
Downloader.Delf.AST [CLOSED]


#1 weaver6697 (New Member, 2 posts)
I ran AVG and have a Trojan Horse Downloader.Delf.AST infection that keeps coming back. It shows the infection in C:\WINDOWS\system32\comdlg32d.dll. AVG also shows a virus named Exploit in C:\Documents and Settings\ac0bb\Local Settings\Temporary Internet Files\Content.IE5\2WW5LG0F\u[2].htm and C:\Documents and Settings\ac0bb\Local Settings\Temporary Internet Files\Content.IE5\SYIM9KZ8\u[1].htm. I don't have any system restore points anymore and I have tried to get rid of this using Spybot and Symantec also without any luck.

Please Help!!


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 weaver6697 (Topic Starter, New Member, 2 posts)
ComboFix 08-02-12.1 - ac0bb 2008-02-11 16:40:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT -5:00]
Running from: C:\Documents and Settings\ac0bb\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ac0bb\g2mdlhlpx.exe
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\system32\comdlg32d.dll
C:\WINDOWS\system32\dmocxt.dll
C:\WINDOWS\system32\drivers\jnisnsfb.dat
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\LEGACY_JCPFMPLZ
-------\LEGACY_OZMBIQRE
-------\Iprip
-------\jcpfmplz
-------\nm
-------\ozmbiqre


((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-09 16:15 . 2004-08-27 11:44 3,467 --a------ C:\WINDOWS\saplogon.ini
2008-02-09 16:15 . 2004-08-27 11:37 184 --a------ C:\WINDOWS\SAPMSG.ini
2008-02-09 16:09 . 2008-02-09 16:09 <DIR> d-------- C:\Program Files\Common Files\ESRI
2008-02-09 16:09 . 2005-09-23 09:55 1,146,880 --a------ C:\WINDOWS\system32\wdba.dll
2008-02-09 16:09 . 2003-10-21 21:47 56,832 --a------ C:\WINDOWS\system32\grfcxl32.dll
2008-02-09 16:09 . 2003-10-21 21:47 34,816 --a------ C:\WINDOWS\system32\grsapx32.dll
2008-02-09 16:06 . 2006-09-12 21:44 352,256 --a------ C:\WINDOWS\system32\sapfcpl.cpl
2008-02-09 16:06 . 2005-03-03 12:56 229,376 --a------ C:\WINDOWS\system32\wdpdxl50.olb
2008-02-09 16:06 . 1998-06-26 20:22 68,640 --a------ C:\WINDOWS\system32\Gauge32.OCX
2008-02-09 16:06 . 2005-03-03 12:56 31,060 --a------ C:\WINDOWS\system32\wdpdvba.olb
2008-02-09 16:05 . 2008-02-09 16:05 <DIR> d-------- C:\Program Files\SAP
2008-02-09 16:05 . 2008-02-09 16:14 <DIR> d-------- C:\Program Files\Common Files\SAP Shared
2008-02-09 16:04 . 2008-02-09 16:10 <DIR> d--h----- C:\WINDOWS\SAPwksta
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Program Files\Common Files\Sage
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Program Files\Business Objects
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sage
2008-02-09 12:31 . 2008-02-09 12:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 12:31 . 2008-02-09 12:31 3,449 --a------ C:\WINDOWS\unins000.dat
2008-02-08 16:38 . 2008-02-08 16:38 99,614,720 --a------ C:\SLX_ac0bb_dat.sxd
2008-02-08 15:26 . 2008-02-08 15:26 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-08 15:26 . 2008-02-08 15:26 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-02-08 15:26 . 2008-02-08 15:26 35,072 --a------ C:\WINDOWS\system32\mzyqpkmp.dat
2008-02-08 15:25 . 2008-02-08 15:26 741,632 --a------ C:\WINDOWS\system32\bivfeksr.dat
2008-02-08 15:25 . 2008-02-08 15:25 42,752 --a------ C:\WINDOWS\system32\pukxcmwc.dat
2008-02-08 15:25 . 2008-02-08 15:25 36,608 --a------ C:\WINDOWS\system32\fomxwdms.dat
2008-02-08 11:23 . 2008-02-08 11:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-08 11:12 . 2008-02-08 11:12 <DIR> d-------- C:\Documents and Settings\ac0bb\Application Data\AdwareBot
2008-02-02 16:29 . 2008-02-02 16:29 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-02-02 15:37 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-02-02 15:37 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2008-02-02 15:37 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-02-02 15:37 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-02-02 15:37 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-02-02 15:37 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-02-02 15:22 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-02-02 15:22 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2008-01-31 13:17 . 2008-01-31 13:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-31 10:57 . 2008-01-31 10:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-31 10:57 . 2008-01-31 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-31 10:57 . 2008-02-12 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-31 10:57 . 2008-02-08 11:55 <DIR> d-------- C:\Documents and Settings\ac0bb\Application Data\AVG7
2008-01-29 00:03 . 2008-02-08 15:25 120,576 --a------ C:\WINDOWS\system32\twqgrbsz.dat
2008-01-28 23:56 . 2008-02-09 22:50 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-15 11:20 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-01-15 11:20 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2008-01-15 11:20 . 2001-08-17 22:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-01-15 11:20 . 2001-08-17 22:36 71,680 --a------ C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-01-15 11:20 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-01-15 11:20 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-15 10:31 . 2008-01-15 10:31 <DIR> d-------- C:\Program Files\Linksys Wireless-G Print Server
2008-01-15 10:31 . 2006-10-18 18:32 37,248 --a------ C:\WINDOWS\system32\lknuhub.sys
2008-01-15 10:31 . 2006-10-18 18:32 37,248 --a------ C:\WINDOWS\system32\drivers\lknuhub.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,648 --a------ C:\WINDOWS\system32\lknucmp.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,648 --a------ C:\WINDOWS\system32\drivers\lknucmp.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,136 --a------ C:\WINDOWS\system32\drivers\lknuhst.sys
2008-01-15 10:31 . 2006-10-18 18:35 1,393 --a------ C:\WINDOWS\system32\lknucmp.inf
2008-01-15 10:31 . 2006-10-18 18:36 1,371 --a------ C:\WINDOWS\system32\lknuhub.inf
2008-01-15 10:30 . 2007-02-28 21:58 813 -ra------ C:\setup.iss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-10 21:36 --------- d-----w C:\Program Files\SalesLogix
2008-02-10 15:25 --------- d-----w C:\Program Files\PokerStars
2008-02-09 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SalesLogix
2008-02-09 20:41 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\SalesLogix
2008-02-09 20:37 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\U3
2008-02-09 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-09 17:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 03:02 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\MSNGames
2008-02-06 03:33 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\Move Networks
2008-02-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 05:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-31 00:24 --------- d-----w C:\Program Files\Wave Systems Corp
2008-01-31 00:24 --------- d-----w C:\Program Files\Broadcom
2008-01-07 17:01 --------- d-----w C:\Program Files\Skyline
2008-01-07 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2008-01-01 18:34 --------- d-----w C:\Program Files\TabPlayer
2008-01-01 18:07 --------- d-----w C:\Program Files\Guitar Pro 5
2007-12-28 17:25 --------- d-----w C:\Program Files\Google
2007-12-19 20:07 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\ArcSoft
2007-12-19 05:16 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\Lexmark Productivity Studio
2007-12-14 04:16 --------- d-----w C:\Program Files\Wheelock NACEVAC 5
2007-12-13 15:36 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\webex
2007-12-13 15:00 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-12-12 06:38 --------- d-----w C:\Program Files\Verizon Wireless
2007-12-12 06:38 --------- d-----w C:\Program Files\Novatel Wireless
2007-12-12 05:49 --------- d-----w C:\Documents and Settings\Chris\Application Data\MSNGames
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\ac0bb\Desktop\Personal\HijackThis.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 08:08 1347584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 20:09 842584]
"PSDiagnosticM"="C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 16:29 315392]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 05:00 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-06-23 18:27 85696]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-31 13:22 579072]
"ccApp"="-" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-31 10:57 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 16:13:54 11000]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-30 14:26:14 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 15:23:32 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 06:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2004-07-20 09:34 851968 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 14:58 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-06-15 10:07 49152 c:\dell\E-Center\gtb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-30 14:26 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 16:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 16:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 14:04 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 17:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 13:46 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-05-25 09:16 49152 C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 09:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R2 SalesLogix Server Service;SalesLogix Server;"C:\Program Files\SalesLogix\SLXServer.exe" [2007-07-09 07:20]
R2 SlxSearch;SalesLogix SpeedSearch;"C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe" [2007-07-09 07:20]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-22 04:00]
R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 04:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 03:28]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2004-10-15 16:49]
S3 LKNUCMP;Linksys Network USB Composite Device;C:\WINDOWS\system32\DRIVERS\lknucmp.sys [2006-10-18 18:32]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PCASp50.sys []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 08:00:00 C:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job"
- C:\Program Files\AdwareBot\AdwareBot.exe
- C:\Program Files\AdwareBot
"2008-02-11 20:10:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-12 21:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F4DBB58D-BF78-4C7B-8145-783A3E248B19}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 16:47:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\SalesLogix\SLXLoggingServer.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SalesLogix\SLXSystem.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-12 16:56:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 21:55:52
.
2008-02-02 21:11:58 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16, on 2008-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\SalesLogix\SLXServer.exe
C:\Program Files\SalesLogix\SLXLoggingServer.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SalesLogix\SLXSystem.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Money Toolbar Add-in\StockDataClient.exe
C:\Program Files\Weather Add-in for Windows Live Toolbar\WeatherDataClient.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7155250B-24F7-4187-B77C-CA2C9C1BF869}: NameServer = 66.174.95.44 69.78.96.14
O23 - Service: SalesLogix Server (SalesLogix Server Service) - Sage Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Sage Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe

--
End of file - 2939 bytes

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mzyqpkmp.dat
C:\WINDOWS\system32\bivfeksr.dat
C:\WINDOWS\system32\pukxcmwc.dat
C:\WINDOWS\system32\fomxwdms.dat
C:\WINDOWS\system32\twqgrbsz.dat
C:\WINDOWS\system32\AppCert\wsil32.dll
E:\LaunchU3.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

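As an added example (not from this thread, Geeks to Go or ComboFix): a small Python triage pass over log lines in the format posted in reply #3, flagging the persistence and AV-suppression patterns that reply #4's CFScript removes or the log exposes: an AppCertDlls entry, a DisallowRun policy naming antivirus executables, a MountPoints2 AutoRun command, and eight-letter random .dat files dropped in system32. The regexes and finding categories are this example's own heuristics, and SAMPLE_LOG is constructed to mimic the posted log's layout.

```python
"""Triage of ComboFix-style log lines for the persistence patterns seen in this thread.

Added example (not from Geeks to Go or ComboFix): the regexes and the finding
categories are this example's own heuristics, and SAMPLE_LOG is constructed to
mimic the shape of the log posted above.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str   # which persistence or AV-suppression pattern matched
    key: str    # registry key the line was listed under ("" for file listings)
    value: str  # the path, command or value that matched


# Constructed sample in the layout ComboFix uses: file listings, then
# "[key]" headers followed by value lines.
SAMPLE_LOG = r"""
2008-02-08 15:26 . 2008-02-08 15:26 35,072 --a------ C:\WINDOWS\system32\mzyqpkmp.dat
2008-02-08 15:26 . 2008-02-08 15:26 246,545 --a------ C:\WINDOWS\system32\libssl32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= nod32krn.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Eight random lowercase letters with a .dat extension dropped straight into
# system32: the naming pattern of the files the CFScript above deletes.
RANDOM_DAT_RE = re.compile(r"\\system32\\[a-z]{8}\.dat$", re.IGNORECASE)


def triage(log_text: str) -> list:
    """Walk the log once and return every line matching a watched pattern."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        key = current_key
        if key.endswith("\\session manager\\appcertdlls"):
            # AppCertDlls are loaded into every process created on the box;
            # value format is "name REG_EXPAND_SZ path".
            findings.append(Finding("appcertdll", key, line.split(None, 2)[-1]))
        elif key.endswith("\\policies\\explorer\\disallowrun"):
            # Executable names the Explorer policy refuses to launch; AV
            # binaries listed here mean the protection is being suppressed.
            findings.append(Finding("disallowrun", key, line.split("=", 1)[1].strip()))
        elif key.endswith("\\policies\\explorer") and line.lower().startswith('"disallowrun"'):
            findings.append(Finding("disallowrun_policy", key, line.split("=", 1)[1].strip()))
        elif "\\mountpoints2\\" in key and "autorun" in line.lower():
            # Per-drive AutoRun command that fires when the volume is opened.
            findings.append(Finding("autorun", key, line.split(" - ", 1)[-1]))
        elif RANDOM_DAT_RE.search(line):
            findings.append(Finding("random_dat", key, line.split()[-1]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category so a reviewer sees the shape at a glance."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:18} {f.value}")
    print(summarize(results))
```

Run it against a real ComboFix.txt by passing the file's contents to triage(); anything it flags is a lead for a helper to verify by hand, not a verdict.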

#5 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.