
Tough Infection


3 replies to this topic

#1 Linthorn

Linthorn

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 06 June 2007 - 09:15 AM

I've run spy-bot, Lavasoft, and ComboFix and still get loads of hits when I scan. Here is my Log

Logfile of HijackThis v1.99.1
Scan saved at 09:58, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\slClient.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Daemon\daemon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\SYSTEM32\?ppPatch\l?ass.exe
C:\DOCUME~1\delynch\MYDOCU~1\CROSOF~1.NET\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\delynch\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: WordReferenceEnIt - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.Exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\delynch\MYDOCU~1\CROSOF~1.NET\wuauclt.exe" -vt ndrv
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'ctxnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://asrcfharchive.domain.asrcaerospace.com
O15 - Trusted Zone: csg.asrcaerospace.com
O15 - Trusted Zone: bai.integear.net
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://portal.domain.asrcaerospace.com/Web...bsiteViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144416450279
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://cag.asrcfederal.com/net6helper.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/defin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-p.../ra/ieatgpc.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://csg.asrcfederal.com/asrcfh/cds/CGC/en/CSGProxy.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.asrcaerospace.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 06 June 2007 - 02:13 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Linthorn :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

**************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


**************************

Now go to:
C:\Documents and Settings\delynch\Desktop\hijackthis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename' and rename it to xyz.bat.
Double click on xyz.bat (which is still HijackThis.exe) and post that log into your next reply, please.

#3 Linthorn

Linthorn
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 06 June 2007 - 11:16 PM

OK, I did everything (note, I continued to try fixing it before I knew how quickly you would respond). VundoFix identified the Vundo files and claims it deleted them. Here are my logs. (Why did I rename HJT?)

After everything I rebooted the system and it appears that it is finally clean. Thanks so much. I can't say I would have guessed that sequence.


VundoFix V6.4.2

Checking Java version...

Scan started at 9:37:41 PM 06-06-07

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\cbxvurs.dll
C:\WINDOWS\SYSTEM32\jthxjver.ini
C:\WINDOWS\SYSTEM32\ljhgeee.dll
C:\WINDOWS\SYSTEM32\pmnooom.dll
C:\WINDOWS\system32\pqpoq.bak1
C:\WINDOWS\system32\pqpoq.ini
C:\WINDOWS\system32\pqpoq.ini2
C:\WINDOWS\system32\pqpoq.tmp
C:\WINDOWS\SYSTEM32\qomljkk.dll
C:\WINDOWS\system32\qopqp.dll
C:\WINDOWS\SYSTEM32\revjxhtj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\cbxvurs.dll
C:\WINDOWS\SYSTEM32\cbxvurs.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\jthxjver.ini
C:\WINDOWS\SYSTEM32\jthxjver.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ljhgeee.dll
C:\WINDOWS\SYSTEM32\ljhgeee.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pmnooom.dll
C:\WINDOWS\SYSTEM32\pmnooom.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pqpoq.bak1
C:\WINDOWS\system32\pqpoq.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqpoq.ini
C:\WINDOWS\system32\pqpoq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqpoq.ini2
C:\WINDOWS\system32\pqpoq.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqpoq.tmp
C:\WINDOWS\system32\pqpoq.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qomljkk.dll
C:\WINDOWS\SYSTEM32\qomljkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qopqp.dll
C:\WINDOWS\system32\qopqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\revjxhtj.dll
C:\WINDOWS\SYSTEM32\revjxhtj.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\pmnooom.dll
C:\WINDOWS\SYSTEM32\pmnooom.dll Has been deleted!

Performing Repairs to the registry.
Done!


"delynch" - 2007-06-06 21:59:27 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\delynch\Desktop\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\delynch\MYDOCU~1\CROSOF~1.NET
C:\WINDOWS\SYSTEM32\SMANTE~1


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-06 21:37 <DIR> d-------- C:\VundoFix Backups
2007-06-06 15:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 15:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-06 15:40 <DIR> d-------- C:\DOCUME~1\delynch\APPLIC~1\SUPERAntiSpyware.com
2007-06-06 15:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 00:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 23:38 1,112,271 --a------ C:\ComboFix.exe
2007-06-05 15:48 14,868 --a------ C:\WINDOWS\SYSTEM32\qhbpvjuw.exe
2007-06-05 15:48 10,752 --a------ C:\WINDOWS\SYSTEM32\j0221339.dll
2007-06-05 15:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\ąppPatch
2007-06-05 15:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\TQ0
2007-06-05 15:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\T6
2007-06-05 15:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\T1QaSQ
2007-06-05 15:30 <DIR> d-------- C:\Temp\x2b
2007-06-05 15:30 <DIR> d-------- C:\Temp
2007-05-30 14:40 607,744 --a------ C:\WINDOWS\LkMEUninst.exe
2007-05-30 14:40 475,136 --a------ C:\WINDOWS\LK_C4.DLL
2007-05-30 11:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-30 11:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-05-15 13:33 <DIR> d-------- C:\Program Files\WebEx
2007-05-15 11:08 32,592 --a------ C:\WINDOWS\SYSTEM32\msonpmon.dll
2007-05-15 10:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-05-08 16:12 <DIR> d-------- C:\Program Files\Mindjet
2007-05-08 16:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mindjet


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 20:58:46 -------- d-----w C:\Program Files\TextAloud
2007-06-06 04:35:15 -------- d-----w C:\Program Files\Google
2007-06-06 04:30:13 -------- d-----w C:\Program Files\Intel
2007-06-06 03:56:14 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-30 18:40:56 -------- d-----w C:\Program Files\LearnKey
2007-05-24 15:13:23 -------- d-----w C:\Program Files\Quicken
2007-05-17 14:52:42 34,000 ----a-w C:\DOCUME~1\delynch\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-03 19:20:35 249,856 ------w C:\WINDOWS\Setup1.exe
2007-05-03 19:20:30 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-05-01 05:16:48 90,112 ----a-w C:\WINDOWS\TIRHService.exe
2007-04-24 18:43:39 -------- d-----w C:\Program Files\Microsoft Bootvis
2007-04-24 18:18:15 -------- d-----w C:\Program Files\Investintech.com Inc
2007-03-30 06:37:40 200,263 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{086AA333-5B78-4095-8659-F1662121BC3A}=C:\WINDOWS\system32\qopqp.dll []
{08C134D3-087C-4139-A98C-3A078358DFDE}=C:\WINDOWS\system32\pmnooom.dll []
{492AAE61-8CB8-4A65-84B0-509E1C0C06E2}=\ [2007-06-06 21:59]
{AC41D38F-B56D-40AD-94E0-B493D130C959}=C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll [2006-12-14 00:23]
{B16F8052-1A10-4967-9F98-1A21ECC782F2}=C:\PROGRA~1\WORDRE~1\tbu1C6\WORDRE~1.DLL []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 01:07]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 18:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 15:30]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2002-12-17 22:16]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"DAEMON Tools-1033"="C:\Program Files\Daemon\daemon.exe" [2004-08-22 17:05]
"@"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"WinVNC"="C:\Program Files\ORL\VNC\WinVNC.exe" [2001-03-16 15:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 17:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\WINDOWS\system32\pmnooom.dll" []
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnooom]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qopqp]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-20216\Scripts\Logon\0\0]
"Script"=execmgmt2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-20216\Scripts\Logon\1\0]
"Script"=hrnt.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-20216\Scripts\Logon\1\1]
"Script"=IT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-20216\Scripts\Logon\1\2]
"Script"=newpro.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-23463\Scripts\Logon\0\0]
"Script"=execmgmt2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-23463\Scripts\Logon\1\0]
"Script"=hrnt.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-23463\Scripts\Logon\1\1]
"Script"=IT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-921722477-1114968047-1190612905-23463\Scripts\Logon\1\2]
"Script"=newpro.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^delynch^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\delynch\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\system32\qyctipht.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\Ipwindows\ipwins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j0221339]
rundll32 C:\WINDOWS\system32\j0221339.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
"C:\DOCUME~1\delynch\MYDOCU~1\DOBE~1\smss.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\ORL\VNC\WinVNC.Exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzcnsoyA]
C:\WINDOWS\zzcnsoyA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=3 (0x3)
"TIRmtSvc"=2 (0x2)
"TIRmtCtl"=2 (0x2)
"SLClient"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"IDriverT"=3 (0x3)
"DWMRCS"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7644ad1-7c3d-11d9-a151-806d6172696f}]
AutoRun\command- NOTEPAD README.TXT


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 22:04:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-06 22:05:28
C:\ComboFix-quarantined-files.txt ... 2007-06-06 22:05
C:\ComboFix2.txt ... 2007-06-06 00:19

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 22:10, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\slClient.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Daemon\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\delynch\Desktop\hijackthis\xyz.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086AA333-5B78-4095-8659-F1662121BC3A} - C:\WINDOWS\system32\qopqp.dll (file missing)
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\pmnooom.dll (file missing)
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {492AAE61-8CB8-4A65-84B0-509E1C0C06E2} - \
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: XBTP09580 - {B16F8052-1A10-4967-9F98-1A21ECC782F2} - C:\PROGRA~1\WORDRE~1\tbu1C6\WORDRE~1.DLL (file missing)
O2 - BHO: (no name) - {BB457568-D961-4C4B-BA2A-4BDC4FF44BD3} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.Exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O10 - Broken Internet access because of LSP provider 'ctxnsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://asrcfharchive.domain.asrcaerospace.com
O15 - Trusted Zone: csg.asrcaerospace.com
O15 - Trusted Zone: bai.integear.net
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144416450279
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://cag.asrcfederal.com/net6helper.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-p.../ra/ieatgpc.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://csg.asrcfederal.com/asrcfh/cds/CGC/en/CSGProxy.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.asrcaerospace.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.asrcaerospace.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pmnooom - C:\WINDOWS\
O20 - Winlogon Notify: qopqp - C:\WINDOWS\
O20 - Winlogon Notify: Sebring - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 07 June 2007 - 06:42 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\qhbpvjuw.exe
C:\WINDOWS\SYSTEM32\j0221339.dll

Folders to delete:
C:\WINDOWS\SYSTEM32\TQ0
C:\WINDOWS\SYSTEM32\T6
C:\WINDOWS\SYSTEM32\T1QaSQ
C:\Temp\x2b

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@="Driver"

*****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {086AA333-5B78-4095-8659-F1662121BC3A} - C:\WINDOWS\system32\qopqp.dll (file missing)
O2 - BHO: (no name) - {08C134D3-087C-4139-A98C-3A078358DFDE} - C:\WINDOWS\system32\pmnooom.dll (file missing)
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {492AAE61-8CB8-4A65-84B0-509E1C0C06E2} - \
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {BB457568-D961-4C4B-BA2A-4BDC4FF44BD3} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} -
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
O20 - Winlogon Notify: pmnooom - C:\WINDOWS\
O20 - Winlogon Notify: qopqp - C:\WINDOWS\
O20 - Winlogon Notify: Sebring - C:\WINDOWS\


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the Avenger output.txt, the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your pc is running now please.

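Added example (not code from HijackThis, ComboFix, Avenger or this thread): a small Python triage pass over HijackThis 1.99 log lines that encodes the tells behind the fix list above, so a reader can see why those particular O2/O16/O20 lines and the two odd processes were singled out. The sample log lines are constructed from the logs posted in this thread; the list of core system binary names is an assumption of the example.

```python
"""Triage a HijackThis 1.99 log for the indicators singled out in this thread.

Added example, not HijackThis/ComboFix/BleepingComputer code. The rules mirror
what the helper's fix list targeted: a process whose path HijackThis could not
render (the '?ppPatch' folder and 'l?ass.exe' process, which ComboFix later
listed as the non-ASCII folder 'ąppPatch'), a core system binary name running
from a user profile folder, orphaned BHO/DPF entries, and Winlogon Notify
packages that point at a directory instead of a DLL.
"""
import re

# Assumption of this example: names of core Windows binaries that lookalike
# processes borrow. Genuine copies live under C:\WINDOWS\system32.
SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "svchost.exe",
                   "winlogon.exe", "services.exe", "wuauclt.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")
USER_PROFILE = re.compile(r"docume~1|documents and settings|%userprofile%", re.I)
ENTRY = re.compile(r"^(O\d+|R\d+) - (.*)$")

# Constructed sample modelled on the two HijackThis logs posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\SYSTEM32\?ppPatch\l?ass.exe
C:\DOCUME~1\delynch\MYDOCU~1\CROSOF~1.NET\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe

O2 - BHO: (no name) - {086AA333-5B78-4095-8659-F1662121BC3A} - C:\WINDOWS\system32\qopqp.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\delynch\MYDOCU~1\CROSOF~1.NET\wuauclt.exe" -vt ndrv
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} -
O20 - Winlogon Notify: pmnooom - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""


def check_process(path):
    """Reason a 'Running processes' path is suspicious, or None."""
    # '?' is not a legal path character; HijackThis prints it for characters
    # it cannot render, which is how a lookalike folder or file name shows up.
    if "?" in path or any(ord(c) > 127 for c in path):
        return "unrenderable character in path (possible lookalike of a system binary)"
    directory, _, name = path.rpartition("\\")
    if name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
        return "system binary name running outside system32"
    return None


def check_entry(line):
    """Reason an O-line is suspicious, or None."""
    m = ENTRY.match(line)
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("O2", "O3", "O9") and ("(file missing)" in rest or "(no file)" in rest):
        return "orphaned BHO/toolbar/button: registered but the file is gone"
    # Everything after the first colon of an O4 line is the launch target.
    if kind == "O4" and USER_PROFILE.search(rest.split(":", 1)[-1]):
        return "autorun launching from a user profile directory"
    if kind == "O16" and rest.rstrip().endswith("-"):
        return "DPF (ActiveX download) entry with no file or URL left"
    if kind == "O20" and rest.rstrip().endswith("\\"):
        return "Winlogon Notify package pointing at a directory, not a DLL"
    return None


def triage(log_text):
    """Return [(line, reason)] for every line in the log that trips a rule."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process listing
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        reason = check_process(line) if in_processes else check_entry(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```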



