Pmkhf.dll / Notedad.exe Infection



#1 picturesofme

Posted 14 June 2007 - 02:14 PM

Ok, thought I could handle it on my own, but apparently my rudimentary skills are naught compared to the fearsome might of the trojans.

Never, ever, ever let a coworker use your laptop if they're dumb enough to open unknown attachments.

Anyway...I've run Panda, Stinger, AVG, HJT (many, many times...cleaned up a bit that way), CounterSpy, AMUST reg cleaner, etc, etc. All to no avail. If anyone could give me a hand that'd be fabulous...anyway, on with the HJT log:

- - - - -

Logfile of HijackThis v1.99.1
Scan saved at 12:11:28 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\analyze.exe

O2 - BHO: (no name) - {D5243A6C-CA1C-4213-848E-4E8409FF3537} - C:\WINDOWS\system32\pmkhf.dll
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\menuwocw.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [EndTask Pro] C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - SOFTWARE - (no file) (HKCU)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



- - - - -

I also seem to have a SuperMWindow infestation that I can't fix, even with the recommended downloads and patch programs. I'm not sure if it's gone or not, but as far as I can tell it isn't.

If there's anything else I should / can do, I'd appreciate any advice. Thanks in advance.
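The HijackThis log above is read by eye in this thread. As an added example (written for this page, not part of the original post and not HijackThis code), the following Python script applies the same checks mechanically to O2/O4/O9/O20 lines: a nameless BHO loading a DLL from system32, a Winlogon Notify package that is not in a baseline list, a Run entry that loads a DLL through rundll32, and orphaned entries whose file is already gone. The sample log is constructed from lines that appear in this thread plus one benign BHO line made up for contrast; the Winlogon Notify allowlist and the "random name" regex are assumptions and only a starting point.

```python
"""Triage HijackThis (v1.99) log lines for Vundo-style persistence.
Added example for this page; not HijackThis code and not from the thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity item reason")

# ASSUMPTION: partial list of Winlogon Notify packages that ship with Windows XP.
# Build the real baseline from a clean image of your own; this is a starting point.
KNOWN_NOTIFY = {"crypt32chk", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Entry formats HijackThis emits for the sections we check.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - .* - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
# Weak heuristic for the 5-8 random lowercase letters Vundo uses for its DLL names.
RANDOM_RE = re.compile(r"^[a-z]{5,8}\.dll$")

# Constructed sample: lines from this thread's logs plus one benign BHO line
# (the SSVHelper one) made up for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D5243A6C-CA1C-4213-848E-4E8409FF3537} - C:\WINDOWS\system32\pmkhf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\menuwocw.dll",realset
O9 - Extra button: (no name) - SOFTWARE - (no file) (HKCU)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return findings sorted high -> low. Only O2/O4/O9/O20 lines are examined."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m["name"], m["path"]
            if "(file missing)" in path.lower():
                findings.append(Finding("low", line, "BHO registration whose DLL is gone (orphan; still remove the key)"))
            elif name == "(no name)" and in_system32(path):
                sev = "high" if RANDOM_RE.match(basename(path)) else "medium"
                findings.append(Finding(sev, line, "nameless BHO loading a DLL from system32"))
        elif m := O4_RE.match(line):
            if d := RUNDLL_RE.search(m["cmd"]):
                dll = d["dll"]
                sev = "high" if in_system32(dll) and RANDOM_RE.match(basename(dll)) else "medium"
                findings.append(Finding(sev, line, "Run entry loads a DLL via rundll32; confirm the DLL is known/signed"))
        elif m := O9_RE.match(line):
            if "(no file)" in m["path"]:
                findings.append(Finding("low", line, "orphaned IE extra button or menu item"))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("high", line, "Winlogon Notify package outside the baseline (loads into winlogon.exe)"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.item}")
```

Winlogon Notify DLLs are loaded by winlogon.exe at logon, which is why an entry such as the pmkhf one is hard to delete from a normal session and why anything in that key outside your baseline deserves a look. The rundll32 check is noisy on hosts with vendor applets that start the same way, so treat "medium" as "verify the DLL", not "delete it".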

#2 RichieUK

  • Malware Response Team

Posted 14 June 2007 - 04:16 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, picturesofme.

Right click on a blank area of your desktop, select 'New', then select 'Folder'. Right click on that new folder, select 'Rename', and rename it to HJT.
Now move analyze.exe into the HJT folder and run it from there.

*****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 picturesofme

Posted 14 June 2007 - 05:35 PM

Here's the Vundofix log:


VundoFix V6.5.0

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 3:07:27 PM 6/14/2007

Listing files found while scanning....

C:\windows\system32\bhmbviof.dll
C:\windows\system32\bhnbkowd.dll
C:\windows\system32\egxalmky.ini
C:\windows\system32\erpjihmu.ini
C:\windows\system32\etdvhwjx.ini
C:\windows\system32\fhkmp.bak1
C:\windows\system32\fhkmp.bak2
C:\windows\system32\fhkmp.ini
C:\windows\system32\fhkmp.ini2
C:\windows\system32\fhkmp.tmp
C:\WINDOWS\system32\gyvutcqa.dll
C:\windows\system32\joevbrum.dll
C:\windows\system32\lbfarjfm.ini
C:\WINDOWS\system32\lryeyssl.dll
C:\windows\system32\mfjrafbl.dll
C:\WINDOWS\system32\pmkhf.dll
C:\windows\system32\puaaqsvt.dll
C:\WINDOWS\system32\rclabyyw.dll
C:\WINDOWS\system32\rvselpeu.dll
C:\windows\system32\ryjrdhsb.dll
C:\windows\system32\umhijpre.dll
C:\windows\system32\xjwhvdte.dll
C:\windows\system32\ykmlaxge.dll

Beginning removal...

Attempting to delete C:\windows\system32\bhmbviof.dll
C:\windows\system32\bhmbviof.dll Has been deleted!

Attempting to delete C:\windows\system32\bhnbkowd.dll
C:\windows\system32\bhnbkowd.dll Has been deleted!

Attempting to delete C:\windows\system32\egxalmky.ini
C:\windows\system32\egxalmky.ini Has been deleted!

Attempting to delete C:\windows\system32\erpjihmu.ini
C:\windows\system32\erpjihmu.ini Has been deleted!

Attempting to delete C:\windows\system32\etdvhwjx.ini
C:\windows\system32\etdvhwjx.ini Has been deleted!

Attempting to delete C:\windows\system32\fhkmp.bak1
C:\windows\system32\fhkmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\fhkmp.bak2
C:\windows\system32\fhkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\fhkmp.ini
C:\windows\system32\fhkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\fhkmp.ini2
C:\windows\system32\fhkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\fhkmp.tmp
C:\windows\system32\fhkmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\gyvutcqa.dll
C:\WINDOWS\system32\gyvutcqa.dll Has been deleted!

Attempting to delete C:\windows\system32\joevbrum.dll
C:\windows\system32\joevbrum.dll Has been deleted!

Attempting to delete C:\windows\system32\lbfarjfm.ini
C:\windows\system32\lbfarjfm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lryeyssl.dll
C:\WINDOWS\system32\lryeyssl.dll Has been deleted!

Attempting to delete C:\windows\system32\mfjrafbl.dll
C:\windows\system32\mfjrafbl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkhf.dll Has been deleted!

Attempting to delete C:\windows\system32\puaaqsvt.dll
C:\windows\system32\puaaqsvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rclabyyw.dll
C:\WINDOWS\system32\rclabyyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rvselpeu.dll
C:\WINDOWS\system32\rvselpeu.dll Has been deleted!

Attempting to delete C:\windows\system32\ryjrdhsb.dll
C:\windows\system32\ryjrdhsb.dll Has been deleted!

Attempting to delete C:\windows\system32\umhijpre.dll
C:\windows\system32\umhijpre.dll Has been deleted!

Attempting to delete C:\windows\system32\xjwhvdte.dll
C:\windows\system32\xjwhvdte.dll Has been deleted!

Attempting to delete C:\windows\system32\ykmlaxge.dll
C:\windows\system32\ykmlaxge.dll Has been deleted!

Performing Repairs to the registry.
Done!

- - - - -

Combofix log:

ComboFix 07-06-13.7
"Mike" - 2007-06-14 15:20:26 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cjbwgffw.dll
C:\WINDOWS\system32\menuwocw.dll
C:\WINDOWS\system32\mlddubks.dll
C:\WINDOWS\system32\rlrdkdnk.dll
C:\WINDOWS\system32\vrjrotkv.dll
C:\WINDOWS\system32\xgmgkldb.dll
C:\WINDOWS\system32\wcowunem.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Mike\APPLIC~1\Dxccwrd.dll
C:\DOCUME~1\Mike\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\Mike\APPLIC~1\Dxcuknwrd.dll
C:\Program Files\Common Files\{38A71~1
C:\Program Files\Common Files\{38A71~1\UnInstall.exe
C:\Program Files\Common Files\{68A71~1
C:\Program Files\Online Services\qujaxinig.dll
C:\Temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\IExplorer.dll .dbt
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\RunOnce2.t__
C:\WINDOWS\system32\RunOnce2.tm_
C:\WINDOWS\winhp32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\Client IP-IPX


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-14 15:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 15:07 <DIR> d-------- C:\VundoFix Backups
2007-06-06 11:30 55,316 --a------ C:\WINDOWS\system32\qfbbogaf.dll
2007-05-31 09:44 <DIR> d-------- C:\Program Files\Doomsday
2007-05-30 10:16 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\ourTunes
2007-05-25 13:32 <DIR> d-------- C:\Program Files\EndTask
2007-05-16 16:19 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\U3


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-14 22:23:11 -------- d-----w C:\Program Files\Online Services
2007-06-14 03:41:24 4,876 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-06-08 18:05:22 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\.gaim
2007-06-06 01:11:03 -------- d-----w C:\Program Files\DYMO Label
2007-05-31 00:08:45 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\XnView
2007-05-24 17:42:36 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 17:15:39 0 ----a-w C:\WINDOWS\system32\SBRC.dat
2007-05-12 17:15:39 0 ----a-w C:\WINDOWS\system32\SBFC.dat
2007-05-11 01:02:19 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2007-05-10 21:22:00 -------- d-----w C:\Program Files\Sunbelt Software
2007-05-04 18:48:17 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 20:45:56 -------- d-----w C:\Program Files\Windows NT
2007-04-21 20:45:56 -------- d-----w C:\Program Files\epson
2007-04-19 23:07:59 -------- d-----w C:\Program Files\iTunes
2007-04-18 22:44:52 -------- d-----w C:\Program Files\Soulseek
2007-04-18 21:07:03 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 16:48:45 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 00:05:40 -------- d-----w C:\DOCUME~1\Mike\APPLIC~1\Lavasoft
2007-04-17 00:03:07 4,636 ----a-w C:\WINDOWS\system32\tmp.reg
2007-04-16 22:09:18 32,768 ----a-w C:\WINDOWS\system32\svchtoost.exe
2007-04-16 20:00:18 -------- d-----w C:\Program Files\Lavasoft
2007-04-16 19:59:17 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 19:04:40 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-16 19:01:06 28,416 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-04-16 19:01:06 13,568 ----a-w C:\WINDOWS\vxddsk.exe
2007-04-16 19:01:05 22,784 ----a-w C:\WINDOWS\wml.exe
2007-04-16 19:01:05 21,248 ----a-w C:\WINDOWS\system32\wml.exe
2007-04-16 19:01:04 23,296 ----a-w C:\WINDOWS\satmat.exe
2007-04-16 19:00:54 29,952 ----a-w C:\WINDOWS\7search.dll
2007-04-16 19:00:54 14,848 ----a-w C:\WINDOWS\flt.dll
2007-04-16 19:00:52 26,368 ----a-w C:\WINDOWS\pbar.dll
2007-04-16 19:00:50 30,208 ----a-w C:\WINDOWS\voiceip.dll
2007-04-16 19:00:50 16,128 ----a-w C:\WINDOWS\stcloader.exe
2007-04-16 19:00:49 21,504 ----a-w C:\WINDOWS\swin32.dll
2007-04-16 19:00:48 25,344 ----a-w C:\WINDOWS\cdsm32.dll
2007-04-16 19:00:48 13,824 ----a-w C:\WINDOWS\bokja.exe
2007-04-16 19:00:45 26,624 ----a-w C:\WINDOWS\mspphe.dll
2007-04-16 19:00:45 11,520 ----a-w C:\WINDOWS\bjam.dll
2007-04-16 19:00:40 30,464 ----a-w C:\WINDOWS\system32\WER8274.DLL
2007-04-16 19:00:40 12,544 ----a-w C:\WINDOWS\system32\MSIXU.DLL
2007-04-16 19:00:38 25,856 ----a-w C:\WINDOWS\updatetc.exe
2007-04-16 19:00:38 16,640 ----a-w C:\WINDOWS\180ax.exe
2007-04-16 19:00:38 14,848 ----a-w C:\WINDOWS\salm.exe
2007-04-16 19:00:36 15,360 ----a-w C:\WINDOWS\saiemod.dll
2007-04-16 18:58:20 12 ----a-w C:\WINDOWS\system32\gtv_sd.bin
2007-04-11 01:04:48 71,168 ----a-w C:\WINDOWS\iebrowser.dll
2007-04-11 01:04:48 68,096 ----a-w C:\WINDOWS\dxdiag.dll
2007-04-06 23:35:00 71,168 ----a-w C:\WINDOWS\iexplorer.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 21:27:22 69,417 ----a-w C:\WINDOWS\hpoins05.dat
2006-05-28 19:47:11 56 --sh--r C:\WINDOWS\system32\3F5667FF49.sys
2006-05-13 03:32:00 56 --sh--r C:\WINDOWS\system32\4A50D09A3A.sys
2006-07-26 23:30:47 6,060 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 12:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 03:20]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{C451C08A-EC37-45DF-AAAD-18B51AB5E837}=C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll [2006-10-13 14:54]
{D5243A6C-CA1C-4213-848E-4E8409FF3537}=C:\WINDOWS\system32\pmkhf.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 21:19 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 12:29]
"Firefox"="C:\Program Files\Mozilla Firefox\firefox.exe" [2007-06-01 09:57]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EndTask Pro"="C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe" [2006-07-08 04:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaim]
C:\Program Files\Gaim\gaim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ehTray"=C:\WINDOWS\ehome\ehtray.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - NTPROCDRV

Contents of the 'Scheduled Tasks' folder
2007-03-22 19:07:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-04 17:30:03 C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 15:25:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SBAPIFS]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\sbapifs.sys"

Completion time: 2007-06-14 15:28:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 15:27

--- E O F ---

- - - - -

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:48 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mike\Desktop\HJT\analyze.exe

O2 - BHO: (no name) - {D5243A6C-CA1C-4213-848E-4E8409FF3537} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [EndTask Pro] C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - SOFTWARE - (no file) (HKCU)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



- - - - -

Thanks again!
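ComboFix's Find3M section above lists files modified in the last three months with their timestamps, and the run of files written into C:\WINDOWS between 19:00:36 and 19:01:06 on 2007-04-16, together with names such as svchtoost.exe and iexplorer.dll, is what the helper picks out by eye in the next post. As an added example (not ComboFix code and not part of the thread), this Python script does those two checks mechanically: it clusters entries by write time to surface drop bursts, and it compares file stems against a short list of core Windows binaries to catch lookalike names and real names sitting in the wrong directory. The sample is built from lines in the log above plus one constructed line (marked in the code) for the wrong-directory case; the KNOWN table of default XP locations is an assumption.

```python
"""Triage the Find3M section of a ComboFix log: drop bursts and lookalike names.
Added example for this page; not ComboFix code and not from the thread."""
import re
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "ts size attrs path")

# 'YYYY-MM-DD HH:MM:SS  size  attrs  path'; directories show '--------' as size.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
                     r"(?P<size>[\d,]+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

# ASSUMPTION: default Windows XP location of a few core binaries (stem -> directory).
# Legitimate extra copies exist (dllcache, ServicePackFiles), so a hit is a lead, not proof.
KNOWN = {
    "svchost": r"c:\windows\system32", "explorer": r"c:\windows",
    "lsass": r"c:\windows\system32", "services": r"c:\windows\system32",
    "winlogon": r"c:\windows\system32", "csrss": r"c:\windows\system32",
    "smss": r"c:\windows\system32", "spoolsv": r"c:\windows\system32",
    "rundll32": r"c:\windows\system32", "iexplore": r"c:\program files\internet explorer",
}

# Constructed sample: lines copied from the Find3M report in this thread, plus one
# line (the last) whose path comes from the log's Other Deletions section but whose
# timestamp and size are invented here to exercise the wrong-directory check.
SAMPLE = r"""
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-21 20:45:56 -------- d-----w C:\Program Files\epson
2007-04-16 22:09:18 32,768 ----a-w C:\WINDOWS\system32\svchtoost.exe
2007-04-16 19:01:06 28,416 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-04-16 19:01:05 22,784 ----a-w C:\WINDOWS\wml.exe
2007-04-16 19:01:04 23,296 ----a-w C:\WINDOWS\satmat.exe
2007-04-16 19:00:54 29,952 ----a-w C:\WINDOWS\7search.dll
2007-04-16 19:00:50 16,128 ----a-w C:\WINDOWS\stcloader.exe
2007-04-16 19:00:38 16,640 ----a-w C:\WINDOWS\180ax.exe
2007-04-06 23:35:00 71,168 ----a-w C:\WINDOWS\iexplorer.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-01-01 00:00:00 1,024 ----a-w C:\WINDOWS\system32\explorer.exe
"""


def parse_find3m(text):
    """Parse Find3M lines into Entry tuples; directory lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["attrs"].startswith("d"):
            continue
        size = int(m["size"].replace(",", ""))
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(ts, size, m["attrs"], m["path"]))
    return entries


def find_bursts(entries, gap_seconds=60, min_files=4):
    """Chain files whose write times are never more than gap_seconds apart and
    return the chains with at least min_files members, oldest first."""
    bursts, current = [], []
    for e in sorted(entries, key=lambda e: e.ts):
        if current and (e.ts - current[-1].ts).total_seconds() > gap_seconds:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(entries, max_distance=2):
    """Return (path, reason) for stems within max_distance edits of a core binary
    name, and for exact core names found outside their expected directory."""
    hits = []
    for e in entries:
        directory, _, filename = e.path.lower().rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if stem in KNOWN:
            if directory != KNOWN[stem]:
                hits.append((e.path, f"{stem} normally lives in {KNOWN[stem]}"))
            continue
        closest = min(KNOWN, key=lambda k: levenshtein(stem, k))
        d = levenshtein(stem, closest)
        if d <= max_distance:
            hits.append((e.path, f"name is {d} edit(s) from {closest}"))
    return hits


if __name__ == "__main__":
    entries = parse_find3m(SAMPLE)
    for burst in find_bursts(entries):
        print(f"burst of {len(burst)} files, {burst[0].ts} .. {burst[-1].ts}:")
        for e in burst:
            print("   ", e.path)
    for path, why in find_lookalikes(entries):
        print(f"lookalike: {path}: {why}")
```

The burst check is deliberately location-agnostic: a Windows Update run also writes many files within seconds, so use the directory (C:\WINDOWS root rather than system32 or a package folder) and the small, round file sizes as the second signal, as the helper does here. The edit-distance threshold of 2 is a trade-off; short stems will produce false matches if you lower the list to three- and four-letter names.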

#4 RichieUK

  • Malware Response Team

Posted 14 June 2007 - 06:45 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the following text:

Files to delete:
C:\WINDOWS\system32\qfbbogaf.dll
C:\WINDOWS\system32\svchtoost.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\updatetc.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\gtv_sd.bin

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {D5243A6C-CA1C-4213-848E-4E8409FF3537} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O9 - Extra button: (no name) - SOFTWARE - (no file) (HKCU)


*****************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

*****************************

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Post the Avenger output.txt,and a new Hijackthis log into your next reply.
Let me know how your pc is running now .


#5 picturesofme

Posted 14 June 2007 - 08:36 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gfxxbdpx

*******************

Script file located at: \??\C:\WINDOWS\system32\elfdkndq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\qfbbogaf.dll deleted successfully.
File C:\WINDOWS\system32\svchtoost.exe deleted successfully.
File C:\WINDOWS\system32\vxddsk.exe deleted successfully.
File C:\WINDOWS\vxddsk.exe deleted successfully.
File C:\WINDOWS\wml.exe deleted successfully.
File C:\WINDOWS\system32\wml.exe deleted successfully.
File C:\WINDOWS\satmat.exe deleted successfully.
File C:\WINDOWS\7search.dll deleted successfully.
File C:\WINDOWS\flt.dll deleted successfully.
File C:\WINDOWS\pbar.dll deleted successfully.
File C:\WINDOWS\voiceip.dll deleted successfully.
File C:\WINDOWS\stcloader.exe deleted successfully.
File C:\WINDOWS\swin32.dll deleted successfully.
File C:\WINDOWS\cdsm32.dll deleted successfully.
File C:\WINDOWS\bokja.exe deleted successfully.
File C:\WINDOWS\mspphe.dll deleted successfully.
File C:\WINDOWS\bjam.dll deleted successfully.
File C:\WINDOWS\system32\WER8274.DLL deleted successfully.
File C:\WINDOWS\system32\MSIXU.DLL deleted successfully.
File C:\WINDOWS\updatetc.exe deleted successfully.
File C:\WINDOWS\180ax.exe deleted successfully.
File C:\WINDOWS\salm.exe deleted successfully.
File C:\WINDOWS\saiemod.dll deleted successfully.
File C:\WINDOWS\system32\gtv_sd.bin deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


- - - - -

Logfile of HijackThis v1.99.1
Scan saved at 6:31:02 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Mike\Desktop\HJT\analyze.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [EndTask Pro] C:\Program Files\EndTask\EndTask Pro\EndTaskPro.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



Looking good! Thanks SO much. I really appreciate it.

#6 RichieUK

  • Malware Response Team

Posted 15 June 2007 - 01:58 AM

Your log is clean. According to your HijackThis log you haven't any programs running at startup; also there are no services showing.
Why is your log looking so sparsely populated?

#7 picturesofme

Posted 15 June 2007 - 12:00 PM

Your log is clean. According to your HijackThis log you haven't any programs running at startup; also there are no services showing.
Why is your log looking so sparsely populated?


I've removed the items I know to be safe from the list so that I can see anomalies more easily.

#8 RichieUK

  • Malware Response Team

Posted 15 June 2007 - 04:38 PM

If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix
Avenger

C:\VundoFix Backups
C:\Avenger
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html