Computer infection - hijackthis log posted
catdrugn
Junior Member
8. April 2008 @ 16:31
I work for a non-profit agency w/no IT Dept so any help is greatly appreciated. Computer has a few bugs: Desktop has been replaced by a notice saying that the computer is "infected". Plus I'm getting the "you're infected" pop-ups, etc.

I've run Spy-bot several times and it got rid of some stuff but some items continue to return.

Here's the log from Hijackthis - would someone be kind enough to let me know how to proceed?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:49 PM, on 4/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA5754] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8304] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7611 bytes
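A first pass over a log like the one above is mostly pattern matching: an extra program in the UserInit list, anything at all in AppInit_DLLs, a Downloaded Program File fetched through the ms-its:/mhtml: handlers, a Run key that names a bare file instead of a full path, and network settings (proxy, resolvers) that should be checked against what the site actually uses. The Python below is an added example for this thread, not HijackThis's own logic and not something the posters ran; it applies those checks to a subset of lines copied from the posted log, and the verdict strings are this example's own wording.

```python
"""Added example: first-pass triage of HijackThis (HJT) log entries.

The rules below are simple pattern checks chosen to illustrate what an
analyst looks for in a log like the one posted above; they are not
HijackThis's own logic and say nothing about entries they do not match.
"""
import re

# Subset of lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def _userinit_extras(value):
    """Everything in the UserInit list besides the real userinit.exe.

    Winlogon runs each comma-separated program at logon, so any extra
    entry is an autostart that survives most cleanup tools."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def triage(log_text):
    """Return (entry_type, reason, line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()

        if kind == "F2" and "UserInit=" in body:
            for extra in _userinit_extras(body.split("UserInit=", 1)[1]):
                findings.append((kind, f"extra UserInit executable {extra}", line))

        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # loaded into every process that maps user32.dll
                findings.append((kind, f"AppInit_DLLs injects {dlls}", line))

        elif kind == "O16" and ("ms-its:" in body.lower() or "mhtml:" in body.lower()):
            findings.append((kind, "Downloaded Program File via ms-its:/mhtml: handler", line))

        elif kind == "O4":
            m4 = RUN_RE.search(body)
            if m4 and "\\" not in m4.group("cmd"):
                # A bare file name is resolved through the search path, so the
                # log alone does not tell you which binary actually runs.
                findings.append((kind, f"unqualified path in Run key: {m4.group('cmd')}", line))

        elif kind == "R1" and "ProxyServer =" in body:
            proxy = body.split("ProxyServer =", 1)[1].strip()
            findings.append((kind, f"proxy configured ({proxy}); confirm it is the site proxy", line))

        elif kind == "O17" and "NameServer =" in body:
            dns = body.split("NameServer =", 1)[1].strip()
            findings.append((kind, f"resolvers set to {dns}; confirm they are the expected ones", line))

    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason}\n     {line}")
```

Run as-is, it reports six of the eight sample entries and stays silent on the fully-qualified Intel tray entry and the O23 service. The proxy and resolver rules deliberately report for review rather than condemn: on a managed network such as this one a proxy address is expected, and only someone who knows the site can say whether 204.52.66.123 is it.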
catdrugn
Junior Member
9. April 2008 @ 23:56
Any help, please?
Member
10. April 2008 @ 08:33
Hey catdrugn,

Please be patient while I review your log, and please do NOT download or fix anything until I give you instructions to. Thanks for your patience. :)

~Ltangel~

Windows and system security is my priority.
Member
10. April 2008 @ 08:55
Hey catdrugn,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------


- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Go!

~Ltangel~


Windows and system security is my priority.
catdrugn
Junior Member
11. April 2008 @ 13:25
Thanks ltangel, I'll get to work on this as soon as I get off shift!
catdrugn
Junior Member
15. April 2008 @ 23:56
Ltangel, thanks for your instructions and your patience.

Combo log and hijack log are as follows:

ComboFix 08-04-15.1 - Administrator 2008-04-15 20:29:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4.tmp
C:\A.tmp
C:\D.tmp
C:\Documents and Settings\Administrator\Application Data\WinIFixer.com
C:\Documents and Settings\valor\Application Data\YSTEM~1
C:\Program Files\AntiVirusPro
C:\Program Files\Outlook Express\pywefene89104.dll
C:\Program Files\wnsxs~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM5ff71d4c.xml
C:\WINDOWS\braviax.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cru629.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\000090.exe
C:\WINDOWS\SYSTEM32\48833.exe
C:\WINDOWS\SYSTEM32\almjwgpi.ini
C:\WINDOWS\system32\awttrrr.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\bxsosaqj.dll
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\d4
C:\WINDOWS\system32\d4\thudll5502.exe
C:\WINDOWS\system32\dfmtecst.dll
C:\WINDOWS\system32\drivers\Eim61.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\USB80233.sys
C:\WINDOWS\system32\drivers\VGY41.sys
C:\WINDOWS\system32\e5
C:\WINDOWS\system32\fccaxwx.dll
C:\WINDOWS\system32\ffynhckl.dll
C:\WINDOWS\system32\fotxkxyp.dll
C:\WINDOWS\system32\g7
C:\WINDOWS\system32\g7\nopz89104.exe
C:\WINDOWS\system32\hanhgqxk.dll
C:\WINDOWS\system32\hwtbafpe.dll
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ihpvnqgn.dll
C:\WINDOWS\system32\ipgwjmla.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\SYSTEM32\iunfprlr.ini
C:\WINDOWS\system32\jpsdasir.dll
C:\WINDOWS\SYSTEM32\jqasosxb.ini
C:\WINDOWS\system32\judyhlsn.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nohwuljr.dll
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmmmn.dll
C:\WINDOWS\SYSTEM32\pqtss.ini
C:\WINDOWS\SYSTEM32\pqtss.ini2
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\rlrpfnui.dll
C:\WINDOWS\system32\rqrspmk.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\SYSTEM32\tscetmfd.ini
C:\WINDOWS\system32\urqrpnm.dll
C:\WINDOWS\system32\users32.da_
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\vhaeqqcc.dll
C:\WINDOWS\system32\w8
C:\WINDOWS\system32\w8\jecolb14.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xxyayyy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DHLP
-------\Legacy_EIM61
-------\Legacy_LANMANDRV
-------\Legacy_NETWORK_MONITOR
-------\Legacy_USB80233
-------\Legacy_VGY41
-------\Service_Eim61
-------\Service_lanmandrv
-------\Service_USB80233
-------\Service_Vgy41
-------\Service_VGY41


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\20.tmp
2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\1F.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\25.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\24.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\23.tmp
2008-04-15 20:21 . 2008-04-15 20:21 0 --a------ C:\22.tmp
2008-04-10 23:19 . 2008-04-10 23:19 167,545 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-08 14:23 . 2008-04-08 14:24 48,640 --a------ C:\21.tmp
2008-04-08 14:23 . 2008-04-08 14:23 47,104 --a------ C:\13.tmp
2008-04-08 14:23 . 2008-04-08 14:23 2 --a------ C:\1E.tmp
2008-04-08 14:23 . 2008-04-08 14:23 0 --a------ C:\14.tmp
2008-04-08 13:56 . 2008-04-08 15:32 2,932 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-08 13:53 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-08 13:53 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-08 13:53 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-08 13:53 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-08 13:53 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-08 13:53 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-08 13:53 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 12:05 . 2008-04-08 12:05 0 --a------ C:\1D.tmp
2008-04-08 12:04 . 2008-04-08 12:04 2 --a------ C:\12.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\E.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\1C.tmp
2008-04-08 12:04 . 2008-04-08 12:04 0 --a------ C:\1B.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\F.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\11.tmp
2008-04-08 11:22 . 2008-04-08 11:22 0 --a------ C:\10.tmp
2008-04-08 11:21 . 2008-04-08 11:21 2 --a------ C:\C.tmp
2008-04-08 11:21 . 2008-04-08 11:21 0 --a------ C:\B.tmp
2008-04-08 10:36 . 2008-04-08 10:36 0 --a------ C:\9.tmp
2008-04-08 10:36 . 2008-04-08 10:36 0 --a------ C:\8.tmp
2008-04-08 10:35 . 2008-04-08 10:35 2 --a------ C:\6.tmp
2008-04-08 10:35 . 2008-04-08 10:35 0 --a------ C:\7.tmp
2008-04-08 10:35 . 2008-04-08 10:35 0 --a------ C:\5.tmp
2008-04-08 10:30 . 2008-04-08 15:04 481 --a------ C:\WINDOWS\wininit.ini
2008-04-08 10:00 . 2008-04-08 10:00 3,648 --a------ C:\WINDOWS\SYSTEM32\mbreseti.dll
2008-04-08 09:49 . 2008-04-08 09:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 09:49 . 2008-04-08 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 09:46 . 2008-04-08 09:46 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-04-08 09:46 . 2008-04-08 09:46 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-04-08 09:46 . 2008-04-08 09:46 40,960 --a------ C:\WINDOWS\SYSTEM32\zentray.exe
2008-04-08 09:46 . 2008-04-08 09:46 28,672 --a------ C:\WINDOWS\SYSTEM32\dpmw32.exe
2008-04-08 09:45 . 2008-04-08 09:45 0 --a------ C:\1A.tmp
2008-04-08 09:44 . 2008-04-08 09:44 0 --a------ C:\19.tmp
2008-04-08 09:44 . 2008-04-08 09:44 0 --a------ C:\18.tmp
2008-04-08 09:43 . 2008-04-08 09:44 47,104 --a------ C:\15.tmp
2008-04-08 09:43 . 2008-04-08 09:44 2 --a------ C:\17.tmp
2008-04-08 09:43 . 2008-04-08 09:43 0 --a------ C:\16.tmp
2008-04-08 09:42 . 2008-04-08 09:42 269,334 --a------ C:\WINDOWS\SYSTEM32\cbihknidor.bmp
2008-04-08 09:05 . 2008-04-08 10:06 414 --ahs---- C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
2008-04-08 08:54 . 2008-04-08 08:54 269,334 --a------ C:\WINDOWS\SYSTEM32\ofetsbqdojmtgf.bmp
2008-04-08 08:50 . 2008-04-08 08:50 269,334 --a------ C:\WINDOWS\SYSTEM32\ahobihsjipgf.bmp
2008-03-21 11:38 . 2008-03-21 11:38 269,334 --a------ C:\WINDOWS\SYSTEM32\kbahojmtkbql.bmp
2008-03-21 11:27 . 2008-03-21 11:36 <DIR> d-------- C:\Program Files\Spy-Rid
2008-03-21 11:27 . 2008-03-21 11:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\spy-rid.com
2008-03-21 11:24 . 2008-03-21 11:24 269,334 --a------ C:\WINDOWS\SYSTEM32\nqhsjmhobql.bmp
2008-03-21 04:27 . 2008-03-21 04:27 269,334 --a------ C:\WINDOWS\SYSTEM32\gbitknedkjih.bmp
2008-03-21 03:41 . 2008-03-21 03:41 31,355 ---hs---- C:\WINDOWS\SYSTEM32\DRIVERS\ctfmon.exe
2008-03-21 02:40 . 2008-03-21 02:40 269,334 --a------ C:\WINDOWS\SYSTEM32\ihcbatkbmhon.bmp
2008-03-21 02:35 . 2008-03-21 02:35 269,334 --a------ C:\WINDOWS\SYSTEM32\epsjmlsnml.bmp
2008-03-21 01:34 . 2008-03-21 01:34 269,334 --a------ C:\WINDOWS\SYSTEM32\ihcbalkbmh.bmp
2008-03-21 00:59 . 2008-03-21 00:59 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-21 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-21 00:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-20 07:15 . 2008-03-20 07:15 269,334 --a------ C:\WINDOWS\SYSTEM32\ahonitkfqd.bmp
2008-03-20 06:01 . 2008-03-20 06:01 269,334 --a------ C:\WINDOWS\SYSTEM32\ehkjqhsral.bmp
2008-03-20 02:48 . 2008-03-20 02:48 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-20 02:17 . 2008-03-20 02:17 <DIR> d-------- C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
2008-03-20 02:16 . 2008-03-20 02:25 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-03-19 23:13 . 2008-03-19 23:13 269,334 --a------ C:\WINDOWS\SYSTEM32\kjmhobehsnahcj.bmp
2008-03-19 06:29 . 2008-03-19 06:29 269,334 --a------ C:\WINDOWS\SYSTEM32\fihorqhcbel.bmp
2008-03-19 06:03 . 2008-03-19 06:03 47,104 --a------ C:\bCST.exe
2008-03-19 05:51 . 2008-03-19 05:51 269,334 --a------ C:\WINDOWS\SYSTEM32\mhofml.bmp
2008-03-19 05:49 . 2008-03-19 05:49 59,392 --a------ C:\qcojteuj.exe
2008-03-19 05:49 . 2008-03-19 05:49 58,368 --a------ C:\ihso.exe
2008-03-19 05:49 . 2008-03-19 05:49 14,336 --a------ C:\opgr.exe
2008-03-19 05:49 . 2008-03-19 05:49 13,824 --a------ C:\dgfus.exe
2008-03-19 05:49 . 2008-03-19 05:49 92 --a------ C:\delself.bat
2008-03-19 05:26 . 2008-03-19 05:26 269,334 --a------ C:\WINDOWS\SYSTEM32\gbmlgjelkreh.bmp
2008-03-19 04:22 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-03-19 04:22 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-03-19 04:22 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-03-19 04:22 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-03-19 04:18 . 2008-03-20 03:31 1,533,190 --ahs---- C:\WINDOWS\SYSTEM32\mmfpmjvk.ini
2008-03-19 03:17 . 2004-03-29 18:48 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2008-03-19 03:17 . 2004-03-10 10:59 593,408 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\xpsp2res.dll
2008-03-19 03:17 . 2004-03-29 18:48 548,352 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2008-03-19 03:17 . 2004-03-29 18:48 439,808 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2008-03-19 03:17 . 2004-03-29 18:48 253,440 --a------ C:\WINDOWS\SYSTEM32\h323.tsp
2008-03-19 03:17 . 2004-03-29 18:48 40,960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\evtgprov.dll
2008-03-19 03:17 . 2004-03-29 18:48 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2008-03-19 03:13 . 2005-10-20 15:33 991,232 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-03-19 03:07 . 2008-03-19 03:07 269,334 --a------ C:\WINDOWS\SYSTEM32\itkfqtgrmh.bmp
2008-03-19 01:27 . 2008-03-19 01:27 269,334 --a------ C:\WINDOWS\SYSTEM32\mhcnipknmh.bmp
2008-03-18 23:08 . 2008-03-18 23:08 269,334 --a------ C:\WINDOWS\SYSTEM32\japgn.bmp
2008-03-18 02:10 . 2008-03-18 02:10 269,334 --a------ C:\WINDOWS\SYSTEM32\psfepcbmlkr.bmp
2008-03-18 01:53 . 2008-03-18 04:37 19,968 --a------ C:\DO NOT USE INTERNET UNTIL THE SYSTEM CAN BE CLEANED OF SPYWARE.doc
2008-03-18 01:49 . 2008-03-18 01:49 269,334 --a------ C:\WINDOWS\SYSTEM32\srqdgnepcrihgf.bmp
2008-03-18 01:12 . 2008-03-18 01:12 269,334 --a------ C:\WINDOWS\SYSTEM32\sralsfmlsbqpcr.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:07 --------- d-----w C:\Program Files\DivX
2008-04-08 17:35 --------- d-----w C:\Program Files\QuickTime
2008-03-15 17:30 --------- d-----w C:\Documents and Settings\valor\Application Data\TrustedAntivirus
2008-03-15 17:29 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-14 11:53 0 --sha-w C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
2008-03-13 12:17 844 ----a-w C:\Documents and Settings\valor\win.exe
2008-03-09 03:05 --------- d-----w C:\Program Files\Java
2008-02-12 20:46 3,113,024 ----a-w C:\Program Files\ica32t.exe
2007-07-16 17:31 18,164,640 ----a-w C:\Program Files\aaw2007.exe
2006-12-07 16:28 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DD62512-6C11-42C9-9BD8-846B13B3D524}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF421255-5C36-4B91-A162-E19F4813419F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
"braviax"="braviax.exe" []
"NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-05-05 18:34 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrspmk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 02:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 02:31]
R2 BlankScr;HBDevice;C:\WINDOWS\System32\drivers\BlankScr.sys [2003-03-18 15:26]
R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys [2003-03-18 12:16]
R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys [2003-03-18 12:16]
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 11:40]
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 11:59]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 03:00]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-03-10 16:10]
S3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\System32\drivers\novell\nscmnt.sys [2002-07-12 07:36]
S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\System32\drivers\novell\xauthnt.sys [2002-06-17 12:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 19:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 20:41:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ntos.exe 516608 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-15 20:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 03:45:31

Pre-Run: 30,814,105,600 bytes free
Post-Run: 30,768,300,032 bytes free
.
2008-03-21 10:10:53 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:01 PM, on 4/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7507 bytes


I'll leave computer as is and await further instructions - thank you!
Member
16. April 2008 @ 09:29
Hey,

Thanks for posting the logs requested, it'll take a while for me to look at it. Please be patient and don't download/fix anything meanwhile. If there are any further problems arising, please post on here.

~Ltangel~

Windows and system security is my priority.
Member
16. April 2008 @ 10:18
Hey catdrugn,

Important! You have a trojan on your computer that can steal your private information such as passwords, account details etc. It is extremely crucial to notify your bank or any other relevant organisations to change your personal details if you have ever entered this information on the computer!

Please read through the entire instructions and make sure you understand them before proceeding to commence.

From your log, you are seriously infected with several pieces of malware, but we'll remove all of them. :)

Before we proceed with the fix, please disable all your resident protection on your computer. (In this case, please disable Spybot Teatimer)

1) Scan with SmitfraudFix

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


2) Scan with F-Secure Blacklight

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.

- Open a command window by going to Start > Run and typing: cmd
- Copy/paste or type the following in the command window: C:\fsbl.exe /expert
- Hit "Enter" to start the program and then close the cmd box.
- Accept the user agreement and click "Next".
- Click "Scan".
- After the scan is complete, click "Next", then "Exit".
- BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
- The log will have a list of all items found. Do not choose to rename any yet!
  I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
- Exit Blacklight and post the contents of the log in your next reply.

In your next reply (please include):

F-Secure Blacklight scan log
SmitfraudFix report


Go!

~Ltangel~

Windows and system security is my priority.
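Ltangel's verdict above rests on a handful of lines in the HijackThis log: the F2 UserInit value with a second executable appended, an O4 Run entry with no path, statically set O17 name servers and an HKCU proxy. As an added example that is not part of the thread or of HijackThis itself, the Python below applies those same checks to lines copied from the log; the severity labels, the expected Userinit constant and the function names are my own assumptions.

```python
"""Heuristic triage of HijackThis-format log lines (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, HijackThis section, detail)

# On XP the Userinit value is normally exactly this one path plus a trailing
# comma; anything listed after it is started at every interactive logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus one clean O23 line for contrast. Embedded so the example
# runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def check_userinit(value: str) -> List[Finding]:
    """Flag every Userinit entry other than the expected userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [("high", "F2", f"extra Userinit entry: {e}")
            for e in entries if e.lower() != EXPECTED_USERINIT]


def check_run_entry(command: str) -> List[Finding]:
    """Flag O4 Run values whose executable carries no directory.

    Such entries are resolved through the search path. Malware uses the
    trick, but so do some legitimate installers (NWTRAY.EXE in this log),
    so the result is 'review', not 'malicious'.
    """
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return []
    exe = m.group(1) or m.group(2)
    if "\\" not in exe and "/" not in exe:
        return [("review", "O4", f"pathless Run entry: {exe}")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect findings from the checked sections."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("F2 ") and "UserInit=" in line:
            findings += check_userinit(line.split("UserInit=", 1)[1])
        elif line.startswith("O4 "):
            # "O4 - HKLM\..\Run: [name] command" -> keep the command part.
            _, _, command = line.partition("] ")
            findings += check_run_entry(command)
        elif line.startswith("O17 ") and "NameServer" in line:
            # Static resolvers override DHCP; compare them with the
            # DhcpNameServer values SmitfraudFix prints in its DNS section.
            servers = line.split("=", 1)[1].strip()
            findings.append(("review", "O17", f"static DNS servers: {servers}"))
        elif line.startswith("R1 ") and "ProxyServer" in line:
            # A per-user proxy is common on managed networks but also a
            # classic interception point, so it gets a look either way.
            proxy = line.split("=", 1)[1].strip()
            findings.append(("review", "R1", f"user proxy set: {proxy}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {detail}")
```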
catdrugn
Junior Member
16. April 2008 @ 11:33
Ltangel,

F-Secure Blacklight scan log and Smitfraudfix report are as follows:

04/16/08 08:18:58 [Info]: BlackLight Engine 1.0.70 initialized
04/16/08 08:18:58 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/16/08 08:18:58 [Note]: 7019 4
04/16/08 08:18:58 [Note]: 7005 0
04/16/08 08:19:06 [Note]: 7006 0
04/16/08 08:19:06 [Note]: 7022 0
04/16/08 08:19:06 [Note]: 7011 704
04/16/08 08:19:06 [Note]: 7035 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:06 [Note]: 7026 0
04/16/08 08:19:08 [Note]: FSRAW library version 1.7.1024
04/16/08 08:23:24 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ntos.exe
04/16/08 08:23:24 [Note]: 7002 0
04/16/08 08:23:24 [Note]: 7003 1
04/16/08 08:23:24 [Note]: 10002 1
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\00014541.uf
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\audio.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:23:28 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\wsnpoem\video.dll
04/16/08 08:23:28 [Note]: 7002 0
04/16/08 08:23:28 [Note]: 7003 1
04/16/08 08:23:28 [Note]: 10002 3
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:25:01 [Note]: 2000 1012
04/16/08 08:28:18 [Note]: 7007 0


SmitFraudFix v2.314

Scan done at 8:13:04.93, Wed 04/16/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Will await further instruction. Thanks!
gttdi
Member
16. April 2008 @ 13:34
catdrugn
Junior Member
16. April 2008 @ 22:19
Hi gttdi - I see you've re-posted my latest logs to Ltangel, but I'm not sure why....? Something I should be doing?
Member
17. April 2008 @ 08:18
Hey catdrugn,

Please follow my instructions closely, and ask if you have any doubts.

Ensure that your Spybot teatimer is disabled before fixing.

1) Rename with F-Secure

Now use Blacklight in exactly the same way as before, but when it shows the list of the items found, select each entry (EXCEPT TCPTEST.EXE & WBEMTEST.EXE) and choose to let Blacklight rename them by clicking the Rename button.
- Next to each entry, "rename" should appear.
- Click "Next".
- Blacklight will give you a warning if you are sure. Click "Yes".
- Then it will tell you: "Your computer will reboot now"
- Click "Yes".


2) Clean with SmitfraudFix

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


3) Uninstall programs

Please go to Add or Remove Programs in Control Panel, and remove the following programs:

Spy-Rid
EasySpywareCleaner
DivX
PartyGaming


Reboot your computer.


4) Fix with ComboFix

1. Please open Notepad

- Click Start, then Run
- Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the quotebox below into the Notepad window:

Quote:
File::
C:\20.tmp
C:\1F.tmp
C:\25.tmp
C:\24.tmp
C:\23.tmp
C:\22.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\21.tmp
C:\13.tmp
C:\1E.tmp
C:\14.tmp
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\1D.tmp
C:\12.tmp
C:\E.tmp
C:\1C.tmp
C:\1B.tmp
C:\F.tmp
C:\11.tmp
C:\10.tmp
C:\C.tmp
C:\B.tmp
C:\9.tmp
C:\8.tmp
C:\6.tmp
C:\7.tmp
C:\5.tmp
C:\WINDOWS\SYSTEM32\mbreseti.dll
C:\1A.tmp
C:\19.tmp
C:\18.tmp
C:\15.tmp
C:\17.tmp
C:\16.tmp
C:\WINDOWS\SYSTEM32\cbihknidor.bmp
C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
C:\WINDOWS\SYSTEM32\ofetsbqdojmtgf.bmp
C:\WINDOWS\SYSTEM32\ahobihsjipgf.bmp
C:\WINDOWS\SYSTEM32\kbahojmtkbql.bmp
C:\WINDOWS\SYSTEM32\nqhsjmhobql.bmp
C:\WINDOWS\SYSTEM32\gbitknedkjih.bmp
C:\WINDOWS\SYSTEM32\DRIVERS\ctfmon.exe
C:\WINDOWS\SYSTEM32\ihcbatkbmhon.bmp
C:\WINDOWS\SYSTEM32\epsjmlsnml.bmp
C:\WINDOWS\SYSTEM32\ihcbalkbmh.bmp
C:\WINDOWS\SYSTEM32\ahonitkfqd.bmp
C:\WINDOWS\SYSTEM32\ehkjqhsral.bmp
C:\WINDOWS\SYSTEM32\kjmhobehsnahcj.bmp
C:\WINDOWS\SYSTEM32\fihorqhcbel.bmp
C:\bCST.exe
C:\WINDOWS\SYSTEM32\mhofml.bmp
C:\qcojteuj.exe
C:\ihso.exe
C:\opgr.exe
C:\dgfus.exe
C:\delself.bat
C:\WINDOWS\SYSTEM32\gbmlgjelkreh.bmp
C:\WINDOWS\SYSTEM32\mmfpmjvk.ini
C:\WINDOWS\SYSTEM32\h323msp.dll
C:\WINDOWS\SYSTEM32\h323.tsp
C:\WINDOWS\SYSTEM32\mf3216.dll
C:\WINDOWS\SYSTEM32\itkfqtgrmh.bmp
C:\WINDOWS\SYSTEM32\mhcnipknmh.bmp
C:\WINDOWS\SYSTEM32\japgn.bmp
C:\WINDOWS\SYSTEM32\psfepcbmlkr.bmp
C:\WINDOWS\SYSTEM32\srqdgnepcrihgf.bmp
C:\WINDOWS\SYSTEM32\sralsfmlsbqpcr.bmp
C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
C:\Documents and Settings\valor\win.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem.sys

Folder::
C:\Program Files\Spy-Rid
C:\Documents and Settings\Administrator\Application Data\spy-rid.com
C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner
C:\Program Files\DivX
C:\Documents and Settings\valor\Application Data\TrustedAntivirus

Driver::
Legacy_CMDSERVICE
Legacy_DHLP
Legacy_EIM61
Legacy_LANMANDRV
Legacy_NETWORK_MONITOR
Legacy_USB80233
Legacy_VGY41
Service_Eim61
Service_lanmandrv
Service_USB80233
Service_Vgy41
Service_VGY41

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DD62512-6C11-42C9-9BD8-846B13B3D524}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF421255-5C36-4B91-A162-E19F4813419F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrspmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.

In your next reply (please include):

Fresh HijackThis log
C:\rapport.txt
C:\ComboFix.txt
Description of how the computer is performing


Go!

~Ltangel~

Windows and system security is my priority.
catdrugn
Junior Member
17. April 2008 @ 17:35
Hi Ltangel,

Before I post the logs I want to tell you about a few difficulties from the last set of instructions:

1 - Rename with F-Secure: after the scan, F-Secure showed 4 files to rename:
00014541.uf
audio.dll
ntos.exe
video.dll
I followed the renaming instructions and a new window opened that read "...could not clean c:\windows\system32\ntos.exe"
I clicked ok and let the program finish its thing.

2 - Cleaning with Smitfraudfix: No problems

3 - Uninstall programs: I went to Control Panel then Add/Delete Programs. The programs to be deleted were not included on the list of programs shown. I was not able to complete this step.

4 - Fix with Combofix: I created the notepad file as instructed. When I dragged it to the Combofix icon a very small window opened up with a progress bar in it. Once the bar filled up (I hope this makes sense) nothing happened. I was expecting Combofix to open and run again but it did not. Consequently, there was not a new Combofix log in my C drive, only the old log from 4/15.

As far as performance, the computer is running quite normal. There are no spyware pop-ups and my desktop is no longer host to a spyware warning.

But here are the other two logs you asked for (new hijack and rapport):

SmitFraudFix v2.314

Scan done at 13:49:01.28, Thu 04/17/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB91A349-31D2-4187-8317-D5017DD0E4A5}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:42 PM, on 4/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7432 bytes
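The log above is the kind of thing a helper reads by hand, looking for the few lines that matter (the extra program in the F2 UserInit chain, a Run value with no path, an O16 download pointing at a local .chm). As an added example, not part of this thread and not HijackThis code, here is a small Python triage script that applies those same indicator patterns to lines in the formats the thread's logs use. The sample lines are constructed in the log's shapes; the severity labels and the choice of checks are mine, and the expected UserInit path assumes a default Windows XP install on C:.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code)."""
import re
from typing import Dict, List

# Constructed sample: log lines in the same shapes as the thread's HijackThis logs.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# The only program a default Windows XP install puts in the UserInit chain
# (assumption: Windows lives in C:\WINDOWS; adjust for other layouts).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def first_token(cmd: str) -> str:
    """Return the program part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per entry that matches an indicator pattern."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, kind: str, item: str, reason: str) -> None:
        findings.append({"severity": severity, "kind": kind, "item": item, "reason": reason})

    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")

        if kind == "F2" and "UserInit=" in rest:
            # F2 shows the UserInit chain; anything besides userinit.exe is
            # started at every interactive logon.
            chain = [p for p in rest.split("UserInit=", 1)[1].split(",") if p]
            for prog in chain:
                if prog.lower() != EXPECTED_USERINIT:
                    add("high", kind, prog, "extra program chained into UserInit")

        elif kind == "O4":
            o4 = O4_RE.match(rest)
            if not o4:
                continue  # e.g. Global Startup .lnk entries; not handled here
            cmd = o4.group("cmd")
            if re.search(r"\bdel\b", cmd):
                # A RunOnce 'del' is a cleaner's scheduled deletion; the quoted
                # path tells you what it was still trying to remove.
                q = re.search(r'"([^"]+)"', cmd)
                add("info", kind, q.group(1) if q else cmd, "scheduled deletion left in RunOnce")
            elif "\\" not in first_token(cmd):
                # No directory given: the name is resolved through the search
                # path, so which file actually runs has to be checked by hand.
                add("medium", kind, first_token(cmd), "Run value is a bare file name")

        elif kind == "O16" and re.search(r"\b(ms-its|mhtml):", rest, re.IGNORECASE):
            # Download Program Files entries normally point at an http(s) .cab;
            # ms-its/mhtml here loads an OCX out of a local .chm/.mht container.
            add("high", kind, rest, "DPF entry uses ms-its/mhtml instead of a plain download URL")

        elif kind == "O17":
            ns = re.search(r"NameServer = (\S+)", rest)
            if ns:
                add("info", kind, ns.group(1), "DNS servers in use; confirm they are the ones you expect")

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['kind']}: {f['item']}  ({f['reason']})")
```

The bare-name rule deliberately flags NWTRAY.EXE alongside braviax.exe: the heuristic only says "verify which file this resolves to", and the reviewer, not the script, decides that one is a Novell tray applet and the other is not.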
Member
18. April 2008 @ 12:31
Hey catdrugn,

Good to hear that the alerts are gone and that your computer is running better. :) About the problems you faced during the fix, do not worry. I'll find another way around.

1) Move malicious files with OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator")
[*] Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem.sys
C:\WINDOWS\system32\braviax.exe

[*] Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window (under the light yellow bar) and choose Paste.
[*] Click the red Moveit! button.
[*] A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
[*] Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


2) Fix with ComboFix

Let's try running ComboFix again.

1. Please open Notepad

[*] Click Start, then Run
[*] Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the quote box below into the Notepad window:

Quote:
File::
C:\20.tmp
C:\1F.tmp
C:\25.tmp
C:\24.tmp
C:\23.tmp
C:\22.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\21.tmp
C:\13.tmp
C:\1E.tmp
C:\14.tmp
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\1D.tmp
C:\12.tmp
C:\E.tmp
C:\1C.tmp
C:\1B.tmp
C:\F.tmp
C:\11.tmp
C:\10.tmp
C:\C.tmp
C:\B.tmp
C:\9.tmp
C:\8.tmp
C:\6.tmp
C:\7.tmp
C:\5.tmp
C:\WINDOWS\SYSTEM32\mbreseti.dll
C:\1A.tmp
C:\19.tmp
C:\18.tmp
C:\15.tmp
C:\17.tmp
C:\16.tmp
C:\WINDOWS\SYSTEM32\cbihknidor.bmp
C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
C:\WINDOWS\SYSTEM32\ofetsbqdojmtgf.bmp
C:\WINDOWS\SYSTEM32\ahobihsjipgf.bmp
C:\WINDOWS\SYSTEM32\kbahojmtkbql.bmp
C:\WINDOWS\SYSTEM32\nqhsjmhobql.bmp
C:\WINDOWS\SYSTEM32\gbitknedkjih.bmp
C:\WINDOWS\SYSTEM32\DRIVERS\ctfmon.exe
C:\WINDOWS\SYSTEM32\ihcbatkbmhon.bmp
C:\WINDOWS\SYSTEM32\epsjmlsnml.bmp
C:\WINDOWS\SYSTEM32\ihcbalkbmh.bmp
C:\WINDOWS\SYSTEM32\ahonitkfqd.bmp
C:\WINDOWS\SYSTEM32\ehkjqhsral.bmp
C:\WINDOWS\SYSTEM32\kjmhobehsnahcj.bmp
C:\WINDOWS\SYSTEM32\fihorqhcbel.bmp
C:\bCST.exe
C:\WINDOWS\SYSTEM32\mhofml.bmp
C:\qcojteuj.exe
C:\ihso.exe
C:\opgr.exe
C:\dgfus.exe
C:\delself.bat
C:\WINDOWS\SYSTEM32\gbmlgjelkreh.bmp
C:\WINDOWS\SYSTEM32\mmfpmjvk.ini
C:\WINDOWS\SYSTEM32\h323msp.dll
C:\WINDOWS\SYSTEM32\h323.tsp
C:\WINDOWS\SYSTEM32\mf3216.dll
C:\WINDOWS\SYSTEM32\itkfqtgrmh.bmp
C:\WINDOWS\SYSTEM32\mhcnipknmh.bmp
C:\WINDOWS\SYSTEM32\japgn.bmp
C:\WINDOWS\SYSTEM32\psfepcbmlkr.bmp
C:\WINDOWS\SYSTEM32\srqdgnepcrihgf.bmp
C:\WINDOWS\SYSTEM32\sralsfmlsbqpcr.bmp
C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
C:\Documents and Settings\valor\win.exe

Folder::
C:\Program Files\Spy-Rid
C:\Documents and Settings\Administrator\Application Data\spy-rid.com
C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner
C:\Program Files\DivX
C:\Documents and Settings\valor\Application Data\TrustedAntivirus

Driver::
Legacy_CMDSERVICE
Legacy_DHLP
Legacy_EIM61
Legacy_LANMANDRV
Legacy_NETWORK_MONITOR
Legacy_USB80233
Legacy_VGY41
Service_Eim61
Service_lanmandrv
Service_USB80233
Service_Vgy41
Service_VGY41

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DD62512-6C11-42C9-9BD8-846B13B3D524}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF421255-5C36-4B91-A162-E19F4813419F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrspmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
[*] Combofix.txt
[*] A new HijackThis log.

In your next reply (please include):

Fresh HijackThis log
ComboFix.txt
OTMoveIt2 log


~Ltangel~

Windows and system security is my priority.

This message has been edited since posting. Last time this message was edited on 18. April 2008 @ 12:32
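A CFScript like the one above is a list of deletions that ComboFix will carry out without further confirmation, so it is worth reading it back in structured form before dropping it onto ComboFix.exe. As an added example, not part of this thread and not ComboFix's own code, here is a Python pre-flight reader for the script layout used above. The meaning of the section names (File:: deletes files, Folder:: deletes folders, Driver:: removes service/driver entries, Registry:: applies .reg-style edits) is assumed from how the thread uses them; the `[-key]` and `"name"=-` forms follow ordinary .reg file syntax. The miniature script is constructed from a few of the lines posted above.

```python
"""Pre-flight reader for a ComboFix CFScript (added example; not ComboFix code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed miniature script in the same layout as the one posted in the thread.
SAMPLE_SCRIPT = r"""
File::
C:\20.tmp
C:\WINDOWS\SYSTEM32\tmp.reg
C:\Documents and Settings\valor\win.exe

Folder::
C:\Program Files\Spy-Rid

Driver::
Legacy_CMDSERVICE
Service_lanmandrv

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DD62512-6C11-42C9-9BD8-846B13B3D524}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
VALUE_DELETE_RE = re.compile(r'^"([^"]*)"=-$')
# Assumption: Windows is installed in C:\WINDOWS (as in the thread's logs).
SYSTEM_DIR = "c:\\windows\\system32\\"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [lines]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Translate Registry:: lines into (action, key, value) tuples using .reg conventions."""
    actions: List[Tuple[str, str, Optional[str]]] = []
    key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))  # [-key] removes the whole key
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                                  # [key] selects a key for the lines after it
        else:
            m = VALUE_DELETE_RE.match(line)
            if m and key is not None:
                actions.append(("delete_value", key, m.group(1)))  # "name"=- removes one value
            else:
                actions.append(("unrecognised", key or "", line))
    return actions


def review(text: str) -> Dict[str, object]:
    """Summarise what the script asks for, flagging items worth a second look."""
    s = parse_cfscript(text)
    files = s.get("File", [])
    # Anything under the Windows system directory deserves confirmation
    # against a known-good file list before it is deleted.
    in_system_dir = [p for p in files if p.lower().startswith(SYSTEM_DIR)]
    return {
        "files": files,
        "folders": s.get("Folder", []),
        "drivers": s.get("Driver", []),
        "registry": registry_actions(s.get("Registry", [])),
        "system_dir_files": in_system_dir,
        "unknown_sections": sorted(set(s) - {"File", "Folder", "Driver", "Registry"}),
    }


if __name__ == "__main__":
    r = review(SAMPLE_SCRIPT)
    print(f"{len(r['files'])} file(s), {len(r['folders'])} folder(s), "
          f"{len(r['drivers'])} driver/service entries, {len(r['registry'])} registry action(s)")
    for p in r["system_dir_files"]:
        print("check before deleting:", p)
    for act in r["registry"]:
        print(act)
```

Run it on the full script from the post and the `system_dir_files` list is the part to read twice: several of those entries sit in SYSTEM32, and a deletion there is only as safe as the helper's identification of each file.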

catdrugn
Junior Member
18. April 2008 @ 23:15
Ltangel,

1) I followed instructions for OTMoveIt2. Here's the log:

File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\wsnpoem.sys not found.
File/Folder C:\WINDOWS\system32\braviax.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04182008_195724

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.


2) I followed instructions for ComboFix. It did the same thing it did before and I could not locate the log in the C: drive. It did not ask for a reboot.


Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:16 PM, on 4/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7306 bytes

Will wait for your reply. THANK YOU!
Member
19. April 2008 @ 09:26
Hey catdrugn,

Strange that ComboFix didn't work; it seems like something is blocking it. Let's try the following.

1) Run SDFix

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
[*] Restart your computer.
[*] After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*] Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*] Select the first option, to run Windows in Safe Mode, then press Enter.
[*] Choose your usual account.

[*] Open the extracted SDFix folder and double-click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
[*] Press any key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
[*] Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
[*] Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


2) Run FileFind

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
[*] Click on FileFind.exe
[*] In the box labeled "Directory"
[*] Enter Drive C:\

[*] In the box labeled "File"
[*] Enter wsnpoem.sys

[*] Now click on the "Search" button
[*] Once the utility has found the files, click on "Export"
[*] A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
[*] NOTE: The Notepad is saved on your C:\ drive as "Export.txt"


3) Run Dr.Web CureIt

Download Dr.Web CureIt to the desktop:

[*] Double-click the drweb-cureit.exe file and allow it to run the express scan.
[*] This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
[*] Once the short scan has finished, mark the drives that you want to scan.
[*] Select all drives. A red dot shows which drives have been chosen.
[*] Click the green arrow at the right, and the scan will start.
[*] Click 'Yes to all' if it asks if you want to cure/move the file.
[*] When the scan has finished, in the menu, click File and choose Save report list.
[*] Save the report to your desktop. The report will be called DrWeb.csv
[*] Close Dr.Web CureIt.


In your next reply (please include):

Fresh HijackThis log
Report.txt
DrWebCureIT scan log
FileFind log (Export.txt)


Go!

~Ltangel~

Windows and system security is my priority.

This message has been edited since posting. Last time this message was edited on 19. April 2008 @ 09:32

catdrugn
Junior Member
19. April 2008 @ 11:23
Ltangel,

I sure appreciate your determination!

A couple of notes before I post the logs:

When I ran FileFind and searched for wsnpoem.sys, the file "could not be found". Therefore, nothing was exported and the log was blank.

When I scanned with Dr.Web, several files were found and I selected "cure" as instructed. One file in particular (I failed to write down the file name) could not be cured. I had the option of deleting, renaming, or moving, but I did none of those since I didn't want to make a choice without your instruction.

Here are the logs (all but the FileFind):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:52 AM, on 4/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 6999 bytes



SDFix: Version 1.172
Run by Administrator on Sat 04/19/2008 at 07:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADGJQT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOBIH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHONIT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\CBIHKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKJQH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EPSJML~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\FIHORQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GBITKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GBMLGJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\IHCBAL~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\IHCBAT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ITKFQT~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JAPGN.BMP - Deleted
C:\WINDOWS\SYSTEM32\KBAHOJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\KJMHOB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MDSJQPCB.BMP - Deleted
C:\WINDOWS\SYSTEM32\MHCNIP~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MHOFML.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQHSJM~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\OFETSB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\POREDSB.BMP - Deleted
C:\WINDOWS\SYSTEM32\PSFEPC~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\REHOJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\SRALSF~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\SRQDGN~1.BMP - Deleted
C:\10.TMP - Deleted
C:\11.TMP - Deleted
C:\14.TMP - Deleted
C:\16.TMP - Deleted
C:\18.TMP - Deleted
C:\19.TMP - Deleted
C:\1A.TMP - Deleted
C:\1B.TMP - Deleted
C:\1C.TMP - Deleted
C:\1D.TMP - Deleted
C:\22.TMP - Deleted
C:\23.TMP - Deleted
C:\24.TMP - Deleted
C:\25.TMP - Deleted
C:\5.TMP - Deleted
C:\7.TMP - Deleted
C:\8.TMP - Deleted
C:\9.TMP - Deleted
C:\B.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\12.TMP - Deleted
C:\17.TMP - Deleted
C:\1E.TMP - Deleted
C:\6.TMP - Deleted
C:\C.TMP - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\ctfmon.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\QuickTime\QTTask.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 07:53:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 14 Jul 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Jul 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL0269.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL0792.tmp"
Wed 27 Dec 2006 34,816 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1144.tmp"
Wed 27 Dec 2006 34,304 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1170.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1355.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1496.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL1630.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2314.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2535.tmp"
Wed 27 Dec 2006 35,328 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2672.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2906.tmp"
Tue 26 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL2913.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3003.tmp"
Wed 27 Dec 2006 31,744 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3044.tmp"
Wed 27 Dec 2006 35,840 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3537.tmp"
Wed 27 Dec 2006 35,328 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL3620.tmp"
Wed 27 Dec 2006 32,256 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL4061.tmp"
Wed 27 Dec 2006 34,816 A..H. --- "C:\Documents and Settings\valor1\My Documents\~WRL4067.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0001.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0002.tmp"
Mon 17 Sep 2007 36,864 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0004.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL0005.tmp"
Mon 17 Sep 2007 35,840 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL1671.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3040.tmp"
Mon 17 Sep 2007 32,768 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3366.tmp"
Mon 17 Sep 2007 29,696 A..H. --- "C:\Documents and Settings\valor\My Documents\New Folder\~WRL3665.tmp"
Thu 20 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT58.tmp"
Thu 20 Mar 2008 101,846,427 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\download\BIT2E.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0001.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0002.tmp"
Mon 17 Sep 2007 36,864 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0004.tmp"
Mon 17 Sep 2007 32,256 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL0005.tmp"
Mon 17 Sep 2007 35,840 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL1671.tmp"
Mon 17 Sep 2007 30,208 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3040.tmp"
Mon 17 Sep 2007 32,768 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3366.tmp"
Mon 17 Sep 2007 29,696 A..H. --- "C:\Documents and Settings\valor\Local Settings\Application Data\Microsoft\CD Burning\New Folder\~WRL3665.tmp"

Finished!



1falK8pP.exe;C:\WINDOWS\System32;Trojan.Packed.418;Deleted.;
mbreseti.dll;C:\WINDOWS\System32;Trojan.AVKill.408;Deleted.;
Process.exe;C:\WINDOWS\System32;Tool.Prockill;;
uynhuahp.dll;C:\WINDOWS\System32;Trojan.Virtumod.269;Deleted.;
bCST.exe;C:\;Trojan.Packed.424;Deleted.;
qcojteuj.exe;C:\;Trojan.Fakealert.458;Deleted.;


The computer continues to run well AND instead of the blank, blue desktop, the windows desktop is back!


Will await your instructions. THANK YOU!
Member
19. April 2008 @ 22:12
Hey catdrugn,

Good job, your HijackThis log looks much better. :)

You said there is a file that you can't remove with DrWebCureIt, can you please let me see the scan log please?

Thanks.

~Ltangel~

Windows and system security is my priority.
catdrugn
Junior Member
20. April 2008 @ 09:55
Here's the log from the good doctor: :-)

1falK8pP.exe;C:\WINDOWS\System32;Trojan.Packed.418;Deleted.;
mbreseti.dll;C:\WINDOWS\System32;Trojan.AVKill.408;Deleted.;
Process.exe;C:\WINDOWS\System32;Tool.Prockill;;
uynhuahp.dll;C:\WINDOWS\System32;Trojan.Virtumod.269;Deleted.;
bCST.exe;C:\;Trojan.Packed.424;Deleted.;
qcojteuj.exe;C:\;Trojan.Fakealert.458;Deleted.;



All the files were deleted except for this one:

Process.exe;C:\WINDOWS\System32;Tool.Prockill;;

I remember seeing the "prockill" name in the window that said "file could not be deleted".

Hope that helps.........
Member
20. April 2008 @ 10:42
No worries, process.exe is from SmitfraudFix, a tool we used during the fix. :)

I'm looking at your logs right now, I'll propose a fix once I'm done.

~Ltangel~

Windows and system security is my priority.
Member
20. April 2008 @ 10:58
Hey catdrugn,

First, please disable your Spybot TeaTimer by clicking on the Spybot icon in the system tray and selecting Exit Spybot-S&D Resident.

Next, please remove the ComboFix you have now by going to Start>Run and typing ComboFix /u. There should be a confirmation that ComboFix is removed.

Download ComboFix again from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Go!

~Ltangel~

Windows and system security is my priority.
catdrugn
Junior Member
20. April 2008 @ 20:44
Hi Ltangel!

Here are the logs:


ComboFix 08-04-20.2 - Administrator 2008-04-20 17:34:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.249 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\alefdlfh.ini
C:\WINDOWS\SYSTEM32\cvkunnal.ini
C:\WINDOWS\SYSTEM32\gayseknv.ini
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\00014541.uf.ren
C:\WINDOWS\system32\wsnpoem\audio.dll.ren
C:\WINDOWS\system32\wsnpoem\video.dll.ren

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-19 07:59 . 2008-04-19 07:59 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-04-19 07:45 . 2008-04-19 07:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-16 08:12 . 2008-04-16 08:12 1,018,520 --a------ C:\fsbl.exe
2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\20.tmp
2008-04-15 20:21 . 2008-04-15 20:21 47,104 --a------ C:\1F.tmp
2008-04-08 14:23 . 2008-04-08 14:24 48,640 --a------ C:\21.tmp
2008-04-08 14:23 . 2008-04-08 14:23 47,104 --a------ C:\13.tmp
2008-04-08 13:56 . 2008-04-17 13:49 2,026 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-08 13:53 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-08 13:53 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-08 13:53 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-08 13:53 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-08 13:53 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-08 13:53 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-08 13:53 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-08 13:17 . 2008-04-08 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 10:30 . 2008-04-08 15:04 481 --a------ C:\WINDOWS\wininit.ini
2008-04-08 09:49 . 2008-04-08 09:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 09:49 . 2008-04-08 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 09:46 . 2008-04-08 09:46 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-04-08 09:46 . 2008-04-08 09:46 114,688 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-04-08 09:46 . 2008-04-08 09:46 40,960 --a------ C:\WINDOWS\SYSTEM32\zentray.exe
2008-04-08 09:46 . 2008-04-08 09:46 28,672 --a------ C:\WINDOWS\SYSTEM32\dpmw32.exe
2008-04-08 09:43 . 2008-04-08 09:44 47,104 --a------ C:\15.tmp
2008-04-08 09:05 . 2008-04-08 10:06 414 --ahs---- C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
2008-03-21 11:27 . 2008-03-21 11:36 <DIR> d-------- C:\Program Files\Spy-Rid
2008-03-21 11:27 . 2008-03-21 11:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\spy-rid.com
2008-03-21 00:59 . 2008-03-21 00:59 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-21 00:31 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-21 00:31 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:07 --------- d-----w C:\Program Files\DivX
2008-04-08 17:35 --------- d-----w C:\Program Files\QuickTime
2008-03-20 09:25 --------- d-----w C:\Program Files\EasySpywareCleaner
2008-03-20 09:17 --------- d-----w C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
2008-03-19 12:49 92 ----a-w C:\delself.bat
2008-03-19 12:49 58,368 ----a-w C:\ihso.exe
2008-03-19 12:49 14,336 ----a-w C:\opgr.exe
2008-03-19 12:49 13,824 ----a-w C:\dgfus.exe
2008-03-15 17:30 --------- d-----w C:\Documents and Settings\valor\Application Data\TrustedAntivirus
2008-03-14 11:53 0 --sha-w C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
2008-03-13 12:17 844 ----a-w C:\Documents and Settings\valor\win.exe
2008-03-09 03:05 --------- d-----w C:\Program Files\Java
2008-02-12 20:46 3,113,024 ----a-w C:\Program Files\ica32t.exe
2007-07-16 17:31 18,164,640 ----a-w C:\Program Files\aaw2007.exe
2006-12-07 16:28 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-04-08 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-04-08 09:46 114688]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-08 09:46 135251]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2008-04-08 09:46 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-04-08 09:46 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-04-08 09:46 286720]
"NWTRAY"="NWTRAY.EXE" [2001-12-18 10:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"="command /c del C:\WINDOWS\SYSTEM32\wsnpoem\video.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\Program Files\Novell\ZENworks\NalExpEx.dll [2003-05-05 18:34 131072]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Eim61.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 02:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 02:31]
R2 BlankScr;HBDevice;C:\WINDOWS\System32\drivers\BlankScr.sys [2003-03-18 15:26]
R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys [2003-03-18 12:16]
R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys [2003-03-18 12:16]
R2 Prometheus Wake-On-LAN Status Agent;Novell ZfD Wake on LAN Status Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe [2003-03-18 11:40]
R2 Remote Management Agent;Novell ZfD Remote Management;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2003-05-22 11:59]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 03:00]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2003-03-10 16:10]
S3 nscmnt;Novell Local Security Context Manager;C:\WINDOWS\System32\drivers\novell\nscmnt.sys [2002-07-12 07:36]
S3 xauthnt;Novell XTier Authentication Service;C:\WINDOWS\System32\drivers\novell\xauthnt.sys [2002-06-17 12:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 19:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 17:37:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\SYSTEM32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Novell\ZENworks\NALNTSRV.EXE
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\WM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-20 17:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 00:40:46
ComboFix2.txt 2008-04-16 03:45:45

Pre-Run: 30,588,149,760 bytes free
Post-Run: 30,553,161,728 bytes free

162 --- E O F --- 2008-04-16 15:04:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:47 PM, on 4/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=204.52.66.123:80;https=204.52.66.123:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;mail;helpdesk;devhaht2000;devhaht2000bak;hahtnt;flweb;161.125.121.20;161.125.202.45;4.21.148.155;127.0.0.1;<local>;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA7581] command /c del "C:\WINDOWS\SYSTEM32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 7380 bytes
Member
20. April 2008 @ 21:22
No wonder you are infected, catdrugn: you are browsing the internet with a machine running XP SP1 and IE6, which is very dangerous. You can follow the steps that the guys here are giving you, but to be honest you won't get rid of 100% of the viruses/spyware on the computer, so my advice is to back up your important files to a USB drive, CD, etc., then take some system recovery disks or the Windows install disks and reinstall Windows. Once that is done, make sure the Windows Firewall is on, and if you have a router that is another firewall, which is even better because it is hardware. Then run Windows Update till there are no new updates; this may take a ton of reboots. When all that is done, download IE7, it is a hell of a lot safer than IE6; also download Mozilla Firefox, which in my opinion, then get your AV/AntiSpy programs. I recommend Nod32 to pay, AVG for free, and for antispyware Windows Defender, Ad-Aware, and Spybot. Make sure you turn on automatic updates in Windows, and make sure you have a router and the Windows Firewall turned on, and you should be fine. You don't need 3rd-party firewalls like ZoneAlarm; they cause more trouble than they are worth.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Member
20. April 2008 @ 21:41
Hey tucker001,

Thanks so much for your input. I am aware of him running XP SP1 and I will be asking him to update once I clean up his computer. While your advice is well-intentioned, it can cause confusion for the user asking for help, as they will not know whose advice to follow.

Thanks for your understanding and please do not do so in the future.



Windows and system security is my priority.
Member
20. April 2008 @ 22:28
Hey catdrugn,

Good job, your computer is close to being clean. :) Just a few more scans and cleanups to do before closing this.

Please follow my instructions closely and ask if you have any doubts.

Ensure that your real time protection is disabled.

1) Fix with HijackThis

Please reopen HijackThis, and click on "Do a system scan only" on Main Menu. Put a check beside the entries below:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx


Close all other browsers/windows including this one, and click "Fix Checked". Close HijackThis.


2) Fix with ComboFix

1. Please open Notepad

   - Click Start, then Run
   - Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the quotebox below into the Notepad window:

Quote:
File::
C:\20.tmp
C:\1F.tmp
C:\21.tmp
C:\13.tmp
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\15.tmp
C:\WINDOWS\SYSTEM32\rwyjmmvu.ini
C:\delself.bat
C:\ihso.exe
C:\opgr.exe
C:\dgfus.exe
C:\Documents and Settings\valor\Application Data\0047d937950af9f834e3b41c7ef846a5801957e94ae966ef01.dat
C:\Documents and Settings\valor\win.exe

Folder::
C:\Program Files\Spy-Rid
C:\Documents and Settings\Administrator\Application Data\spy-rid.com
C:\Documents and Settings\valor\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner
C:\Program Files\DivX
C:\Documents and Settings\valor\Application Data\TrustedAntivirus
C:\Program Files\PartyGaming

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7581"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

   - Combofix.txt
   - A new HijackThis log.


3) Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply (please include):

Fresh HijackThis log
MBAM scan log
C:\ComboFix.txt
Description of how the computer is performing


Go!

~Ltangel~


Windows and system security is my priority.
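As an added example for this thread (not code from HijackThis, Dr.Web CureIt or the helper's fix steps), a small Python script that pulls from a HijackThis log the kinds of entries asked to be fixed above (dangling "(no file)" / "(file missing)" entries and the O16 DPF entry served over ms-its:), and from a Dr.Web report the rows that were detected but not removed, as with Process.exe earlier in the thread. The sample lines are copied from the logs posted here.

```python
"""Triage helpers for the two log formats exchanged in this thread.

Added example for this thread; not code from HijackThis, Dr.Web CureIt,
or the helper's fix script.  triage_hijackthis() flags the kinds of
HijackThis entries the helper asked to be fixed: toolbar/button entries
whose target is gone ("(no file)", "(file missing)") and O16 ActiveX
downloads (DPF) whose source is not plain HTTP, such as the
ms-its:/file:// chain in the posted log.  unresolved_drweb_rows() picks
the rows of a Dr.Web CureIt report whose action field is empty, i.e.
files the scanner detected but did not remove (the Process.exe row).
"""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the HijackThis and Dr.Web logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1205999457586
"""

SAMPLE_DRWEB = r"""
1falK8pP.exe;C:\WINDOWS\System32;Trojan.Packed.418;Deleted.;
Process.exe;C:\WINDOWS\System32;Tool.Prockill;;
qcojteuj.exe;C:\;Trojan.Fakealert.458;Deleted.;
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O16 - DPF: ..."
DANGLING_RE = re.compile(r"\((no file|file missing)\)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O16"
    reason: str
    line: str      # the line exactly as logged: what the user ticks in HijackThis


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Return the O-entries a helper would normally ask to have fixed."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, running-process list, blank lines
        section, body = m.groups()
        if DANGLING_RE.search(body):
            findings.append(Finding(section, "target file is missing", line))
        elif section == "O16":
            # The download source is everything after the last " - ".
            source = body.rsplit(" - ", 1)[-1]
            if not re.match(r"https?://", source, re.IGNORECASE):
                scheme = source.split(":", 1)[0]
                findings.append(Finding(section, f"ActiveX download via non-HTTP scheme {scheme}:", line))
    return findings


@dataclass(frozen=True)
class DrWebRow:
    name: str
    directory: str
    detection: str
    action: str  # "Deleted." etc.; empty when the file was only reported


def parse_drweb(report_text: str) -> List[DrWebRow]:
    """Parse the semicolon-separated rows of a Dr.Web CureIt report."""
    rows: List[DrWebRow] = []
    for raw in report_text.splitlines():
        parts = raw.strip().split(";")
        if len(parts) < 4:
            continue  # blank or malformed line
        rows.append(DrWebRow(parts[0], parts[1], parts[2], parts[3].strip()))
    return rows


def unresolved_drweb_rows(report_text: str) -> List[DrWebRow]:
    """Rows with an empty action: detected but not removed, so still on disk."""
    return [r for r in parse_drweb(report_text) if not r.action]


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for r in unresolved_drweb_rows(SAMPLE_DRWEB):
        print(f"not removed: {r.directory}\\{r.name} ({r.detection})")
```

Feed it a full HijackThis log and the three flagged lines come out verbatim, ready to be matched against the "Do a system scan only" list; the legitimate Microsoft Update O16 entry and the Spybot "(no name)" button are left alone.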