Pc Badly Infected, Need Help Cleaning It Up


29 replies to this topic

#1 rsk3

rsk3

  • Banned Spammer
  • 50 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 11 June 2007 - 12:04 PM

PC had a ton of pop-ups. Spybot and Ad-Aware said I had AdSPy.TTC, Advertising.com, Smitfraud_C.Toolbar888. They seemed to get rid of all but AdSpy.TTC. After reading a number of threads, I downloaded ATF-Cleaner and ran it, then Vundofix. This seemed to get rid of both the AdSpy and Smitfraud, but the PC still showed 100% busy as soon as I booted. I then downloaded and ran SuperAntispyware...that found a bunch more viruses and said it cleaned them up. CPU still at 100%, with system running 40-65% of it.
I then ran Kaspersky online. That found, among other things, Downloader.Win32.Agent.awf.
Please help me clean this up. I've attached a HJT log, combofix log and the Kaspersky online log. (I can't figure out how to attach the logs, so I cut and pasted them here.)


Logfile of HijackThis v1.99.0
Scan saved at 9:16:08 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\LEXMAR~1\bak\LXBRKsk.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\program files\internet explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136748756234
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

"Owner" - 2007-06-09 0:58:46 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 00:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-06-09 00:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-09 00:16 <DIR> d-------- C:\Program Files\Comodo
2007-06-07 20:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-06-07 20:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-06-07 20:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-07 20:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 22:02 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-06 21:01 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-05 18:29 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-05 07:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-05 07:36 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-06-05 07:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-06-05 07:25 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-06-05 06:53 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-06-04 20:00 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-04 18:29 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-04 17:57 <DIR> d-------- C:\VundoFix Backups
2007-06-02 16:10 <DIR> d-------- C:\spoolerlogs
2007-05-31 20:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-28 17:04 35,840 --a------ C:\WINDOWS\system32\__c00B9F51.dat
2007-05-25 16:47 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 12:07:19 -------- d-----w C:\Program Files\Iritudio
2007-06-07 22:52:11 -------- d-----w C:\Program Files\HJT
2007-06-06 02:12:20 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-05 12:30:15 -------- d-----w C:\Program Files\AIM6
2007-06-02 20:27:06 -------- d-----w C:\Program Files\Google
2007-05-27 14:59:00 -------- d-----w C:\Program Files\QuickTime
2007-05-27 14:58:58 -------- d-----w C:\Program Files\OfficeUpdate11
2007-05-27 14:58:55 -------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-05-27 14:58:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 14:58:52 -------- d-----w C:\Program Files\HP Instant Support
2007-05-27 14:58:45 -------- d-----w C:\Program Files\Apple Software Update
2007-04-26 15:13:26 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\U3
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 02:43:01 -------- d-----w C:\Program Files\LimeWire
2007-03-22 23:44:28 2,436 ----a-w C:\WINDOWS\system32\tmp.reg
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
1989-12-12 15:10:10 380,000 --sh--r C:\WINDOWS\pibjuzq.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2007-01-22 21:46]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2007-01-22 21:46]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2007-01-22 21:46]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2007-01-22 21:46]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-09 00:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Notn"="C:\Program Files\apsi\wtta.exe" -vt tzt
"fqfk"=C:\PROGRA~1\COMMON~1\fqfk\fqfkm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvbb01]
yvbb01.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvpp01]
yvpp01.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\yvbb02.sys]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"BackupNotify"=c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxRootkitRemovalTool"="C:\Documents and Settings\Owner\Desktop\9A73F44.exe" -scan

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c87cd712-b3a9-11db-8840-000c769d798a}]
AutoRun\command- K:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
2007-06-06 20:52:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 05:00:00 C:\WINDOWS\tasks\At1.job
2007-06-08 14:00:00 C:\WINDOWS\tasks\At10.job
2007-06-08 15:00:00 C:\WINDOWS\tasks\At11.job
2007-06-08 16:00:00 C:\WINDOWS\tasks\At12.job
2007-06-08 17:00:00 C:\WINDOWS\tasks\At13.job
2007-06-08 18:00:00 C:\WINDOWS\tasks\At14.job
2007-06-08 19:00:00 C:\WINDOWS\tasks\At15.job
2007-06-08 20:00:00 C:\WINDOWS\tasks\At16.job
2007-06-08 21:00:00 C:\WINDOWS\tasks\At17.job
2007-06-05 22:00:00 C:\WINDOWS\tasks\At18.job
2007-06-08 23:00:01 C:\WINDOWS\tasks\At19.job
2007-06-09 06:00:00 C:\WINDOWS\tasks\At2.job
2007-06-09 00:00:00 C:\WINDOWS\tasks\At20.job
2007-06-09 01:00:00 C:\WINDOWS\tasks\At21.job
2007-06-09 02:00:00 C:\WINDOWS\tasks\At22.job
2007-06-09 03:00:00 C:\WINDOWS\tasks\At23.job
2007-06-09 04:00:00 C:\WINDOWS\tasks\At24.job
2007-06-09 07:00:00 C:\WINDOWS\tasks\At3.job
2007-06-09 08:00:00 C:\WINDOWS\tasks\At4.job
2007-06-08 09:00:00 C:\WINDOWS\tasks\At5.job
2007-06-08 10:00:00 C:\WINDOWS\tasks\At6.job
2007-06-06 11:00:00 C:\WINDOWS\tasks\At7.job
2007-06-06 12:00:00 C:\WINDOWS\tasks\At8.job
2007-06-08 13:00:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 02:25:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 3:10:49

--- E O F ---

KASPERSKY ONLINE SCANNER REPORT

Sunday, June 10, 2007 4:08:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 320783
Scan using the following antivirus database
standard
Scan Archives
true
Scan Mail Bases
true
Scan Target
My Computer

A:
C:
D:
E:
F:
G:
H:
I:
J:
L:

Scan Statistics

Total number of scanned objects
90357

Number of viruses found
45

Number of infected objects
496
Number of suspicious objects
8
Duration of the scan process
01:32:33

Infected Object Name
Virus Name
Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
Infected: Trojan-Spy.Win32.VBStat.h
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Owner\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007061020070611\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG
Object is locked
skipped

C:\news.htm
Infected: Trojan-Clicker.JS.Linker.j
skipped

C:\Program Files\AIM\aim.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\AWS\WeatherBug\Weather.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Lexmark 3100 Series\LXBRKsk.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Microsoft AntiSpyware\Quarantine\8924DA34-984F-444E-8C22-9208D1\3B30A26C-E46D-4C27-AEB0-176C49/data0002
Infected: Trojan-Dropper.Win32.Small.qn
skipped

C:\Program Files\Microsoft AntiSpyware\Quarantine\8924DA34-984F-444E-8C22-9208D1\3B30A26C-E46D-4C27-AEB0-176C49/data0003/data0006
Infected: Backdoor.Win32.HacDef.bo
skipped

C:\Program Files\Microsoft AntiSpyware\Quarantine\8924DA34-984F-444E-8C22-9208D1\3B30A26C-E46D-4C27-AEB0-176C49/data0003
Infected: Backdoor.Win32.HacDef.bo
skipped

C:\Program Files\Microsoft AntiSpyware\Quarantine\8924DA34-984F-444E-8C22-9208D1\3B30A26C-E46D-4C27-AEB0-176C49
NSIS: infected - 3
skipped

C:\Program Files\Multimedia Card Reader\shwicon2k.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped

C:\WINDOWS\system32\ahucsapi.exe
Infected: Trojan.Win32.Crypt.t
skipped

C:\WINDOWS\system32\aisysUS.exe/data0002
Infected: Trojan-Downloader.Win32.Apropo.e
skipped

C:\WINDOWS\system32\aisysUS.exe
NSIS: infected - 1
skipped

C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\default
Object is locked
skipped

C:\WINDOWS\system32\config\default.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SAM
Object is locked
skipped

C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\software
Object is locked
skipped

C:\WINDOWS\system32\config\software.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\system
Object is locked
skipped

C:\WINDOWS\system32\config\system.LOG
Object is locked
skipped

C:\WINDOWS\system32\InstallerV5.exe/data0006
Infected: Backdoor.Win32.HacDef.bo
skipped

C:\WINDOWS\system32\InstallerV5.exe
NSIS: infected - 1
skipped

C:\WINDOWS\system32\iprcba.exe
Infected: Trojan.Win32.Crypt.t
skipped

C:\WINDOWS\system32\msnhed20.exe
Infected: Trojan.Win32.Crypt.t
skipped

C:\WINDOWS\system32\qbi3sys.exe/data0002
Infected: Trojan.Win32.QuickBrowser.a
skipped

C:\WINDOWS\system32\qbi3sys.exe/data0003
Infected: Trojan.Win32.QuickBrowser.c
skipped

C:\WINDOWS\system32\qbi3sys.exe
NSIS: infected - 2
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped

C:\WINDOWS\system32\__c00B9F51.dat
Suspicious: Packed.Win32.Morphine.a
skipped

Scan process completed.



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:35 PM

Posted 16 June 2007 - 04:01 AM

Hi rsk3, :huh:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

I've attached a HJT log, combofix log and the Kaspersky online log. (I can't figure out how to attach the logs, so I cut and pasted them here)


Don't attach logs please but copy/paste them into this thread. :flowers:

Edited by Falu, 16 June 2007 - 04:02 AM.


#3 rsk3

rsk3
  • Topic Starter

  • Banned Spammer
  • 50 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 19 June 2007 - 09:44 AM

Since the original post, I've since run Vundofix, Stinger and Smitfraud. They cleaned some stuff up, but the slowness remains. The only thing that sees the virus is Kaspersky online scan...it sees Trojan-Downloader.Win32.Agent.awf.
Spybot, Smitfraud, AdAware and Vundofix all run clean. When I boot in safe mode with networking, it runs very fast. When I boot in normal mode, it's always at 100%. I've also downloaded all MS security and OS patches and have installed COMODO. I haven't upgraded Java.

Here's the Kaspersky log:
I'll download the newer version of HJT, as it won't let me post the log here.



KASPERSKY ONLINE SCANNER REPORT

Monday, June 18, 2007 9:16:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/06/2007
Kaspersky Anti-Virus database records: 327065

Scan Settings
Scan using the following antivirus database
standard

Scan Archives
true

Scan Mail Bases
true

Scan Target
My Computer

A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan Statistics

Total number of scanned objects
88382

Number of viruses found
2

Number of infected objects
9

Number of suspicious objects
0

Duration of the scan process
01:28:26


Infected Object Name
Virus Name
Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
Infected: Trojan-Spy.Win32.VBStat.h
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Owner\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007061820070619\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Owner\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Owner\UserData\index.dat
Object is locked
skipped

C:\Program Files\AIM\aim.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\AWS\WeatherBug\Weather.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Lexmark 3100 Series\LXBRKsk.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\Program Files\Multimedia Card Reader\shwicon2k.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\default
Object is locked
skipped

C:\WINDOWS\system32\config\default.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SAM
Object is locked
skipped

C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\software
Object is locked
skipped

C:\WINDOWS\system32\config\software.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\system
Object is locked
skipped

C:\WINDOWS\system32\config\system.LOG
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped

Scan process completed.
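
Both Kaspersky Online Scanner reports in this thread (posts #1 and #3) are pasted as plain text, three lines per object, with "Object is locked" entries for hives and index files outnumbering the real detections. The script below is an added example, not part of the original thread or of Kaspersky's tooling: it parses that pasted layout (including stray HTML table remnants such as <td> tags that forum copy/paste leaves behind), separates locked objects from infected, suspicious and archive-container verdicts, and groups detections by signature name so that a helper can see at a glance which files share one verdict. The sample report embedded in it is constructed for the example; the file names are placeholders, not the poster's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of a pasted Kaspersky Online Scanner 5.x
# report: path line, verdict line, last-action line, blank line between
# objects, plus a couple of <td> remnants as seen in forum copy/paste.
# Paths and file names are placeholders made up for this example.
SAMPLE_REPORT = r"""Infected Object Name
Virus Name
Last Action

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG
<td>Object is locked
<td>skipped

C:\Program Files\Example\app.exe
Infected: Trojan-Downloader.Win32.Agent.awf
skipped

C:\WINDOWS\system32\example.exe/data0002
Infected: Trojan-Downloader.Win32.Apropo.e
skipped

C:\WINDOWS\system32\example.exe
NSIS: infected - 1
skipped

C:\WINDOWS\system32\packed.dat
Suspicious: Packed.Win32.Morphine.a
skipped

Scan process completed.
"""

TAG_RE = re.compile(r"<[^>]+>")                      # <td ...> / </td> remnants
CONTAINER_RE = re.compile(r"^(\w+): infected - (\d+)$")  # e.g. "NSIS: infected - 3"


def clean_line(raw):
    """Strip HTML table remnants and surrounding whitespace from a pasted line."""
    return TAG_RE.sub("", raw).strip()


def classify(line):
    """Map a verdict line to (verdict, detail); return None for non-verdict lines."""
    if line.startswith("Infected: "):
        return "infected", line[len("Infected: "):]
    if line.startswith("Suspicious: "):
        return "suspicious", line[len("Suspicious: "):]
    if line == "Object is locked":
        return "locked", None
    m = CONTAINER_RE.match(line)
    if m:
        return "container", m.group(1)      # archive type whose members were infected
    return None


def parse_report(text):
    """Return one dict per reported object: path, verdict, detail, action.

    The layout is path, verdict, action. A line that is neither a verdict nor
    the action following one is remembered as the candidate path; header and
    footer lines therefore get overwritten by the next real path and never
    produce a record.
    """
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = clean_line(raw)
        if not line:
            continue
        if records and records[-1]["action"] is None:
            records[-1]["action"] = line    # line right after a verdict is the last action
            continue
        verdict = classify(line)
        if verdict is None:
            pending_path = line
            continue
        records.append({"path": pending_path, "verdict": verdict[0],
                        "detail": verdict[1], "action": None})
        pending_path = None
    return records


def summarize(records):
    """Count objects per verdict and group real detections by signature name."""
    by_verdict = Counter(r["verdict"] for r in records)
    by_signature = defaultdict(list)
    for r in records:
        if r["verdict"] in ("infected", "suspicious"):
            by_signature[r["detail"]].append(r["path"])
    return by_verdict, dict(by_signature)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    counts, groups = summarize(recs)
    print("verdict counts:", dict(counts))
    for sig, paths in groups.items():
        print(sig)
        for p in paths:
            print("   ", p)
```

Locked hives, event logs and index.dat files are a normal side effect of scanning a running Windows XP system and are kept out of the per-signature grouping; the grouping is what makes the pattern in these reports visible, here several unrelated vendor executables all carrying the same Trojan-Downloader.Win32.Agent.awf verdict.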

#4 rsk3

rsk3
  • Topic Starter

  • Banned Spammer
  • 50 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 20 June 2007 - 09:12 AM

I downloaded the new version of HJT...here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 5:45:58 PM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136748756234
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
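
The HijackThis logs in this thread are read by hand, but the same first-pass checks a helper applies can be written down. The script below is an added example, not part of the thread or of HijackThis itself: it splits a log into its section-prefixed entries (O2, O4, O15, O20, O23 and so on) and flags the conditions that stand out in the logs above, namely entries whose target file no longer exists (the "(no file)" BHO and the "(file missing)" Winlogon Notify entry), a Winlogon Notify DLL given by bare name rather than a full path, and an O15 line reporting changed Internet Explorer zone defaults. The embedded log is constructed for the example; the entries with "Example" in the name are placeholders, the others reproduce the shape of lines from this thread.

```python
import re

# Constructed sample in the HijackThis 1.99.x log layout. Lines with
# "Example"/"example" in them are placeholders invented for this example;
# the remaining entries mirror lines posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:45:58 PM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [ExampleFirewall] "C:\Program Files\Example\fw.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: example01 - example01.dll (file missing)
O20 - Winlogon Notify: example02 - C:\WINDOWS\SYSTEM32\example02.dll
O23 - Service: Example Service (ExSvc) - Example Corp. - C:\Program Files\Example\exsvc.exe
"""

# HijackThis entries start with a section code (R0, F2, O4, N1, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, description) pairs; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply a few first-pass heuristics and return the entries worth a closer look."""
    flagged = []
    for section, body in entries:
        reasons = []
        # HijackThis itself marks targets it could not find on disk.
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("references a file that no longer exists (orphaned autostart entry)")
        if section == "O20":
            # "Winlogon Notify: <name> - <dll>": a bare file name means the DLL
            # is not pinned to a directory and is resolved at logon.
            target = body.split(" - ", 1)[-1].replace(" (file missing)", "")
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL given by bare name, not a full path")
        if section == "O15":
            reasons.append("Internet Explorer protocol/zone defaults have been changed")
        if reasons:
            flagged.append({"section": section, "entry": body, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f['section']} - {f['entry']}")
        for r in f["reasons"]:
            print("    ->", r)
```

These checks only narrow the list; an entry that passes them (a Winlogon Notify DLL with a full path, a service with a vendor name) still needs the file itself looked at, which is exactly why the helper asks for a fresh log from Normal mode rather than Safe mode.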

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:35 PM

Posted 20 June 2007 - 03:44 PM

Hi rsk3, :thumbsup:

It looks like you have posted a HijackThis log made in safe mode. I would like to see one from Normal mode, so if you're still in safe mode reboot.

Furthermore you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.

#6 rsk3

rsk3
  • Topic Starter

  • Banned Spammer
  • 50 posts
  • OFFLINE
  • Local time:03:35 PM

Posted 21 June 2007 - 08:37 AM

Re-installed HJT per your instructions, here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:53:00 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136748756234
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#7 Falu
  • Security Colleague
  • Location: The Netherlands

Posted 23 June 2007 - 09:19 AM

Hi rsk3, :thumbsup:

I hate to be the bearer of bad news, but your log shows a very dangerous Trojan is residing on your PC: Backdoor.Haxdoor.I, which is a Trojan horse that opens a back door on a compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops a rootkit that also runs in Safe mode, making this threat difficult to remove.
It is possible that the remote attacker has added multiple backdoors and/or accounts or even rooted the computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Visit the following sites for more information on internet theft and when to reformat!

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see, but as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before you come to a final decision, please feel free to ask.

Please let me know your decision; in the meantime don't do anything other than instructed above!

#8 rsk3
  • Topic Starter

Posted 23 June 2007 - 01:32 PM

I'd like to take a try at cleaning it up...that would at least allow me to get my files, music, etc off it.

#9 Falu
  • Security Colleague
  • Location: The Netherlands

Posted 23 June 2007 - 04:06 PM

Hi rsk3, :thumbsup:

I'd like to take a try at cleaning it up...that would at least allow me to get my files, music, etc off it.


Do you have an external hard disk or an alternative storage system (USB stick, CDs) large enough to copy your entire disk, so you can be sure that you don't lose anything (bookmarks, e-mail, passwords, IP addresses, usernames etc.)? There are some free programmes to help you do the job, like WinBackup 1.86.

So it is possible to reformat but keep your music etc.: scan files with an antivirus before installing them again on your reformatted computer, since they came from an infected computer.

Do you still want to clean up your computer?

#10 rsk3
  • Topic Starter

Posted 24 June 2007 - 10:03 AM

I'd like to try to clean it up as much as possible. I do have a CD burner on it. I can't copy any files now because as soon as I boot it's at 100%, so I can't copy anything to the CD. If I can get it cleaned up enough to copy my stuff, then I'll get it re-formatted.

#11 Falu
  • Security Colleague
  • Location: The Netherlands

Posted 25 June 2007 - 12:44 PM

Hi rsk3, :thumbsup:

I'd like to try to clean it up as much as possible. I do have a CD burner on it. I can't copy any files now because as soon as I boot it's at 100%, so I can't copy anything to the CD. If I can get it cleaned up enough to copy my stuff, then I'll get it re-formatted.


Okay, let's see what we can do.

Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread.

#12 rsk3
  • Topic Starter

Posted 25 June 2007 - 05:48 PM

Here's the haxfix log:

HAXFIX logfile - by Marckie

version 4.47
Mon 06/25/2007 17:40:20.37

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
matching notify keys found
yvbb
yvpp

checking for matching services
matching services found
Aspi32
yvbb01
yvbb02

checking for matching safeboot services
matching safeboot services found
yvbb02.sys

checking for other Haxdoor-files
yvpp01.dll found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 17:40:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\notsub01.txt
C:\safeserv.txt
C:\serv.txt

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!
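
The HaxFix log above ties the two O20 "Winlogon Notify" entries (yvbb01, yvpp01) to driver services with the same name stem (yvbb01, yvbb02), which is how this backdoor gets loaded by winlogon.exe and survives a reboot. As an added example, not HaxFix or HijackThis code, the script below flags Notify entries a triager would question and pairs them with the services a HaxFix log reports; the KNOWN_NOTIFY baseline is an assumption for Windows XP plus the vendor entries seen in this thread.

```python
# Added example, not HijackThis or HaxFix code: flag Winlogon Notify entries
# of the kind Haxdoor plants (a DLL winlogon.exe loads at logon) and pair them
# with the driver services a HaxFix log lists under the same name stem.
import re

# Constructed sample: O20 lines taken from the HJT log posted above.
SAMPLE_HJT = """\
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll
O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
O20 - Winlogon Notify: yvpp01 - C:\\WINDOWS\\SYSTEM32\\yvpp01.dll
"""
# Constructed sample: the services blocks of the HaxFix log posted above.
SAMPLE_HAXFIX = """\
checking for matching services
matching services found
Aspi32
yvbb01
yvbb02

checking for matching safeboot services
no matching safeboot services found
"""
# Assumed baseline: XP's default Notify subkeys plus the vendor entries above.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon",
                "igfxcui", "WgaLogon", "NavLogon", "!SASWinLogon"}
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)"
                    r"(?P<missing> \(file missing\))?$")
RANDOM_NAME = re.compile(r"^[a-z]{4}\d{2}$")   # the yvbb01 / yvpp01 pattern

def suspicious_notify(hjt_log, known=KNOWN_NOTIFY):
    """Map each unrecognised Notify entry to the reasons it was flagged."""
    findings = {}
    for line in hjt_log.splitlines():
        m = O20_RE.match(line.strip())
        if not m or m["name"] in known:
            continue
        reasons = []
        if m["missing"]:
            reasons.append("file missing")      # DLL gone, key left behind
        if RANDOM_NAME.match(m["name"]):
            reasons.append("random-looking name")
        findings[m["name"]] = reasons or ["unknown Notify subkey"]
    return findings

def haxfix_items(haxfix_log, check):
    """Names listed under 'checking for <check>' in a HaxFix log, or []."""
    lines = [l.strip() for l in haxfix_log.splitlines()]
    head = f"checking for {check}"
    if head not in lines or lines[lines.index(head) + 1].startswith("no "):
        return []                               # absent or "no ... found"
    names = []
    for item in lines[lines.index(head) + 2:]:
        if not item:
            break                               # blank line ends the block
        names.append(item)
    return names

def correlate(hjt_log, haxfix_log):
    """Pair each flagged Notify entry with services sharing its 4-letter stem."""
    services = haxfix_items(haxfix_log, "matching services")
    return {name: [s for s in services if s[:4] == name[:4]]
            for name in suspicious_notify(hjt_log)}
```

Running correlate(SAMPLE_HJT, SAMPLE_HAXFIX) shows yvbb01 paired with the yvbb01/yvbb02 services and yvpp01 with none, which matches why the later HaxFix run still lists those services after the Notify keys are gone.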

#13 Falu
  • Security Colleague
  • Location: The Netherlands

Posted 26 June 2007 - 01:36 PM

Hi rsk3, :thumbsup:

Open the folder program files\haxfix and double click on fix.bat (or double click on the fix.bat desktop icon).
Close all other open windows since this step requires a reboot.
Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new HijackThis log.

#14 rsk3
  • Topic Starter

Posted 27 June 2007 - 08:41 AM

Ran the haxfix.bat...looks like it cleaned up all but services...here are the HJT and haxfix logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:42 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136748756234
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

HAXFIX logfile - by Marckie

version 4.47
Tue 06/26/2007 20:46:27.17

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32
yvbb01
yvbb02

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 20:45:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!

#15 Falu
  • Security Colleague
  • Location: The Netherlands

Posted 28 June 2007 - 12:27 PM

Hi rsk3, :thumbsup:

1. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone


Weatherbug is a program that sits in your System Tray (next to the clock) and delivers the weather. It used to come with spyware, and whilst the latest version is spyware free, it is an advertisement-supported program which many users find annoying. There is a very good ad-free alternative: Weather Pulse!

Right-click the Weatherbug icon on your taskbar and delete it. Then click Start > All Programmes and search the list for Weatherbug: click Uninstall Weatherbug. Checkmark the following entry:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

2. Download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Please post the F-Secure report along with a fresh HijackThis log!



