C:\Program Files\Conquer 2.0
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-01 19:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-06-03 12:42]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-01 21:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-06-01 21:15:00 C:\WINDOWS\tasks\1-Klick-Wartung.job
2007-06-03 14:09:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 06:03:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 6:04:18
C:\ComboFix-quarantined-files.txt ... 2007-06-08 06:04

--- E O F ---

#11 RichieUK
  • Malware Response Team
  • 13,614 posts

Posted 08 June 2007 - 07:59 AM

My question now is, how careful do I have to be when scanning and removing things on my PC when I have at least three accounts? Like, do I have to run everything (spyware or antivirus scans and other removal tools) on each account?

You should run all the scans on all user accounts on your PC; the ComboFix results above prove it.
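The reply's point (a scan run from one account misses what is planted in another) is visible in the log itself: the Reg Loading Points section shows a single HKEY_CURRENT_USER Run key, which is only the hive of whoever ran ComboFix, while other users' NTUSER.DAT hives stay unloaded until those users log on. The following is an added example, not code from the thread or from ComboFix/HijackThis, that enumerates the Run/RunOnce entries of every local profile by temporarily loading each logged-off user's hive. It assumes an elevated PowerShell prompt, the default ProfileList layout and a working reg.exe; the mount name Scan_<SID> and the function name Get-RunEntries are this example's own.

```powershell
# Added example: list per-user Run/RunOnce autostarts for ALL local profiles,
# including accounts that are not logged on. Assumes elevated PowerShell,
# default ProfileList layout, reg.exe on PATH. Not part of the original thread.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$runSubkeys  = @('Software\Microsoft\Windows\CurrentVersion\Run',
                 'Software\Microsoft\Windows\CurrentVersion\RunOnce')

function Get-RunEntries([string]$hiveRoot, [string]$account) {
    # $hiveRoot is a key under HKEY_USERS, e.g. HKEY_USERS\S-1-5-21-... (hypothetical name).
    foreach ($sub in $runSubkeys) {
        $key = "Registry::$hiveRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [PSCustomObject]@{
                Account = $account
                Key     = $sub
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
        $item.Close()   # release the handle so a temporarily mounted hive can be unloaded
    }
}

$results = foreach ($sidKey in Get-ChildItem $profileList) {
    $sid         = $sidKey.PSChildName
    $profilePath = (Get-ItemProperty $sidKey.PSPath).ProfileImagePath   # REG_EXPAND_SZ is expanded
    $hive        = Join-Path $profilePath 'NTUSER.DAT'

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive is already loaded (account is logged on): read it in place.
        Get-RunEntries "HKEY_USERS\$sid" $profilePath
    }
    elseif (Test-Path $hive) {
        # Logged-off account: mount its hive under a temporary name, read it, unload it.
        $mount = "Scan_$sid"
        & reg.exe load "HKU\$mount" $hive | Out-Null
        if ($LASTEXITCODE -eq 0) {
            try     { Get-RunEntries "HKEY_USERS\$mount" $profilePath }
            finally { [GC]::Collect(); & reg.exe unload "HKU\$mount" | Out-Null }
        }
        else {
            Write-Warning "Could not load $hive (locked or inaccessible)"
        }
    }
}

$results | Sort-Object Account, Key, Name | Format-Table -AutoSize
```

The mount is not persistent: reg.exe unload runs in the finally block even if reading fails. Only the per-user load points need this treatment; the HKEY_LOCAL_MACHINE entries in the log above (Browser Helper Objects, the HKLM Run key, ShellExecuteHooks, the LSA Notification Packages, msconfig's service list) are machine-wide and are covered by a single scan. Each profile's own Start Menu\Programs\Startup folder is likewise per-user and should be checked for every account as well.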