Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

downloader.Zlob [CLOSED]


  • This topic is locked This topic is locked

#1
Jigalow

Jigalow

    Member

  • Member
  • PipPip
  • 21 posts
Hello,

It's been a while since I have been here. I keep having a problem with F-secure popping up telling me that it has found this virus but it always just renames it.
It renames the file extension. I have run "FixIEDef.exe" "Smitfraud.exe" and "Combofix". I have a hijack log and a log from the combofix that I will post.


Hijack log


Logfile of HijackThis v1.99.1
Scan saved at 7:51:04 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Security stuff\HijackThis.exe

O1 - Hosts: 87.106.166.63 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\charter high-speed security suite\fsps\program\fslsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE



Combofix log

ComboFix 08-02.05.3 - William 2008-02-05 19:42:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.259 [GMT -6:00]
Running from: C:\Documents and Settings\William\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-04 19:04 . 2008-02-04 19:40 1,662 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 11:07 . 2008-01-28 11:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-26 21:53 . 2008-01-28 11:05 <DIR> d-------- C:\Program Files\Real
2008-01-19 12:43 . 2008-01-19 12:43 <DIR> d-------- C:\Program Files\Usb to Serial Driver 1.12.25

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 17:07 --------- d-----w C:\Program Files\Common Files\Real
2008-01-28 17:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-28 17:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-28 11:56 --------- d-----w C:\Documents and Settings\William\Application Data\BitTorrent
2008-01-19 18:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 09:20 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-12-15 09:14 --------- d-----w C:\Program Files\Avanquest update
2007-12-15 09:14 --------- d-----w C:\Documents and Settings\William\Application Data\InstallShield
2007-12-15 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-14 15:02 --------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-12-14 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-08 01:54 92,064 ----a-w C:\Documents and Settings\William\mqdmmdm.sys
2007-09-08 01:54 9,232 ----a-w C:\Documents and Settings\William\mqdmmdfl.sys
2007-09-08 01:54 79,328 ----a-w C:\Documents and Settings\William\mqdmserd.sys
2007-09-08 01:54 66,656 ----a-w C:\Documents and Settings\William\mqdmbus.sys
2007-09-08 01:54 6,208 ----a-w C:\Documents and Settings\William\mqdmcmnt.sys
2007-09-08 01:54 5,936 ----a-w C:\Documents and Settings\William\mqdmwhnt.sys
2007-09-08 01:54 4,048 ----a-w C:\Documents and Settings\William\mqdmcr.sys
2007-09-08 01:54 25,600 ----a-w C:\Documents and Settings\William\usbsermptxp.sys
2007-09-08 01:54 22,768 ----a-w C:\Documents and Settings\William\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"WinMX"="C:\Program Files\WinMX\WinMX.exe" [2006-03-10 04:24 1069056]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 17:01 43008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 05:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 08:12 90112]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 06:45 356352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 11:05 185896]

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Charter High-Speed Security Suite\HIPS\fshs.sys [2007-11-01 05:42]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2006-02-28 06:00]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 20:52:45 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:47:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 19:48:47
.
2008-01-09 09:03:17 --- E O F ---


Thanks!
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

It's been a while since I have been here. I keep having a problem with F-secure popping up telling me that it has found this virus but it always just renames it.

I can't see anything suspicious in your logs. Please let me know what exact file your F-Secure is finding all the time and where it is located.
  • 0

#3
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP