
Smitfraud?!?


10 replies to this topic

#1 Engine34 (Members, 6 posts)

Posted 26 June 2007 - 08:38 PM

Hello, I have had pop-ups since my brother has been messing with my PC. I read and followed the instructions on this site on the steps to take (Ad-Aware, Spybot, HouseCall, McAfee Stinger, etc.) before resorting to HJT posts, with no luck so far. Any help would be much appreciated...

Logfile of HijackThis v1.99.1
Scan saved at 4:47:21 PM, on 6/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 27 June 2007 - 10:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Engine34 :thumbsup:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*****************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


*****************

Now go to:
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply.

#3 Engine34 (Topic Starter, Members, 6 posts)

Posted 05 July 2007 - 06:21 PM

I apologize for the wait and thank you for your help and patience. Here are the logs from Vundo, Combo and "abc.bat".


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 8:43:21 PM 7/4/2007

Listing files found while scanning....

C:\WINNT\system32\aybeg.bak1
C:\WINNT\system32\aybeg.bak2
C:\WINNT\system32\aybeg.ini
C:\WINNT\system32\erxvhbsa.dll
C:\WINNT\system32\gebya.dll
C:\WINNT\system32\nikuudst.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\aybeg.bak1
C:\WINNT\system32\aybeg.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\aybeg.bak2
C:\WINNT\system32\aybeg.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\aybeg.ini
C:\WINNT\system32\aybeg.ini Has been deleted!

Attempting to delete C:\WINNT\system32\gebya.dll
C:\WINNT\system32\gebya.dll Has been deleted!

Attempting to delete C:\WINNT\system32\nikuudst.dll
C:\WINNT\system32\nikuudst.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:59:29 PM 7/5/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


===========================================================================

Logfile of HijackThis v1.99.1
Scan saved at 7:16:37 PM, on 7/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2822F19C-C711-4A5C-938B-E08F4B373249} - (no file)
O2 - BHO: (no name) - {28323C43-A07A-4E13-A390-FC2CBEB9DCA2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5d794b6f-8624-4b72-a08f-882445f234f8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A9C6A96-AAB3-49F8-8778-22C87A1F6589} - C:\WINNT\system32\gebya.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: ddcaywt - ddcaywt.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
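The entries a HijackThis analyst reads first in the log above are the ones that point nowhere or hide who they belong to: the "(no name)" BHOs, the gebya.dll BHO marked "(file missing)", the O20 Winlogon Notify DLL and the "Unknown owner" service whose binary is gone. The following Python script is an added example, not code from this thread or from HijackThis: it parses HijackThis-format lines and reports exactly those entry types, so a reader can see the triage rules written down rather than applied by eye. The sample lines are constructed from entries quoted in this thread; the `KNOWN_GOOD_FRAGMENTS` allowlist (Spybot's SDHelper.dll, which is a legitimate nameless BHO) and the function names are assumptions of the example, not part of any tool.

```python
"""Triage helper for HijackThis v1.99.1-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries quoted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2822F19C-C711-4A5C-938B-E08F4B373249} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A9C6A96-AAB3-49F8-8778-22C87A1F6589} - C:\WINNT\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: ddcaywt - ddcaywt.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumption of this example: an analyst keeps a known-good list so that legitimate
# "(no name)" BHOs such as Spybot's SDHelper.dll do not show up as findings.
# Lower-case path fragments, matched against the lower-cased entry.
KNOWN_GOOD_FRAGMENTS = (r"\spybot~1\sdhelper.dll",)

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."; process-list lines do not match.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def explain(section, body):
    """Return the reasons an analyst would look twice at this entry (empty = unremarkable)."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("autostart points at a file that no longer exists "
                       "(orphaned entry, typically left behind by a partial removal)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at every logon")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor recorded")
    return reasons


def analyse_hjt(log_text):
    """Walk a HijackThis log and collect the entries with at least one reason."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the running-process list, blanks
        section, body = m.groups()
        if any(frag in body.lower() for frag in KNOWN_GOOD_FRAGMENTS):
            continue  # allowlisted, see KNOWN_GOOD_FRAGMENTS
        reasons = explain(section, body)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_HJT_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script reports four entries (the two orphaned "(no name)" BHOs, the O20 ddcaywt.dll entry and the Net Agent service) and stays silent on the Yahoo start page, the Acrobat BHO, ZoneAlarm and SDHelper. The allowlist is the weak point of any such rule set: a missing file or a nameless BHO is evidence, not proof, and every entry it surfaces still has to be looked up before a fix line is written.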

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 06 July 2007 - 02:36 AM

Post the entire contents of C:\ComboFix.txt into your next reply.

If you experienced problems with Combofix, do the following instead:
Download Deckard's System Scanner (DSS) and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#5 Engine34 (Topic Starter, Members, 6 posts)

Posted 07 July 2007 - 03:10 PM

Is this everything?


"Administrator" - 07/05/2007 19:01:36 - ComboFix 07-07-06 - Service Pack 4


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\msadehul.dll
C:\WINNT\system32\ndhyfnce.dll
C:\WINNT\system32\luhedasm.ini
C:\WINNT\system32\ecnfyhdn.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\267BSWVU\www.broadcaster.com
C:\DOCUME~1\ADMINI~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Windows Media Player\wuoqylihd.html
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINNT\cs_cache.ini
C:\WINNT\system32\_000311_.tmp.dll
C:\WINNT\system32\_000312_.tmp.dll
C:\WINNT\system32\_000315_.tmp.dll
C:\WINNT\system32\_000318_.tmp.dll
C:\WINNT\system32\_000321_.tmp.dll
C:\WINNT\system32\_000322_.tmp.dll
C:\WINNT\system32\_000323_.tmp.dll
C:\WINNT\system32\_000324_.tmp.dll
C:\WINNT\system32\_000325_.tmp.dll
C:\WINNT\system32\_000327_.tmp.dll
C:\WINNT\system32\_000329_.tmp.dll
C:\WINNT\system32\_000330_.tmp.dll
C:\WINNT\system32\_000331_.tmp.dll
C:\WINNT\system32\_000332_.tmp.dll
C:\WINNT\system32\_000333_.tmp.dll
C:\WINNT\system32\_000334_.tmp.dll
C:\WINNT\system32\_000335_.tmp.dll
C:\WINNT\system32\_000336_.tmp.dll
C:\WINNT\system32\_000337_.tmp.dll
C:\WINNT\system32\_000338_.tmp.dll
C:\WINNT\system32\_000340_.tmp.dll
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\o02PrEz
C:\WINNT\system32\win


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-05 19:00 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-04 20:43 <DIR> d-------- C:\VundoFix Backups
2007-07-04 16:49 4,672 --a------ C:\WINNT\system32\tyhpnkso.exe
2007-07-03 16:24 4,672 --a------ C:\WINNT\system32\ltdtyidc.exe
2007-07-03 16:15 4,672 --a------ C:\WINNT\system32\hbyvkafo.exe
2007-06-28 20:17 4,672 --a------ C:\WINNT\system32\cgxgxapm.exe
2007-06-27 19:11 4,672 --a------ C:\WINNT\system32\slnrdvjv.exe
2007-06-26 17:50 4,672 --a------ C:\WINNT\system32\naaeqquj.exe
2007-06-25 19:33 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-06-25 18:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-25 17:50 4,672 --a------ C:\WINNT\system32\acnnfxvj.exe
2007-06-24 14:48 4,672 --a------ C:\WINNT\system32\yalyxqkm.exe
2007-06-22 15:08 512 --a------ C:\ScanSectorLog.dat
2007-06-22 14:35 406,304 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2007-06-22 14:35 4,053,536 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2007-06-22 14:22 75,512 --a------ C:\WINNT\zllsputility.exe
2007-06-22 14:22 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-06-22 14:21 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-06-22 14:21 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-06-22 14:21 <DIR> d-a------ C:\WINNT\Internet Logs
2007-06-22 12:24 <DIR> d-------- C:\WINNT\system32\F5
2007-06-22 12:24 <DIR> d-------- C:\WINNT\system32\F4
2007-06-22 12:24 <DIR> d-------- C:\WINNT\system32\F3
2007-06-22 12:24 <DIR> d-------- C:\WINNT\system32\F2
2007-06-22 12:24 <DIR> d-------- C:\WINNT\system32\F1
2007-06-07 12:14 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 00:12:19 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_584.dat
2007-06-22 18:07:21 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-13 21:43:17 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 03:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
04-09-29 13:02 292947 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
03-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2822F19C-C711-4A5C-938B-E08F4B373249}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28323C43-A07A-4E13-A390-FC2CBEB9DCA2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
04-05-12 02:03 744960 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d794b6f-8624-4b72-a08f-882445f234f8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
07-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A9C6A96-AAB3-49F8-8778-22C87A1F6589}]
C:\WINNT\system32\gebya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"iRiver Updater"="\Updater.exe" [04-07-01 16:20 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05-10-18 11:58 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-11-24 11:44 ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03-10-31 19:42 ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05-02-22 21:05 ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [05-08-12 13:43 ]
"RFX_auto_upgrade"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [06-02-19 02:41 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\wuoqylihd.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaywt]
ddcaywt.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 19:10:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_38c.dat
C:\WINNT\system32\Perflib_Perfdata_584.dat
C:\WINNT\system32\Perflib_Perfdata_674.dat

scan completed successfully
hidden files: 3

**************************************************************************

Completion time: 2007-07-05 19:14:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-05 19:14

--- E O F ---





03-05-01 18:39	   58128	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000332_.tmp.dll.vir
03-06-19 14:05	   197392	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000330_.tmp.dll.vir
03-06-19 14:05	   259344	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000321_.tmp.dll.vir
03-06-19 14:05	   35088	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000318_.tmp.dll.vir
03-06-19 14:05	   45328	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000337_.tmp.dll.vir
03-06-19 14:05	   529168	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000331_.tmp.dll.vir
03-06-19 14:05	   81680	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000336_.tmp.dll.vir
03-06-19 14:05	   83728	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000338_.tmp.dll.vir
03-06-19 14:05	   89360	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000335_.tmp.dll.vir
03-10-02 15:17	   34064	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000324_.tmp.dll.vir
03-10-02 16:53	   96528	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000340_.tmp.dll.vir
04-02-25 18:59	   33552	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000322_.tmp.dll.vir
04-03-10 21:37	   123152	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000325_.tmp.dll.vir
04-03-23 21:17	   388368	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000315_.tmp.dll.vir
04-03-23 21:17	   388368	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000334_.tmp.dll.vir
04-03-23 21:17	   497936	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000312_.tmp.dll.vir
04-03-23 21:17	   49936	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000333_.tmp.dll.vir
04-03-23 21:17	   53520	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000323_.tmp.dll.vir
04-06-17 18:05	   712464	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000311_.tmp.dll.vir
04-09-02 15:03	   35088	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000327_.tmp.dll.vir
05-01-13 20:27	   36624	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\_000329_.tmp.dll.vir
07-01-12 15:00	   18031	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
07-03-06 10:59	   34494	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
07-04-24 11:21	   9248	--a------	C:\Qoobox\Quarantine\C\Temp\0b9\tmpTF.log.vir
07-06-12 09:08	   88064	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OuterinfoUpdate.exe.vir
07-06-12 09:09	   172032	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Outerinfo.dll.vir
07-06-12 09:11	   141064	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
07-06-12 09:11	   593920	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Outerinfo.exe.vir
07-06-19 05:38	   143	--a------	C:\Qoobox\Quarantine\C\Program Files\Windows Media Player\wuoqylihd.html.vir
07-06-22 12:24	   164787	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\drivers\core.cache.dsk.vir
07-06-22 12:24	   72832	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\drivers\core.sys.vir
07-06-22 12:27	   66824	--a------	C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OinUninstall.exe.vir
07-06-22 12:27	   930	--a------	C:\Qoobox\Quarantine\C\Temp\iee\tmpZTF.log.vir
07-06-22 13:14	   8424	--a------	C:\Qoobox\Quarantine\C\WINNT\cs_cache.ini.vir
07-06-26 17:53	   128576	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\msadehul.dll.vir
07-06-26 17:53	   345	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\luhedasm.ini.vir
07-06-27 19:20	   128576	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\ndhyfnce.dll.vir
07-06-27 19:20	   345	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\ecnfyhdn.ini.vir
07-07-05 19:04	   1120	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
07-07-05 19:04	   2608	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Net Agent.reg.cf
07-07-05 19:04	   814	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NET_AGENT.reg.cf
07-07-05 19:04	   950	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
07-07-05 19:04	   994	--a------	C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
07-07-05 19:05	   307	--a------	C:\Qoobox\Quarantine\catchme.log
07-07-05 19:05	   54674	--a------	C:\Qoobox\Quarantine\catchme2007-07-05_191051.23.zip


Folder PATH listing
Volume serial number is 0006FE80 149A:387D
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-07-05_191051.23.zip
	|   
	+---C
	|   +---DOCUME~1
	|   |   \---ADMINI~1
	|   |	   \---APPLIC~1
	|   |		   \---Macromedia
	|   |			   \---Flash Player
	|   |				   \---macromedia.com
	|   |					   \---support
	|   |						   \---flashplayer
	|   |							   \---sys
	|   |								   \---#www.broadcaster.com
	|   +---Program Files
	|   |   +---Outerinfo
	|   |   |	   OinUninstall.exe.vir
	|   |   |	   OiUninstaller.exe.vir
	|   |   |	   Outerinfo.dll.vir
	|   |   |	   Outerinfo.exe.vir
	|   |   |	   outerinfo.ico.vir
	|   |   |	   OuterinfoUpdate.exe.vir
	|   |   |	   Terms.rtf.vir
	|   |   |	   
	|   |   +---Windows Media Player
	|   |   |	   wuoqylihd.html.vir
	|   |   |	   
	|   |   \---WinPop
	|   +---Temp
	|   |   +---0b9
	|   |   |	   tmpTF.log.vir
	|   |   |	   
	|   |   \---iee
	|   |		   tmpZTF.log.vir
	|   |		   
	|   \---WINNT
	|	   |   cs_cache.ini.vir
	|	   |   
	|	   \---system32
	|		   |   ecnfyhdn.ini.vir
	|		   |   luhedasm.ini.vir
	|		   |   msadehul.dll.vir
	|		   |   ndhyfnce.dll.vir
	|		   |   _000311_.tmp.dll.vir
	|		   |   _000312_.tmp.dll.vir
	|		   |   _000315_.tmp.dll.vir
	|		   |   _000318_.tmp.dll.vir
	|		   |   _000321_.tmp.dll.vir
	|		   |   _000322_.tmp.dll.vir
	|		   |   _000323_.tmp.dll.vir
	|		   |   _000324_.tmp.dll.vir
	|		   |   _000325_.tmp.dll.vir
	|		   |   _000327_.tmp.dll.vir
	|		   |   _000329_.tmp.dll.vir
	|		   |   _000330_.tmp.dll.vir
	|		   |   _000331_.tmp.dll.vir
	|		   |   _000332_.tmp.dll.vir
	|		   |   _000333_.tmp.dll.vir
	|		   |   _000334_.tmp.dll.vir
	|		   |   _000335_.tmp.dll.vir
	|		   |   _000336_.tmp.dll.vir
	|		   |   _000337_.tmp.dll.vir
	|		   |   _000338_.tmp.dll.vir
	|		   |   _000340_.tmp.dll.vir
	|		   |   
	|		   \---drivers
	|				   core.cache.dsk.vir
	|				   core.sys.vir
	|				   
	\---Registry_backups
			LEGACY_CORE.reg.cf
			LEGACY_NET_AGENT.reg.cf
			LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
			services_core.reg.cf
			services_Net Agent.reg.cf


#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 07 July 2007 - 03:42 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINNT\system32\tyhpnkso.exe
C:\WINNT\system32\ltdtyidc.exe
C:\WINNT\system32\hbyvkafo.exe
C:\WINNT\system32\cgxgxapm.exe
C:\WINNT\system32\slnrdvjv.exe
C:\WINNT\system32\naaeqquj.exe
C:\WINNT\system32\acnnfxvj.exe
C:\WINNT\system32\yalyxqkm.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.
Also post a new HijackThis log please.

#7 Engine34

Engine34
  • Topic Starter

  • Members
  • 6 posts

Posted 08 July 2007 - 07:44 AM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lcjfdhuw

*******************

Script file located at: \??\C:\Program Files\pnuxqphe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\tyhpnkso.exe deleted successfully.
File C:\WINNT\system32\ltdtyidc.exe deleted successfully.
File C:\WINNT\system32\hbyvkafo.exe deleted successfully.
File C:\WINNT\system32\cgxgxapm.exe deleted successfully.
File C:\WINNT\system32\slnrdvjv.exe deleted successfully.
File C:\WINNT\system32\naaeqquj.exe deleted successfully.
File C:\WINNT\system32\acnnfxvj.exe deleted successfully.
File C:\WINNT\system32\yalyxqkm.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 8:42:45 AM, on 7/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Documents and Settings\Administrator\Desktop\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2822F19C-C711-4A5C-938B-E08F4B373249} - (no file)
O2 - BHO: (no name) - {28323C43-A07A-4E13-A390-FC2CBEB9DCA2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5d794b6f-8624-4b72-a08f-882445f234f8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A9C6A96-AAB3-49F8-8778-22C87A1F6589} - C:\WINNT\system32\gebya.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: ddcaywt - ddcaywt.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 July 2007 - 08:01 AM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {2822F19C-C711-4A5C-938B-E08F4B373249} - (no file)
O2 - BHO: (no name) - {28323C43-A07A-4E13-A390-FC2CBEB9DCA2} - (no file)
O2 - BHO: (no name) - {5d794b6f-8624-4b72-a08f-882445f234f8} - (no file)
O2 - BHO: (no name) - {7A9C6A96-AAB3-49F8-8778-22C87A1F6589} - C:\WINNT\system32\gebya.dll (file missing)
O20 - Winlogon Notify: ddcaywt - ddcaywt.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#9 Engine34

Engine34
  • Topic Starter

  • Members
  • 6 posts

Posted 10 July 2007 - 10:56 AM

Running much better so far




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/09/2007 at 06:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3266
Trace Rules Database Version: 1277

Scan type : Complete Scan
Total Scan Time : 00:44:59

Memory items scanned : 522
Memory threats detected : 0
Registry items scanned : 4615
Registry threats detected : 4
File items scanned : 23784
File threats detected : 4

Adware.ClickSpring/Outer Info Network
HKLM\Software\Outerinfo
HKLM\Software\Outerinfo#InstallDirectory
HKLM\Software\Outerinfo#REFID
HKLM\Software\Outerinfo#PID
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Outerinfo

Trojan.Downloader-ClickSpring/NDrv
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\OUTERINFO\OUTERINFO.DLL.VIR



Logfile of HijackThis v1.99.1
Scan saved at 11:51:22 AM, on 7/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 10 July 2007 - 01:06 PM

Your log is clean.
If all's ok, please do the following:

Find and delete:
VundoFix.exe
Combofix.exe
Avenger

C:\VundoFix Backups
C:\Avenger
C:\QOOBOX
----------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-----------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE).
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

-----------------------------------

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#11 Engine34

Engine34
  • Topic Starter

  • Members
  • 6 posts

Posted 20 July 2007 - 04:55 PM

I went away for a bit and came back to the PC running well for like three days, and now I am starting to get the pop-ups again. I'm starting to think I should just ditch the PC since it is prob time for a new one anyway...

Logfile of HijackThis v1.99.1
Scan saved at 5:54:24 PM, on 7/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\SSTEM~1\mshta.exe
C:\Documents and Settings\Administrator\My Documents\??mantec\?vchost.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HJT\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17311283-DD3A-FDEF-1C66-8C8DBA22D4CA} - C:\WINNT\system32\tkl.dll
O2 - BHO: (no name) - {2AE5CD68-716E-4C9A-BA0C-EA417A74E040} - C:\WINNT\system32\vtstr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\ljjjjjk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E24628169553B686D27652779E3F546CAC59B6
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Lawd] "C:\PROGRA~1\COMMON~1\SSTEM~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Dcq] "C:\Program Files\s?stem\l?gonui.exe"
O4 - HKCU\..\Run: [Hjzcpx] "C:\Documents and Settings\Administrator\My Documents\??mantec\?vchost.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljjjjjk - C:\WINNT\SYSTEM32\ljjjjjk.dll
O20 - Winlogon Notify: pmnno - C:\WINNT\system32\pmnno.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINNT\system32\vtstr.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
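Post #8 has HijackThis fix the orphaned O2/O20 entries, and the log in post #11 shows the later reinfection through Run keys whose paths contain characters HijackThis cannot render. The Python triage script below is an added example, not part of this thread or of HijackThis: it encodes those two checks plus a user-writable-directory heuristic (the rule set and directory list are assumptions of the example) and runs them over sample entry lines copied from the logs above.

```python
import re
from typing import List, Tuple

# Constructed sample: entry lines copied from the HijackThis logs posted in this
# thread (posts #7 and #11), trimmed to the entry types the triage looks at.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2822F19C-C711-4A5C-938B-E08F4B373249} - (no file)
O2 - BHO: (no name) - {7A9C6A96-AAB3-49F8-8778-22C87A1F6589} - C:\WINNT\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Hjzcpx] "C:\Documents and Settings\Administrator\My Documents\??mantec\?vchost.exe"
O4 - HKCU\..\Run: [Dcq] "C:\Program Files\s?stem\l?gonui.exe"
O20 - Winlogon Notify: ddcaywt - ddcaywt.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>O\d+|R\d)\s+-\s+(?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
FILE_KINDS = {"O2", "O3", "O4", "O20", "O23"}   # entry types that name a file
# Assumed heuristic: directories a standard user can write to without admin
# rights. An autorun entry pointing there deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


def extract_target(kind: str, body: str) -> str:
    """Pull the file path (without arguments) out of an entry body."""
    if kind == "O4":
        # Run-key form: [Name] "C:\path\prog.exe" -args
        # Startup-folder form: Name.lnk = C:\path\prog.exe
        m = re.search(r"\]\s*(.*)$", body) or re.search(r"=\s*(.*)$", body)
        cmd = m.group(1).strip() if m else body
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        m2 = re.match(r"(.*?\.(?:exe|dll|cpl|ocx))(?:\s|$)", cmd, re.IGNORECASE)
        return m2.group(1) if m2 else cmd.split(" ", 1)[0]
    # O2/O3/O20/O23: the file is the last " - " separated field
    return body.rsplit(" - ", 1)[-1].strip()


def triage(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis entry is suspicious."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group("kind") not in FILE_KINDS:
        return []
    kind, body = m.group("kind"), m.group("body")
    target = extract_target(kind, body)
    reasons = []
    if any(mark in body for mark in ORPHAN_MARKERS):
        reasons.append("orphaned entry: referenced file no longer exists")
    # '?' cannot occur in a Windows file name; HijackThis prints it for a
    # character it cannot render, so the real name is a look-alike of "svchost" etc.
    if "?" in target:
        reasons.append("unrenderable character in path: look-alike file name")
    if kind == "O4" and any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("autorun target lives in a user-writable directory")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage over a whole log and return the flagged lines with their reasons."""
    hits = []
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```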



